This is v2 of the series that fixes extra_subflows u8 underflow bugs
in the MPTCP userspace path manager.

extra_subflows is a u8 field in struct mptcp_pm_data. Two code paths
in the userspace PM can cause it to underflow from 0 to 255, after
which the counter is permanently corrupted and future subflow
creation is blocked.

Patch 1 skips the spurious mptcp_pm_close_subflow() call in
__mptcp_subflow_connect() when the userspace PM is in use, since it
does not pre-increment extra_subflows before attempting subflow
creation.

Patch 2 adds an underflow guard in mptcp_pm_subflow_check_next() to
avoid decrementing extra_subflows when it is already zero.

Tao Cui (2):
  mptcp: pm: fix extra_subflows underflow on userspace PM connect
    failure
  mptcp: pm: add extra_subflows underflow guard for userspace PM

 net/mptcp/pm.c      | 3 ++-
 net/mptcp/subflow.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

---
Changes in v2:
  - Dropped the use-after-free fix.
  - Split the underflow fix into two patches, one per code path.
v1:
  https://lore.kernel.org/all/20260509075629.217791-2-cuitao@kylinos.cn/
--
2.43.0

Hi Tao,

Thank you for your modifications, that's great!

Our CI did some validations and here is its report:

- KVM Validation: normal (except selftest_mptcp_join): Success! ✅
- KVM Validation: normal (only selftest_mptcp_join): Success! ✅
- KVM Validation: debug (except selftest_mptcp_join): Success! ✅
- KVM Validation: debug (only selftest_mptcp_join): Success! ✅
- KVM Validation: btf-normal (only bpftest_all): Success! ✅
- KVM Validation: btf-debug (only bpftest_all): Success! ✅
- Task: https://github.com/multipath-tcp/mptcp_net-next/actions/runs/25854223893

Initiator: Patchew Applier
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/34573f7001fb
Patchwork: https://patchwork.kernel.org/project/mptcp/list/?series=1094704


If there are some issues, you can reproduce them using the same environment as
the one used by the CI thanks to a docker image, e.g.:

    $ cd [kernel source code]
    $ docker run -v "${PWD}:${PWD}:rw" -w "${PWD}" --privileged --rm -it \
        --pull always mptcp/mptcp-upstream-virtme-docker:latest \
        auto-normal

For more details:

    https://github.com/multipath-tcp/mptcp-upstream-virtme-docker


Please note that despite all the efforts that have been already done to have a
stable tests suite when executed on a public CI like here, it is possible some
reported issues are not due to your modifications. Still, do not hesitate to
help us improve that ;-)

Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (NGI0 Core)

Sorry, I missed adding --subject-prefix="PATCH mptcp-next" when running git format-patch.

在 2026/5/14 17:50, Tao Cui 写道:
> This is v2 of the series that fixes extra_subflows u8 underflow bugs
> in the MPTCP userspace path manager.
> 
> extra_subflows is a u8 field in struct mptcp_pm_data. Two code paths
> in the userspace PM can cause it to underflow from 0 to 255, after
> which the counter is permanently corrupted and future subflow
> creation is blocked.
> 
> Patch 1 skips the spurious mptcp_pm_close_subflow() call in
> __mptcp_subflow_connect() when the userspace PM is in use, since it
> does not pre-increment extra_subflows before attempting subflow
> creation.
> 
> Patch 2 adds an underflow guard in mptcp_pm_subflow_check_next() to
> avoid decrementing extra_subflows when it is already zero.
> 
> Tao Cui (2):
>   mptcp: pm: fix extra_subflows underflow on userspace PM connect
>     failure
>   mptcp: pm: add extra_subflows underflow guard for userspace PM
> 
>  net/mptcp/pm.c      | 3 ++-
>  net/mptcp/subflow.c | 3 ++-
>  2 files changed, 4 insertions(+), 2 deletions(-)
> 
> ---
> Changes in v2:
>   - Dropped the use-after-free fix.
>   - Split the underflow fix into two patches, one per code path.
> v1:
>   https://lore.kernel.org/all/20260509075629.217791-2-cuitao@kylinos.cn/
> --
> 2.43.0

Sorry everyone, please ignore this v2 patch submission.
I missed the review note from Sashiko when preparing this update:

  " sashiko adds some comments here, please address them in v2:
    https://sashiko.dev/#/patchset/20260509075629.217791-2-cuitao@kylinos.cn "

Besides, the race condition scenario pointed out by Sashiko also needs to be handled.
I will send out the v3 patch later to fix all these issues.

在 2026/5/14 18:00, Tao Cui 写道:
> 
> Sorry, I missed adding --subject-prefix="PATCH mptcp-next" when running git format-patch.
> 
> 在 2026/5/14 17:50, Tao Cui 写道:
>> This is v2 of the series that fixes extra_subflows u8 underflow bugs
>> in the MPTCP userspace path manager.
>>
>> extra_subflows is a u8 field in struct mptcp_pm_data. Two code paths
>> in the userspace PM can cause it to underflow from 0 to 255, after
>> which the counter is permanently corrupted and future subflow
>> creation is blocked.
>>
>> Patch 1 skips the spurious mptcp_pm_close_subflow() call in
>> __mptcp_subflow_connect() when the userspace PM is in use, since it
>> does not pre-increment extra_subflows before attempting subflow
>> creation.
>>
>> Patch 2 adds an underflow guard in mptcp_pm_subflow_check_next() to
>> avoid decrementing extra_subflows when it is already zero.
>>
>> Tao Cui (2):
>>   mptcp: pm: fix extra_subflows underflow on userspace PM connect
>>     failure
>>   mptcp: pm: add extra_subflows underflow guard for userspace PM
>>
>>  net/mptcp/pm.c      | 3 ++-
>>  net/mptcp/subflow.c | 3 ++-
>>  2 files changed, 4 insertions(+), 2 deletions(-)
>>
>> ---
>> Changes in v2:
>>   - Dropped the use-after-free fix.
>>   - Split the underflow fix into two patches, one per code path.
>> v1:
>>   https://lore.kernel.org/all/20260509075629.217791-2-cuitao@kylinos.cn/
>> --
>> 2.43.0