From nobody Sat Feb 7 21:59:49 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4C07179D6 for ; Wed, 5 Apr 2023 22:47:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1680734872; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=EVyj89yYIn0Jz4rzUgI0a1InX+DbzGmVU60fINGM2HI=; b=X5LQqbqWw8+tC3BybvJHARS3II/uw2izcWgA4+njJtDFx9CAK/RFLrLyD+pAIn7ZNmJaRL 1rGbFkVKfsg2q+BVOw5J75+0fwmXaRN13s7rQae5wef1hR95WSMpFK7kktop1STRNyV94d 44XU+KT54KzYttkp3/AiaT9lNVbpb0Q= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-182-twyq3NnnO1-KHa9-vVBa2w-1; Wed, 05 Apr 2023 18:47:48 -0400 X-MC-Unique: twyq3NnnO1-KHa9-vVBa2w-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id EE50429AB3E3; Wed, 5 Apr 2023 22:47:46 +0000 (UTC) Received: from gerbillo.redhat.com (unknown [10.39.193.138]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5A10C140EBF4; Wed, 5 Apr 2023 22:47:46 +0000 (UTC) From: Paolo Abeni To: mptcp@lists.linux.dev Cc: Christoph Paasch Subject: [PATCH mptcp-net 1/2] Squash-to: "mptcp: fix accept vs worker race" Date: Thu, 6 Apr 2023 00:47:37 +0200 Message-Id: In-Reply-To: References: Precedence: bulk X-Mailing-List: mptcp@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.7 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8"; x-default="true" 2 separate fixes needed for the mentioned patch On some exceptional scenarios (e.g. listener socket disconnecting while the subflow is created) a newly created MPC is deleted by the TCP stack via inet_child_forget(). When that happen we leak the subflow context and the msk. Address the issue explicitly detecting such scenario and forcing a full msk shutdown. mptcp_subflow_drop_ctx() does not remove the subflow from the msk list, racing msk lookup done by the NL PM could fetch the msk just before deletion, and try to free again the subflow. Just explicitly remove the subflow from said list. Signed-off-by: Paolo Abeni --- net/mptcp/protocol.c | 13 +++++++++++-- net/mptcp/subflow.c | 1 + 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 0e4961e87b48..76c1814c0b19 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2378,9 +2378,18 @@ static void __mptcp_close_ssk(struct sock *sk, struc= t sock *ssk, * to deliver the msk to user-space. * Do nothing at the moment and take action at accept and/or listener * shutdown. + * If instead such subflow has been destroyed, e.g. by inet_child_forget + * do the kill */ - if (msk->in_accept_queue && msk->first =3D=3D ssk) - return; + if (msk->in_accept_queue && msk->first =3D=3D ssk) { + if (!sock_flag(ssk, SOCK_DEAD)) + return; + + /* ensure later check in mptcp_worker will dispose the msk */ + sock_set_flag(sk, SOCK_DEAD); + inet_csk(sk)->icsk_mtup.probe_timestamp =3D tcp_jiffies32 - + TCP_TIMEWAIT_LEN -1; + } =20 dispose_it =3D !msk->subflow || ssk !=3D msk->subflow->sk; if (dispose_it) diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 3d6ccf5067d7..32e54b7fdbbc 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -715,6 +715,7 @@ void mptcp_subflow_drop_ctx(struct sock *ssk) if (!ctx) return; =20 + list_del(&mptcp_subflow_ctx(ssk)->node); subflow_ulp_fallback(ssk, ctx); if (ctx->conn) sock_put(ctx->conn); --=20 2.39.2 From nobody Sat Feb 7 21:59:49 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D44C979D6 for ; Wed, 5 Apr 2023 22:47:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1680734869; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=bEE5f7/2/S4jkoe5f5gpLftEXutV5Xo2thLzHOxJOF8=; b=fUH6wu4akqEroL0pVg33QrMRoryimKLhoo18orQWUeo5UvB098bLShVwKMMvJ6iLbFK81g dRgE8/VAskZB7JdyxM8mRkT8aJpoBkEqY/dQucCmN399okrsR73TPccQbTYivYV0FI7wLj /ikgJm/b1a9/oLgZUtSBFUCj640MAhc= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-262-zm4eqpD4Pu2mrv6SHcQTEw-1; Wed, 05 Apr 2023 18:47:48 -0400 X-MC-Unique: zm4eqpD4Pu2mrv6SHcQTEw-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id D3C80185A791; Wed, 5 Apr 2023 22:47:47 +0000 (UTC) Received: from gerbillo.redhat.com (unknown [10.39.193.138]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3F46A140EBF4; Wed, 5 Apr 2023 22:47:47 +0000 (UTC) From: Paolo Abeni To: mptcp@lists.linux.dev Cc: Christoph Paasch Subject: [PATCH mptcp-net 2/2] Squash-to: "mptcp: stops worker on unaccepted sockets at listener close" Date: Thu, 6 Apr 2023 00:47:38 +0200 Message-Id: <728d7ef6b46f1f38ae37a49411ca90e0991057d0.1680733942.git.pabeni@redhat.com> In-Reply-To: References: Precedence: bulk X-Mailing-List: mptcp@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.7 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8"; x-default="true" The mentioned patch carries a bad lockdep annotation. The msk socket lock is not nested, as that is the outermost one, held only by the user-space. Signed-off-by: Paolo Abeni --- net/mptcp/subflow.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 32e54b7fdbbc..c6ae5ddd3bb0 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -1882,8 +1882,7 @@ void mptcp_subflow_queue_clean(struct sock *listener_= sk, struct sock *listener_s */ mutex_release(&listener_sk->sk_lock.dep_map, _RET_IP_); mptcp_cancel_work(sk); - mutex_acquire(&listener_sk->sk_lock.dep_map, - SINGLE_DEPTH_NESTING, 0, _RET_IP_); + mutex_acquire(&listener_sk->sk_lock.dep_map, 0, 0, _RET_IP_); =20 sock_put(sk); } --=20 2.39.2