Re: [PATCH net v2] mptcp: prevent stale backlog references to closing subflows

From: Paolo Abeni

Date: Mon May 18 2026 - 04:48:55 EST


On 5/18/26 7:00 AM, Kalpan Jani wrote:
> @@ -2549,6 +2566,22 @@ static void __mptcp_close_ssk(struct sock *sk, struct sock *ssk,
> */
> lock_sock_nested(ssk, SINGLE_DEPTH_NESTING);
> subflow->closing = 1;
> +
> + /* Remove any reference from the backlog to this ssk; backlog skbs
> + * consume space in the msk receive queue, no need to touch
> + * sk->sk_rmem_alloc. Serialize with mptcp_data_ready() under
> + * mptcp_data_lock() while the ssk lock is still held, so the
> + * cleanup is exhaustive: no new skb can be enqueued after this point.
> + */
> + mptcp_data_lock(sk);
> + list_for_each_entry(skb, &msk->backlog_list, list) {
> + if (skb->sk != ssk)
> + continue;
> +
> + atomic_sub(skb->truesize, &skb->sk->sk_rmem_alloc);
> + skb->sk = NULL;
> + }
> + mptcp_data_unlock(sk);

Here you should use the just defined helper, and only when `flags &
MPTCP_CF_PUSH`, otherwise the backlog cleanup is already performed by
the caller.

>
> /* Borrow the fwd allocated page left-over; fwd memory for the subflow
> * could be negative at this point, but will be reach zero soon - when
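
Review bot: the comment added above the loop says there is "no need to touch sk->sk_rmem_alloc", yet the loop body runs `atomic_sub(skb->truesize, &skb->sk->sk_rmem_alloc);`, so the comment and the code disagree unless `sk` in the comment means the msk only. Please state in the comment which socket's counter is left alone and which one is adjusted. Since the `skb->sk != ssk` check has already passed at that point, writing `&ssk->sk_rmem_alloc` would make the target obvious.
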
> @@ -2587,6 +2620,7 @@ static void __mptcp_close_ssk(struct sock *sk, struct sock *ssk,
> __mptcp_subflow_disconnect(ssk, subflow, msk->fastclosing);
> release_sock(ssk);
>
> + mptcp_cleanup_ssk_backlog(sk, ssk);
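
Review bot: `mptcp_cleanup_ssk_backlog(sk, ssk)` is called here after `release_sock(ssk)`, while the comment added in the earlier hunk says the cleanup has to run while the ssk lock is still held for it to be exhaustive. The earlier hunk also already walks `msk->backlog_list` for the same ssk, so this reads as a second pass made outside the ssk lock. Keep a single cleanup under the ssk lock and drop the other, or add a comment explaining why both are needed.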

Why are you cleaning the backlog again?

Why did you not use the code I suggested?

For the next iteration, please go through the mptcp ML only, to reduce
traffic on more busy places.

/P