TFO: stall CPU if SYN is reset

[matttbe]

When looking at validating MPTCP+TFO for the server side, I got a kernel deadlock on top of the export branch from yesterday: a84974a → export/20221121T103206

root@(none):/home/nix.tessares.net/mbaerts/Workspace/multipath-tcp/upstream/mptcp_net-next# cd /opt/packetdrill/gtests/net/mptcp
root@(none):/opt/packetdrill/gtests/net/mptcp# /opt/packetdrill/gtests/net/packetdrill/packetdrill -v --ip_version=ipv4 --local_ip=192.168.0.2 --gateway_ip=192.168.0.1 --netmask_ip=255.255.0.0 --remote_ip=192.0.2.1/24 -D CMSG_LEVEL_IP=SOL_IP -D CMSG_TYPE_RECVERR=IP_RECVERR -D TFO_COOKIE=de4f234f0f433a55 fastopen/server-TCP_FASTOPEN-no-cookie.pkt
socket syscall: 1669138520.527445
setsockopt syscall: 1669138520.527768
bind syscall: 1669138520.528086
listen syscall: 1669138520.528386
inbound injected packet:  0.001298 S 0:500(500) win 65535 <mss 1460,sackOK,TS val 100 ecr 0,nop,wscale 8,FO,nop,nop,mp_capable v1 flags: |H| >
outbound sniffed packet:  0.002449 S. 2366816640:2366816640(0) ack 501 win 65535 <mss 1460,sackOK,TS val 1347476566 ecr 100,nop,wscale 8,mp_capable v1 flags: |H| sender_key: 665474359205250004>
fastopen/server-TCP_FASTOPEN-no-cookie.pkt:14: error handling packet: live packet field ipv4_total_length: expected: 76 (0x4c) vs actual: 72 (0x48)
script packet:  0.012451 S. 0:0(0) ack 501 <mss 1460,nop,nop,sackOK,nop,wscale 8,FO de4f234f0f433a55,nop,nop,mp_capable v1 flags: |H| sender_key: 665474359205250004>
actual packet:  0.002449 S. 0:0(0) ack 501 win 65535 <mss 1460,sackOK,TS val 1347476566 ecr 100,nop,wscale 8,mp_capable v1 flags: |H| sender_key: 665474359205250004>
[   72.126002] sched: RT throttling activated
[   91.474002] rcu: INFO: rcu_preempt self-detected stall on CPU
[   91.474456] rcu:     1-....: (21001 ticks this GP) idle=9084/1/0x4000000000000000 softirq=1107/1107 fqs=5250
[   91.475178]  (t=21001 jiffies g=665 q=4 ncpus=2)
[   91.475474] CPU: 1 PID: 162 Comm: packetdrill Not tainted 6.1.0-rc5 #361
[   91.475970] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   91.477741] RIP: 0010:queued_spin_lock_slowpath (arch/x86/include/asm/vdso/processor.h:19) 
[ 91.478611] Code: 00 41 55 41 54 55 48 89 fd 53 66 90 ba 01 00 00 00 8b 45 00 85 c0 75 10 f0 0f b1 55 00 85 c0 75 f0 5b 5d 41 5c 41 5d c3 f3 90 <eb> e5 81 fe 00 01 00 00 74 4c 40 30 f6 85 f6 75 6f f0 0f ba 6d 00
All code
========
   0:	00 41 55             	add    %al,0x55(%rcx)
   3:	41 54                	push   %r12
   5:	55                   	push   %rbp
   6:	48 89 fd             	mov    %rdi,%rbp
   9:	53                   	push   %rbx
   a:	66 90                	xchg   %ax,%ax
   c:	ba 01 00 00 00       	mov    $0x1,%edx
  11:	8b 45 00             	mov    0x0(%rbp),%eax
  14:	85 c0                	test   %eax,%eax
  16:	75 10                	jne    0x28
  18:	f0 0f b1 55 00       	lock cmpxchg %edx,0x0(%rbp)
  1d:	85 c0                	test   %eax,%eax
  1f:	75 f0                	jne    0x11
  21:	5b                   	pop    %rbx
  22:	5d                   	pop    %rbp
  23:	41 5c                	pop    %r12
  25:	41 5d                	pop    %r13
  27:	c3                   	ret
  28:	f3 90                	pause
  2a:*	eb e5                	jmp    0x11		<-- trapping instruction
  2c:	81 fe 00 01 00 00    	cmp    $0x100,%esi
  32:	74 4c                	je     0x80
  34:	40 30 f6             	xor    %sil,%sil
  37:	85 f6                	test   %esi,%esi
  39:	75 6f                	jne    0xaa
  3b:	f0                   	lock
  3c:	0f                   	.byte 0xf
  3d:	ba                   	.byte 0xba
  3e:	6d                   	insl   (%dx),%es:(%rdi)
	...

Code starting with the faulting instruction
===========================================
   0:	eb e5                	jmp    0xffffffffffffffe7
   2:	81 fe 00 01 00 00    	cmp    $0x100,%esi
   8:	74 4c                	je     0x56
   a:	40 30 f6             	xor    %sil,%sil
   d:	85 f6                	test   %esi,%esi
   f:	75 6f                	jne    0x80
  11:	f0                   	lock
  12:	0f                   	.byte 0xf
  13:	ba                   	.byte 0xba
  14:	6d                   	insl   (%dx),%es:(%rdi)
	...
[   91.481686] RSP: 0018:ffff9d9d8028fb30 EFLAGS: 00000202
[   91.482521] RAX: 0000000000000001 RBX: ffff8e2102ec8858 RCX: 0000000000000cc0
[   91.483469] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff8e2102ec8818
[   91.484035] RBP: ffff8e2102ec8818 R08: 0000000000001f90 R09: ffffffff962068d0
[   91.484640] R10: 0000000000000008 R11: ffff8e2102f6ab00 R12: ffff8e2102ec8818
[   91.485208] R13: ffff8e2102ec8dd0 R14: 0000000000000000 R15: 0000000000000001
[   91.485825] FS:  0000000000000000(0000) GS:ffff8e217dd00000(0000) knlGS:0000000000000000
[   91.486517] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   91.487029] CR2: 00007f42b4ca4e40 CR3: 0000000058010000 CR4: 0000000000350ee0
[   91.487667] Call Trace:
[   91.487896]  <TASK>
[   91.488091] mptcp_destroy_common (include/linux/skbuff.h:1764) 
[   91.488487] mptcp_destroy (include/net/sock.h:1495) 
[   91.488821] __mptcp_destroy_sock (net/mptcp/protocol.c:2886) 
[   91.489214] __mptcp_close (net/mptcp/protocol.c:2959) 
[   91.489547] mptcp_subflow_queue_clean (net/mptcp/subflow.c:1813) 
[   91.489997] __mptcp_close_ssk (net/mptcp/protocol.c:2363) 
[   91.490372] mptcp_destroy_common (net/mptcp/protocol.c:3170) 
[   91.490747] mptcp_destroy (include/net/sock.h:1495) 
[   91.491072] __mptcp_destroy_sock (net/mptcp/protocol.c:2886) 
[   91.491449] __mptcp_close (net/mptcp/protocol.c:2959) 
[   91.491772] mptcp_close (net/mptcp/protocol.c:2974) 
[   91.492084] inet_release (net/ipv4/af_inet.c:432) 
[   91.492400] __sock_release (net/socket.c:651) 
[   91.492731] sock_close (net/socket.c:1367) 
[   91.493029] __fput (fs/file_table.c:321) 
[   91.493314] task_work_run (include/linux/sched.h:2077 (discriminator 1)) 
[   91.493654] do_exit (kernel/exit.c:821) 
[   91.493952] do_group_exit (kernel/exit.c:932) 
[   91.494277] get_signal (kernel/signal.c:2825) 
[   91.494603] arch_do_signal_or_restart (arch/x86/kernel/signal.c:869) 
[   91.495034] ? do_futex (kernel/futex/syscalls.c:106) 
[   91.495350] ? __x64_sys_futex (kernel/futex/syscalls.c:183) 
[   91.495720] exit_to_user_mode_prepare (kernel/entry/common.c:170) 
[   91.496158] syscall_exit_to_user_mode (arch/x86/include/asm/jump_label.h:55) 
[   91.496577] do_syscall_64 (arch/x86/entry/common.c:87) 
[   91.496911] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[   91.497372] RIP: 0033:0x7f4169e4a340
[ 91.497704] Code: Unable to access opcode bytes at 0x7f4169e4a316.

Code starting with the faulting instruction
===========================================
[   91.498249] RSP: 002b:00007f4169db4db8 EFLAGS: 00000282 ORIG_RAX: 00000000000000ca
[   91.498922] RAX: fffffffffffffe00 RBX: 00007f4169db5640 RCX: 00007f4169e4a340
[   91.499545] RDX: 0000000000000002 RSI: 0000000000000080 RDI: 000055da090279c0
[   91.500184] RBP: 00007f4169db4df0 R08: 0000000000000000 R09: 0000000000000000
[   91.500820] R10: 0000000000000000 R11: 0000000000000282 R12: 00007f4169db5640
[   91.501389] R13: 0000000000000002 R14: 00007f4169e4d850 R15: 00007ffe04eab210
[   91.502007]  </TASK>

The packetdrill test that can reproduce the issue:

// Receive data with TFO + cookie
--tolerance_usecs=100000
`../common/defaults.sh
 sysctl -q net.ipv4.tcp_fastopen=0x602`

// A first connection to store the cookie
 0.0    socket(..., SOCK_STREAM, IPPROTO_MPTCP) = 3
+0.0    setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0

+0.0    bind(3, ..., ...) = 0
+0.0    listen(3, 1) = 0

+0.0      <  S   0:500(500)               win 65535  <mss 1460, sackOK, TS val 100 ecr 0,   nop, wscale 8, FO,            nop, nop, mpcapable v1 flags[flag_h] nokey>

So here, packetdrill has injected a (valid) SYN with data (TFO). In theory, a SYN+ACK has been sent back by the kernel and a RST has been injected by Packetdrill just after but I cannot prove if it happened before or after the deadlock.

I didn't investigate more for the moment. This has been reproduced on a kernel without debug kconfig so far.

[matttbe]

With a debug kernel:

root@(none):/home/nix.tessares.net/mbaerts/Workspace/multipath-tcp/upstream/mptcp_net-next# cd /opt/packetdrill/gtests/net/mptcp
root@(none):/opt/packetdrill/gtests/net/mptcp# packetdrill -v --ip_version=ipv4 --local_ip=192.168.0.2 --gateway_ip=192.168.0.1 --netmask_ip=255.255.0.0 --remote_ip=192.0.2.1/24 -D CMSG_LEVEL_IP=SOL_IP -D CMSG_TYPE_RECVERR=IP_RECVERR -D TFO_COOKIE=de4f234f0f433a55 fastopen/server-TCP_FASTOPEN-no-cookie-bug.pkt
socket syscall: 1669141431.327847
setsockopt syscall: 1669141431.327959
bind syscall: 1669141431.328364
listen syscall: 1669141431.328505
inbound injected packet:  0.001108 S 0:500(500) win 65535 <mss 1460,sackOK,TS val 100 ecr 0,nop,wscale 8,FO,nop,nop,mp_capable v1 flags: |H| >
[  410.006523][  T155] BUG: sleeping function called from invalid context at net/mptcp/protocol.c:2877
[  410.007300][  T155] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 155, name: packetdrill
[  410.008009][  T155] preempt_count: 201, expected: 0
[  410.008412][  T155] RCU nest depth: 0, expected: 0
[  410.008819][  T155] 4 locks held by packetdrill/155:
[ 410.009262][ T155] #0: ffff888001536990 (&sb->s_type->i_mutex_key#6){+.+.}-{3:3}, at: __sock_release (net/socket.c:650) 
[ 410.010161][ T155] #1: ffff88800b498130 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_close (net/mptcp/protocol.c:2973) 
[ 410.010948][ T155] #2: ffff88800b49a130 (sk_lock-AF_INET/1){+.+.}-{0:0}, at: __mptcp_close_ssk (net/mptcp/protocol.c:2363) 
[ 410.011757][ T155] #3: ffff88800b49a0b0 (slock-AF_INET){+...}-{2:2}, at: __lock_sock_fast (include/net/sock.h:1820) 
[  410.012551][  T155] Preemption disabled at:
[ 410.012555][ T155] 0x0 
[  410.013220][  T155] CPU: 1 PID: 155 Comm: packetdrill Not tainted 6.1.0-rc5 #365
[  410.013793][  T155] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[  410.014511][  T155] Call Trace:
[  410.014773][  T155]  <TASK>
[ 410.015011][ T155] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4)) 
[ 410.015397][ T155] __might_resched.cold (kernel/sched/core.c:9891) 
[ 410.015816][ T155] __mptcp_destroy_sock (include/linux/kernel.h:110) 
[ 410.016240][ T155] __mptcp_close (net/mptcp/protocol.c:2959) 
[ 410.016598][ T155] mptcp_subflow_queue_clean (include/net/sock.h:1777) 
[ 410.017020][ T155] ? __local_bh_enable_ip (arch/x86/include/asm/irqflags.h:45) 
[ 410.017466][ T155] __mptcp_close_ssk (net/mptcp/protocol.c:2363) 
[ 410.017862][ T155] mptcp_destroy_common (net/mptcp/protocol.c:3170) 
[ 410.018281][ T155] ? __destroy_inode (fs/inode.c:287 (discriminator 2)) 
[ 410.018662][ T155] mptcp_destroy (include/net/sock.h:1495) 
[ 410.019053][ T155] __mptcp_destroy_sock (net/mptcp/protocol.c:2886) 
[ 410.019489][ T155] __mptcp_close (net/mptcp/protocol.c:2959) 
[ 410.019860][ T155] mptcp_close (net/mptcp/protocol.c:2974) 
[ 410.020183][ T155] inet_release (net/ipv4/af_inet.c:432) 
[ 410.020488][ T155] __sock_release (net/socket.c:651) 
[ 410.020801][ T155] sock_close (net/socket.c:1367) 
[ 410.021098][ T155] __fput (fs/file_table.c:320) 
[ 410.021412][ T155] task_work_run (kernel/task_work.c:181 (discriminator 1)) 
[ 410.021782][ T155] ? task_work_func_match (kernel/task_work.c:44) 
[ 410.022208][ T155] ? task_work_cancel (kernel/task_work.c:147) 
[ 410.022607][ T155] exit_to_user_mode_prepare (include/linux/resume_user_mode.h:49) 
[ 410.023047][ T155] syscall_exit_to_user_mode (kernel/entry/common.c:130) 
[ 410.023465][ T155] do_syscall_64 (arch/x86/entry/common.c:87) 
[ 410.023830][ T155] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[  410.024292][  T155] RIP: 0033:0x7f9fcf87413b
[ 410.024636][ T155] Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 b9 f7 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 91 b9 f7 ff 8b 44
All code
========
   0:	03 00                	add    (%rax),%eax
   2:	00 00                	add    %al,(%rax)
   4:	0f 05                	syscall
   6:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   c:	77 41                	ja     0x4f
   e:	c3                   	ret
   f:	48 83 ec 18          	sub    $0x18,%rsp
  13:	89 7c 24 0c          	mov    %edi,0xc(%rsp)
  17:	e8 43 b9 f7 ff       	call   0xfffffffffff7b95f
  1c:	8b 7c 24 0c          	mov    0xc(%rsp),%edi
  20:	41 89 c0             	mov    %eax,%r8d
  23:	b8 03 00 00 00       	mov    $0x3,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 35                	ja     0x67
  32:	44 89 c7             	mov    %r8d,%edi
  35:	89 44 24 0c          	mov    %eax,0xc(%rsp)
  39:	e8 91 b9 f7 ff       	call   0xfffffffffff7b9cf
  3e:	8b                   	.byte 0x8b
  3f:	44                   	rex.R

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 35                	ja     0x3d
   8:	44 89 c7             	mov    %r8d,%edi
   b:	89 44 24 0c          	mov    %eax,0xc(%rsp)
   f:	e8 91 b9 f7 ff       	call   0xfffffffffff7b9a5
  14:	8b                   	.byte 0x8b
  15:	44                   	rex.R
[  410.026174][  T155] RSP: 002b:00007fff6c30b190 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  410.026854][  T155] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f9fcf87413b
[  410.027478][  T155] RDX: 0000000000000000 RSI: 0000560709519830 RDI: 0000000000000007
[  410.028108][  T155] RBP: 00007fff6c30b1d0 R08: 0000000000000000 R09: 0000000000000000
[  410.028757][  T155] R10: 00007f9fcf979370 R11: 0000000000000293 R12: 00007fff6c30b698
[  410.029381][  T155] R13: 00005607090db2cb R14: 0000560709136978 R15: 00007f9fcf9c9040
[  410.030043][  T155]  </TASK>
[  410.030331][  T155]
[  410.030521][  T155] ============================================
[  410.031031][  T155] WARNING: possible recursive locking detected
[  410.031532][  T155] 6.1.0-rc5 #365 Tainted: G        W
[  410.032025][  T155] --------------------------------------------
[  410.032520][  T155] packetdrill/155 is trying to acquire lock:
[ 410.032969][ T155] ffff88800b49a0b0 (slock-AF_INET){+...}-{2:2}, at: mptcp_destroy_common (include/linux/skbuff.h:1764) 
[  410.033739][  T155]
[  410.033739][  T155] but task is already holding lock:
[ 410.034280][ T155] ffff88800b49a0b0 (slock-AF_INET){+...}-{2:2}, at: __lock_sock_fast (include/net/sock.h:1820) 
[  410.034990][  T155]
[  410.034990][  T155] other info that might help us debug this:
[  410.035629][  T155]  Possible unsafe locking scenario:
[  410.035629][  T155]
[  410.036198][  T155]        CPU0
[  410.036455][  T155]        ----
[  410.036686][  T155]   lock(slock-AF_INET);
[  410.037016][  T155]   lock(slock-AF_INET);
[  410.037370][  T155]
[  410.037370][  T155]  *** DEADLOCK ***
[  410.037370][  T155]
[  410.038039][  T155]  May be due to missing lock nesting notation
[  410.038039][  T155]
[  410.038708][  T155] 4 locks held by packetdrill/155:
[ 410.039125][ T155] #0: ffff888001536990 (&sb->s_type->i_mutex_key#6){+.+.}-{3:3}, at: __sock_release (net/socket.c:650) 
[ 410.039977][ T155] #1: ffff88800b498130 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_close (net/mptcp/protocol.c:2973) 
[ 410.040708][ T155] #2: ffff88800b49a130 (sk_lock-AF_INET/1){+.+.}-{0:0}, at: __mptcp_close_ssk (net/mptcp/protocol.c:2363) 
[ 410.041520][ T155] #3: ffff88800b49a0b0 (slock-AF_INET){+...}-{2:2}, at: __lock_sock_fast (include/net/sock.h:1820) 
[  410.042295][  T155]
[  410.042295][  T155] stack backtrace:
[  410.042747][  T155] CPU: 1 PID: 155 Comm: packetdrill Tainted: G        W          6.1.0-rc5 #365
[  410.043437][  T155] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[  410.044177][  T155] Call Trace:
[  410.044438][  T155]  <TASK>
[ 410.044672][ T155] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4)) 
[ 410.045030][ T155] validate_chain.cold (kernel/locking/lockdep.c:2990) 
[ 410.045439][ T155] ? check_prev_add (kernel/locking/lockdep.c:3787) 
[ 410.045854][ T155] ? mark_lock.part.0 (arch/x86/include/asm/bitops.h:228) 
[ 410.046276][ T155] ? mark_lock_irq (kernel/locking/lockdep.c:4593) 
[ 410.046681][ T155] __lock_acquire (kernel/locking/lockdep.c:5055) 
[ 410.047064][ T155] lock_acquire (kernel/locking/lockdep.c:466) 
[ 410.047413][ T155] ? mptcp_destroy_common (include/linux/skbuff.h:1764) 
[ 410.047841][ T155] ? debug_object_activate (lib/debugobjects.c:864) 
[ 410.048278][ T155] ? rcu_read_unlock (include/linux/rcupdate.h:779 (discriminator 5)) 
[ 410.048592][ T155] ? lockdep_hardirqs_on_prepare.part.0 (kernel/locking/lockdep.c:466) 
[ 410.049077][ T155] ? asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:649) 
[ 410.049575][ T155] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4385) 
[ 410.049981][ T155] ? asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:649) 
[ 410.050430][ T155] _raw_spin_lock_bh (include/linux/spinlock_api_smp.h:127) 
[ 410.050804][ T155] ? mptcp_destroy_common (include/linux/skbuff.h:1764) 
[ 410.051207][ T155] mptcp_destroy_common (include/linux/skbuff.h:1764) 
[ 410.051608][ T155] ? dump_stack_lvl (lib/dump_stack.c:108) 
[ 410.051965][ T155] mptcp_destroy (include/net/sock.h:1495) 
[ 410.052278][ T155] __mptcp_destroy_sock (net/mptcp/protocol.c:2886) 
[ 410.052654][ T155] __mptcp_close (net/mptcp/protocol.c:2959) 
[ 410.053024][ T155] mptcp_subflow_queue_clean (include/net/sock.h:1777) 
[ 410.053458][ T155] ? __local_bh_enable_ip (arch/x86/include/asm/irqflags.h:45) 
[ 410.053856][ T155] __mptcp_close_ssk (net/mptcp/protocol.c:2363) 
[ 410.054249][ T155] mptcp_destroy_common (net/mptcp/protocol.c:3170) 
[ 410.054643][ T155] ? __destroy_inode (fs/inode.c:287 (discriminator 2)) 
[ 410.055015][ T155] mptcp_destroy (include/net/sock.h:1495) 
[ 410.055387][ T155] __mptcp_destroy_sock (net/mptcp/protocol.c:2886) 
[ 410.055796][ T155] __mptcp_close (net/mptcp/protocol.c:2959) 
[ 410.056188][ T155] mptcp_close (net/mptcp/protocol.c:2974) 
[ 410.056536][ T155] inet_release (net/ipv4/af_inet.c:432) 
[ 410.056898][ T155] __sock_release (net/socket.c:651) 
[ 410.057280][ T155] sock_close (net/socket.c:1367) 
[ 410.057631][ T155] __fput (fs/file_table.c:320) 
[ 410.057964][ T155] task_work_run (kernel/task_work.c:181 (discriminator 1)) 
[ 410.058331][ T155] ? task_work_func_match (kernel/task_work.c:44) 
[ 410.058742][ T155] ? task_work_cancel (kernel/task_work.c:147) 
[ 410.059134][ T155] exit_to_user_mode_prepare (include/linux/resume_user_mode.h:49) 
[ 410.059577][ T155] syscall_exit_to_user_mode (kernel/entry/common.c:130) 
[ 410.059979][ T155] do_syscall_64 (arch/x86/entry/common.c:87) 
[ 410.060315][ T155] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[  410.060761][  T155] RIP: 0033:0x7f9fcf87413b
[ 410.061110][ T155] Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 b9 f7 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 91 b9 f7 ff 8b 44
All code
========
   0:	03 00                	add    (%rax),%eax
   2:	00 00                	add    %al,(%rax)
   4:	0f 05                	syscall
   6:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   c:	77 41                	ja     0x4f
   e:	c3                   	ret
   f:	48 83 ec 18          	sub    $0x18,%rsp
  13:	89 7c 24 0c          	mov    %edi,0xc(%rsp)
  17:	e8 43 b9 f7 ff       	call   0xfffffffffff7b95f
  1c:	8b 7c 24 0c          	mov    0xc(%rsp),%edi
  20:	41 89 c0             	mov    %eax,%r8d
  23:	b8 03 00 00 00       	mov    $0x3,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 35                	ja     0x67
  32:	44 89 c7             	mov    %r8d,%edi
  35:	89 44 24 0c          	mov    %eax,0xc(%rsp)
  39:	e8 91 b9 f7 ff       	call   0xfffffffffff7b9cf
  3e:	8b                   	.byte 0x8b
  3f:	44                   	rex.R

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 35                	ja     0x3d
   8:	44 89 c7             	mov    %r8d,%edi
   b:	89 44 24 0c          	mov    %eax,0xc(%rsp)
   f:	e8 91 b9 f7 ff       	call   0xfffffffffff7b9a5
  14:	8b                   	.byte 0x8b
  15:	44                   	rex.R
[  410.062625][  T155] RSP: 002b:00007fff6c30b190 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  410.063269][  T155] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f9fcf87413b
[  410.063858][  T155] RDX: 0000000000000000 RSI: 0000560709519830 RDI: 0000000000000007
[  410.064534][  T155] RBP: 00007fff6c30b1d0 R08: 0000000000000000 R09: 0000000000000000
[  410.065186][  T155] R10: 00007f9fcf979370 R11: 0000000000000293 R12: 00007fff6c30b698
[  410.065803][  T155] R13: 00005607090db2cb R14: 0000560709136978 R15: 00007f9fcf9c9040
[  410.066415][  T155]  </TASK>
[  411.554932][    C1] sched: RT throttling activated
[  436.005931][    C1] rcu: INFO: rcu_preempt self-detected stall on CPU
[  436.006416][    C1] rcu:     1-....: (26038 ticks this GP) idle=810c/1/0x4000000000000000 softirq=16793/16797 fqs=6495
[  436.007253][    C1]  (t=26000 jiffies g=25737 q=16 ncpus=2)
[  436.007727][    C1] CPU: 1 PID: 155 Comm: packetdrill Tainted: G        W          6.1.0-rc5 #365
[  436.008450][    C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 436.009161][ C1] RIP: 0010:queued_spin_lock_slowpath (arch/x86/include/asm/vdso/processor.h:19) 
[ 436.009667][ C1] Code: 8b 84 24 88 00 00 00 65 48 2b 04 25 28 00 00 00 0f 85 7b 0b 00 00 48 81 c4 90 00 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f c3 f3 90 <e9> 74 ff ff ff 44 8b 74 24 50 41 81 fe 00 01 00 00 0f 84 e1 00 00
All code
========
   0:	8b 84 24 88 00 00 00 	mov    0x88(%rsp),%eax
   7:	65 48 2b 04 25 28 00 	sub    %gs:0x28,%rax
   e:	00 00 
  10:	0f 85 7b 0b 00 00    	jne    0xb91
  16:	48 81 c4 90 00 00 00 	add    $0x90,%rsp
  1d:	5b                   	pop    %rbx
  1e:	5d                   	pop    %rbp
  1f:	41 5c                	pop    %r12
  21:	41 5d                	pop    %r13
  23:	41 5e                	pop    %r14
  25:	41 5f                	pop    %r15
  27:	c3                   	ret
  28:	f3 90                	pause
  2a:*	e9 74 ff ff ff       	jmp    0xffffffffffffffa3		<-- trapping instruction
  2f:	44 8b 74 24 50       	mov    0x50(%rsp),%r14d
  34:	41 81 fe 00 01 00 00 	cmp    $0x100,%r14d
  3b:	0f                   	.byte 0xf
  3c:	84 e1                	test   %ah,%cl
	...

Code starting with the faulting instruction
===========================================
   0:	e9 74 ff ff ff       	jmp    0xffffffffffffff79
   5:	44 8b 74 24 50       	mov    0x50(%rsp),%r14d
   a:	41 81 fe 00 01 00 00 	cmp    $0x100,%r14d
  11:	0f                   	.byte 0xf
  12:	84 e1                	test   %ah,%cl
	...
[  436.011231][    C1] RSP: 0018:ffffc9000017f998 EFLAGS: 00000202
[  436.011708][    C1] RAX: 0000000000000000 RBX: ffff88800b49a098 RCX: ffffffffb5c94923
[  436.012356][    C1] RDX: ffffed1001693414 RSI: 0000000000000004 RDI: ffff88800b49a098
[  436.012978][    C1] RBP: 0000000000000001 R08: 0000000000000000 R09: ffff88800b49a09b
[  436.013596][    C1] R10: ffffed1001693413 R11: 0000000000000001 R12: 0000000000000003
[  436.014207][    C1] R13: ffffed1001693413 R14: 0000000000000001 R15: dffffc0000000000
[  436.014831][    C1] FS:  00007f9fcf75c740(0000) GS:ffff88806cd00000(0000) knlGS:0000000000000000
[  436.015530][    C1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  436.016058][    C1] CR2: 00007fff6c3d9000 CR3: 0000000007a36000 CR4: 0000000000350ee0
[  436.016671][    C1] Call Trace:
[  436.016937][    C1]  <TASK>
[ 436.017170][ C1] ? __printk_cpu_sync_put (include/linux/atomic/atomic-arch-fallback.h:243) 
[ 436.017586][ C1] ? _raw_write_unlock_irqrestore (kernel/locking/qspinlock.c:317) 
[ 436.018048][ C1] ? lock_acquire (kernel/locking/lockdep.c:5636) 
[ 436.018412][ C1] ? debug_object_activate (lib/debugobjects.c:864) 
[ 436.018856][ C1] ? rcu_read_unlock (include/linux/rcupdate.h:779 (discriminator 5)) 
[ 436.019230][ C1] do_raw_spin_lock (include/asm-generic/qspinlock.h:114) 
[ 436.019609][ C1] ? rwlock_bug.part.0 (kernel/locking/spinlock_debug.c:113) 
[ 436.019991][ C1] mptcp_destroy_common (include/linux/skbuff.h:1764) 
[ 436.020392][ C1] ? dump_stack_lvl (lib/dump_stack.c:108) 
[ 436.020756][ C1] mptcp_destroy (include/net/sock.h:1495) 
[ 436.021113][ C1] __mptcp_destroy_sock (net/mptcp/protocol.c:2886) 
[ 436.021505][ C1] __mptcp_close (net/mptcp/protocol.c:2959) 
[ 436.021858][ C1] mptcp_subflow_queue_clean (include/net/sock.h:1777) 
[ 436.022311][ C1] ? __local_bh_enable_ip (arch/x86/include/asm/irqflags.h:45) 
[ 436.022747][ C1] __mptcp_close_ssk (net/mptcp/protocol.c:2363) 
[ 436.023132][ C1] mptcp_destroy_common (net/mptcp/protocol.c:3170) 
[ 436.023553][ C1] ? __destroy_inode (fs/inode.c:287 (discriminator 2)) 
[ 436.023936][ C1] mptcp_destroy (include/net/sock.h:1495) 
[ 436.024290][ C1] __mptcp_destroy_sock (net/mptcp/protocol.c:2886) 
[ 436.024692][ C1] __mptcp_close (net/mptcp/protocol.c:2959) 
[ 436.025055][ C1] mptcp_close (net/mptcp/protocol.c:2974) 
[ 436.025386][ C1] inet_release (net/ipv4/af_inet.c:432) 
[ 436.025729][ C1] __sock_release (net/socket.c:651) 
[ 436.026085][ C1] sock_close (net/socket.c:1367) 
[ 436.026409][ C1] __fput (fs/file_table.c:320) 
[ 436.026739][ C1] task_work_run (kernel/task_work.c:181 (discriminator 1)) 
[ 436.027099][ C1] ? task_work_func_match (kernel/task_work.c:44) 
[ 436.027505][ C1] ? task_work_cancel (kernel/task_work.c:147) 
[ 436.027888][ C1] exit_to_user_mode_prepare (include/linux/resume_user_mode.h:49) 
[ 436.028329][ C1] syscall_exit_to_user_mode (kernel/entry/common.c:130) 
[ 436.028740][ C1] do_syscall_64 (arch/x86/entry/common.c:87) 
[ 436.029086][ C1] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[  436.029563][    C1] RIP: 0033:0x7f9fcf87413b
[ 436.029914][ C1] Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 b9 f7 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 91 b9 f7 ff 8b 44
All code
========
   0:	03 00                	add    (%rax),%eax
   2:	00 00                	add    %al,(%rax)
   4:	0f 05                	syscall
   6:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   c:	77 41                	ja     0x4f
   e:	c3                   	ret
   f:	48 83 ec 18          	sub    $0x18,%rsp
  13:	89 7c 24 0c          	mov    %edi,0xc(%rsp)
  17:	e8 43 b9 f7 ff       	call   0xfffffffffff7b95f
  1c:	8b 7c 24 0c          	mov    0xc(%rsp),%edi
  20:	41 89 c0             	mov    %eax,%r8d
  23:	b8 03 00 00 00       	mov    $0x3,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 35                	ja     0x67
  32:	44 89 c7             	mov    %r8d,%edi
  35:	89 44 24 0c          	mov    %eax,0xc(%rsp)
  39:	e8 91 b9 f7 ff       	call   0xfffffffffff7b9cf
  3e:	8b                   	.byte 0x8b
  3f:	44                   	rex.R

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 35                	ja     0x3d
   8:	44 89 c7             	mov    %r8d,%edi
   b:	89 44 24 0c          	mov    %eax,0xc(%rsp)
   f:	e8 91 b9 f7 ff       	call   0xfffffffffff7b9a5
  14:	8b                   	.byte 0x8b
  15:	44                   	rex.R
[  436.031427][    C1] RSP: 002b:00007fff6c30b190 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  436.032082][    C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f9fcf87413b
[  436.032715][    C1] RDX: 0000000000000000 RSI: 0000560709519830 RDI: 0000000000000007
[  436.033343][    C1] RBP: 00007fff6c30b1d0 R08: 0000000000000000 R09: 0000000000000000
[  436.033971][    C1] R10: 00007f9fcf979370 R11: 0000000000000293 R12: 00007fff6c30b698
[  436.034599][    C1] R13: 00005607090db2cb R14: 0000560709136978 R15: 00007f9fcf9c9040
[  436.035227][    C1]  </TASK>
[  460.873930][    C1] watchdog: BUG: soft lockup - CPU#1 stuck for 49s! [packetdrill:155]
[  460.874560][    C1] Modules linked in:
[  460.874860][    C1] irq event stamp: 2014052
[ 460.875205][ C1] hardirqs last enabled at (2014052): _raw_spin_unlock_irqrestore (include/linux/spinlock_api_smp.h:151) 
[ 460.876055][ C1] hardirqs last disabled at (2014051): _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:108) 
[ 460.876889][ C1] softirqs last enabled at (2013784): mptcp_subflow_queue_clean (net/mptcp/subflow.c:1803) 
[ 460.877771][ C1] softirqs last disabled at (2013786): __lock_sock_fast (include/net/sock.h:1820) 
[  460.878583][    C1] CPU: 1 PID: 155 Comm: packetdrill Tainted: G        W          6.1.0-rc5 #365
[  460.879355][    C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 460.880074][ C1] RIP: 0010:kasan_check_range (arch/x86/include/asm/cpufeature.h:173) 
[ 460.880526][ C1] Code: 89 43 0c e8 69 e2 ff ff 89 43 08 5b 5d 41 5c c3 90 48 85 f6 0f 84 64 01 00 00 48 89 f8 41 54 44 0f b6 c2 55 53 48 01 f0 72 14 <eb> 28 0f 1f 00 48 ba ff ff ff ff ff ff ff fe 48 39 d7 77 25 44 89
All code
========
   0:	89 43 0c             	mov    %eax,0xc(%rbx)
   3:	e8 69 e2 ff ff       	call   0xffffffffffffe271
   8:	89 43 08             	mov    %eax,0x8(%rbx)
   b:	5b                   	pop    %rbx
   c:	5d                   	pop    %rbp
   d:	41 5c                	pop    %r12
   f:	c3                   	ret
  10:	90                   	nop
  11:	48 85 f6             	test   %rsi,%rsi
  14:	0f 84 64 01 00 00    	je     0x17e
  1a:	48 89 f8             	mov    %rdi,%rax
  1d:	41 54                	push   %r12
  1f:	44 0f b6 c2          	movzbl %dl,%r8d
  23:	55                   	push   %rbp
  24:	53                   	push   %rbx
  25:	48 01 f0             	add    %rsi,%rax
  28:	72 14                	jb     0x3e
  2a:*	eb 28                	jmp    0x54		<-- trapping instruction
  2c:	0f 1f 00             	nopl   (%rax)
  2f:	48 ba ff ff ff ff ff 	movabs $0xfeffffffffffffff,%rdx
  36:	ff ff fe 
  39:	48 39 d7             	cmp    %rdx,%rdi
  3c:	77 25                	ja     0x63
  3e:	44                   	rex.R
  3f:	89                   	.byte 0x89

Code starting with the faulting instruction
===========================================
   0:	eb 28                	jmp    0x2a
   2:	0f 1f 00             	nopl   (%rax)
   5:	48 ba ff ff ff ff ff 	movabs $0xfeffffffffffffff,%rdx
   c:	ff ff fe 
   f:	48 39 d7             	cmp    %rdx,%rdi
  12:	77 25                	ja     0x39
  14:	44                   	rex.R
  15:	89                   	.byte 0x89
[  460.882115][    C1] RSP: 0018:ffffc9000017f978 EFLAGS: 00000286
[  460.882622][    C1] RAX: ffff88800b49a09c RBX: ffff88800b49a098 RCX: ffffffffb5c94923
[  460.883261][    C1] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88800b49a098
[  460.883919][    C1] RBP: 0000000000000001 R08: 0000000000000000 R09: ffff88800b49a09b
[  460.884569][    C1] R10: ffffed1001693413 R11: 0000000000000001 R12: 0000000000000003
[  460.885199][    C1] R13: ffffed1001693413 R14: 0000000000000001 R15: dffffc0000000000
[  460.885776][    C1] FS:  00007f9fcf75c740(0000) GS:ffff88806cd00000(0000) knlGS:0000000000000000
[  460.886445][    C1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  460.886944][    C1] CR2: 00007fff6c3d9000 CR3: 0000000007a36000 CR4: 0000000000350ee0
[  460.887591][    C1] Call Trace:
[  460.887885][    C1]  <TASK>
[ 460.888140][ C1] queued_spin_lock_slowpath (arch/x86/include/asm/atomic.h:29) 
[ 460.888591][ C1] ? __printk_cpu_sync_put (include/linux/atomic/atomic-arch-fallback.h:243) 
[ 460.888995][ C1] ? _raw_write_unlock_irqrestore (kernel/locking/qspinlock.c:317) 
[ 460.889482][ C1] ? lock_acquire (kernel/locking/lockdep.c:5636) 
[ 460.889835][ C1] ? debug_object_activate (lib/debugobjects.c:864) 
[ 460.890270][ C1] ? rcu_read_unlock (include/linux/rcupdate.h:779 (discriminator 5)) 
[ 460.890659][ C1] do_raw_spin_lock (include/asm-generic/qspinlock.h:114) 
[ 460.891057][ C1] ? rwlock_bug.part.0 (kernel/locking/spinlock_debug.c:113) 
[ 460.891438][ C1] mptcp_destroy_common (include/linux/skbuff.h:1764) 
[ 460.891855][ C1] ? dump_stack_lvl (lib/dump_stack.c:108) 
[ 460.892207][ C1] mptcp_destroy (include/net/sock.h:1495) 
[ 460.892554][ C1] __mptcp_destroy_sock (net/mptcp/protocol.c:2886) 
[ 460.892963][ C1] __mptcp_close (net/mptcp/protocol.c:2959) 
[ 460.893337][ C1] mptcp_subflow_queue_clean (include/net/sock.h:1777) 
[ 460.893793][ C1] ? __local_bh_enable_ip (arch/x86/include/asm/irqflags.h:45) 
[ 460.894211][ C1] __mptcp_close_ssk (net/mptcp/protocol.c:2363) 
[ 460.894619][ C1] mptcp_destroy_common (net/mptcp/protocol.c:3170) 
[ 460.895041][ C1] ? __destroy_inode (fs/inode.c:287 (discriminator 2)) 
[ 460.895417][ C1] mptcp_destroy (include/net/sock.h:1495) 
[ 460.895757][ C1] __mptcp_destroy_sock (net/mptcp/protocol.c:2886) 
[ 460.896180][ C1] __mptcp_close (net/mptcp/protocol.c:2959) 
[ 460.896562][ C1] mptcp_close (net/mptcp/protocol.c:2974) 
[ 460.896901][ C1] inet_release (net/ipv4/af_inet.c:432) 
[ 460.897249][ C1] __sock_release (net/socket.c:651) 
[ 460.897616][ C1] sock_close (net/socket.c:1367) 
[ 460.897934][ C1] __fput (fs/file_table.c:320) 
[ 460.898264][ C1] task_work_run (kernel/task_work.c:181 (discriminator 1)) 
[ 460.898658][ C1] ? task_work_func_match (kernel/task_work.c:44) 
[ 460.899107][ C1] ? task_work_cancel (kernel/task_work.c:147) 
[ 460.899545][ C1] exit_to_user_mode_prepare (include/linux/resume_user_mode.h:49) 
[ 460.900036][ C1] syscall_exit_to_user_mode (kernel/entry/common.c:130) 
[ 460.900517][ C1] do_syscall_64 (arch/x86/entry/common.c:87) 
[ 460.900912][ C1] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[  460.901425][    C1] RIP: 0033:0x7f9fcf87413b
[ 460.901829][ C1] Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 b9 f7 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 91 b9 f7 ff 8b 44
All code
========
   0:	03 00                	add    (%rax),%eax
   2:	00 00                	add    %al,(%rax)
   4:	0f 05                	syscall
   6:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   c:	77 41                	ja     0x4f
   e:	c3                   	ret
   f:	48 83 ec 18          	sub    $0x18,%rsp
  13:	89 7c 24 0c          	mov    %edi,0xc(%rsp)
  17:	e8 43 b9 f7 ff       	call   0xfffffffffff7b95f
  1c:	8b 7c 24 0c          	mov    0xc(%rsp),%edi
  20:	41 89 c0             	mov    %eax,%r8d
  23:	b8 03 00 00 00       	mov    $0x3,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 35                	ja     0x67
  32:	44 89 c7             	mov    %r8d,%edi
  35:	89 44 24 0c          	mov    %eax,0xc(%rsp)
  39:	e8 91 b9 f7 ff       	call   0xfffffffffff7b9cf
  3e:	8b                   	.byte 0x8b
  3f:	44                   	rex.R

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 35                	ja     0x3d
   8:	44 89 c7             	mov    %r8d,%edi
   b:	89 44 24 0c          	mov    %eax,0xc(%rsp)
   f:	e8 91 b9 f7 ff       	call   0xfffffffffff7b9a5
  14:	8b                   	.byte 0x8b
  15:	44                   	rex.R
[  460.903553][    C1] RSP: 002b:00007fff6c30b190 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  460.904296][    C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f9fcf87413b
[  460.904995][    C1] RDX: 0000000000000000 RSI: 0000560709519830 RDI: 0000000000000007
[  460.905691][    C1] RBP: 00007fff6c30b1d0 R08: 0000000000000000 R09: 0000000000000000
[  460.906386][    C1] R10: 00007f9fcf979370 R11: 0000000000000293 R12: 00007fff6c30b698
[  460.907108][    C1] R13: 00005607090db2cb R14: 0000560709136978 R15: 00007f9fcf9c9040
[  460.907823][    C1]  </TASK>

[pabeni]

it looks like the issue is a pre-existing one (WRT TFO) !?! should be introduced by:

commit 30e51b9
Author: Menglong Dong imagedong@tencent.com
Date: Tue Sep 27 12:31:58 2022 -0700

mptcp: fix unreleased socket in accept queue

Could you please try the following patch? (not even compile tested)

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index 05099b3760b5..602cb2fe5148 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -1802,16 +1802,16 @@ void mptcp_subflow_queue_clean(struct sock *listener_ssk)
 
        for (msk = head; msk; msk = next) {
                struct sock *sk = (struct sock *)msk;
-               bool slow, do_cancel_work;
+               bool do_cancel_work;
 
                sock_hold(sk);
-               slow = lock_sock_fast_nested(sk);
+               lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
                next = msk->dl_next;
                msk->first = NULL;
                msk->dl_next = NULL;
 
                do_cancel_work = __mptcp_close(sk, 0);
-               unlock_sock_fast(sk, slow);
+               release_sock(sk);
                if (do_cancel_work)
                        mptcp_cancel_work(sk);
                sock_put(sk);

Additionally it would be nice add the test describe by the mentioned commit to our self-tests

[matttbe]

@pabeni: thank you for the quick reply!

Indeed, the patch fixes the issue I reported :-)

I did 100 iterations with the packetdrill test and a debug kernel config.

I guess you plan to send a patch to the ML, right? :)