Commit 5cd6e0ad79d2 for kernel

commit 5cd6e0ad79d2615264f63929f8b457ad97ae550d
Author: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Date:   Tue May 5 17:00:51 2026 +0200

    mptcp: pm: ADD_ADDR rtx: fix potential data-race

    This mptcp_pm_add_timer() helper is executed as a timer callback in
    softirq context. To avoid any data races, the socket lock needs to be
    held with bh_lock_sock().

    If the socket is in use, retry again soon after, similar to what is done
    with the keepalive timer.

    Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
    Cc: stable@vger.kernel.org
    Reviewed-by: Mat Martineau <martineau@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-3-fca8091060a4@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c
index 5056eb8db24e..3912128d9b86 100644
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -337,6 +337,13 @@ static void mptcp_pm_add_timer(struct timer_list *timer)
 	if (inet_sk_state_load(sk) == TCP_CLOSE)
 		return;

+	bh_lock_sock(sk);
+	if (sock_owned_by_user(sk)) {
+		/* Try again later. */
+		sk_reset_timer(sk, timer, jiffies + HZ / 20);
+		goto out;
+	}
+
 	if (mptcp_pm_should_add_signal_addr(msk)) {
 		sk_reset_timer(sk, timer, jiffies + TCP_RTO_MAX / 8);
 		goto out;
@@ -365,6 +372,7 @@ static void mptcp_pm_add_timer(struct timer_list *timer)
 		mptcp_pm_subflow_established(msk);

 out:
+	bh_unlock_sock(sk);
 	__sock_put(sk);
 }