diff options
author | Paolo Abeni <pabeni@redhat.com> | 2024-02-08 19:03:54 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2024-02-12 10:08:13 +0000 |
commit | 337cebbd850f94147cee05252778f8f78b8c337f (patch) | |
tree | b8285f6b5af2c0764e628f51630842e52aaf477e | |
parent | f012d796a6de662692159c539689e47e662853a8 (diff) | |
download | lwn-337cebbd850f94147cee05252778f8f78b8c337f.tar.gz lwn-337cebbd850f94147cee05252778f8f78b8c337f.zip |
mptcp: really cope with fastopen race
Fastopen and PM-trigger subflow shutdown can race, as reported by
syzkaller.
In my first attempt to close such race, I missed the fact that
the subflow status can change again before the subflow_state_change
callback is invoked.
Address the issue additionally copying with all the states directly
reachable from TCP_FIN_WAIT1.
Fixes: 1e777f39b4d7 ("mptcp: add MSG_FASTOPEN sendmsg flag support")
Fixes: 4fd19a307016 ("mptcp: fix inconsistent state on fastopen race")
Cc: stable@vger.kernel.org
Reported-by: syzbot+c53d4d3ddb327e80bc51@syzkaller.appspotmail.com
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/458
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/mptcp/protocol.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h index fefcbf585411..ed50f2015dc3 100644 --- a/net/mptcp/protocol.h +++ b/net/mptcp/protocol.h @@ -1129,7 +1129,8 @@ static inline bool subflow_simultaneous_connect(struct sock *sk) { struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk); - return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_FIN_WAIT1) && + return (1 << sk->sk_state) & + (TCPF_ESTABLISHED | TCPF_FIN_WAIT1 | TCPF_FIN_WAIT2 | TCPF_CLOSING) && is_active_ssk(subflow) && !subflow->conn_finished; } |