Commit ce7356ae authored Nov 08, 2024 by Paolo Abeni Committed by Jakub Kicinski Nov 11, 2024

mptcp: cope racing subflow creation in mptcp_rcv_space_adjust



Additional active subflows - i.e. created by the in kernel path
manager - are included into the subflow list before starting the
3whs.

A racing recvmsg() spooling data received on an already established
subflow would unconditionally call tcp_cleanup_rbuf() on all the
current subflows, potentially hitting a divide by zero error on
the newly created ones.

Explicitly check that the subflow is in a suitable state before
invoking tcp_cleanup_rbuf().

Fixes: c76c6956 ("mptcp: call tcp_cleanup_rbuf on subflows")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/02374660836e1b52afc91966b7535c8c5f7bafb0.1731060874.git.pabeni@redhat.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 58130229

net/mptcp/protocol.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -2082,6 +2082,7 @@ static void mptcp_rcv_space_adjust(struct mptcp_sock *msk, int copied)
		slow = lock_sock_fast(ssk);
		WRITE_ONCE(ssk->sk_rcvbuf, rcvbuf);
		WRITE_ONCE(tcp_sk(ssk)->window_clamp, window_clamp);
		if (tcp_can_send_ack(ssk))
		tcp_cleanup_rbuf(ssk, 1);
		unlock_sock_fast(ssk, slow);
		}