mptcp: plug races between subflow fail and subflow creation

	pr_debug("fail_seq=%llu\n", fail_seq);

	if (!READ_ONCE(msk->allow_infinite_fallback))

	/* After accepting the fail, we can't create any other subflows */

	spin_lock_bh(&msk->fallback_lock);

	if (!msk->allow_infinite_fallback) {

		spin_unlock_bh(&msk->fallback_lock);

		return;

	}

	msk->allow_subflows = false;

	spin_unlock_bh(&msk->fallback_lock);

	if (!subflow->fail_tout) {

		pr_debug("send MP_FAIL response and infinite map\n");

static void mptcp_subflow_joined(struct mptcp_sock *msk, struct sock *ssk)

{

	mptcp_subflow_ctx(ssk)->map_seq = READ_ONCE(msk->ack_seq);

	WRITE_ONCE(msk->allow_infinite_fallback, false);

	msk->allow_infinite_fallback = false;

	mptcp_event(MPTCP_EVENT_SUB_ESTABLISHED, msk, ssk, GFP_ATOMIC);

}

		return false;

	spin_lock_bh(&msk->fallback_lock);

	if (__mptcp_check_fallback(msk)) {

	if (!msk->allow_subflows) {

		spin_unlock_bh(&msk->fallback_lock);

		return false;

	}

				len = max(copied, len);

				tcp_push(ssk, 0, info.mss_now, tcp_sk(ssk)->nonagle,

					 info.size_goal);

				WRITE_ONCE(msk->allow_infinite_fallback, false);

				msk->allow_infinite_fallback = false;

			}

			spin_unlock_bh(&msk->fallback_lock);

	WRITE_ONCE(msk->first, NULL);

	inet_csk(sk)->icsk_sync_mss = mptcp_sync_mss;

	WRITE_ONCE(msk->csum_enabled, mptcp_is_checksum_enabled(sock_net(sk)));

	WRITE_ONCE(msk->allow_infinite_fallback, true);

	msk->allow_infinite_fallback = true;

	msk->allow_subflows = true;

	msk->recovery = false;

	msk->subflow_id = 1;

	msk->last_data_sent = tcp_jiffies32;

	/* active subflow, already present inside the conn_list */

	if (!list_empty(&subflow->node)) {

		spin_lock_bh(&msk->fallback_lock);

		if (__mptcp_check_fallback(msk)) {

		if (!msk->allow_subflows) {

			spin_unlock_bh(&msk->fallback_lock);

			return false;

		}

		u64	rtt_us; /* last maximum rtt of subflows */

	} rcvq_space;

	u8		scaling_ratio;

	bool		allow_subflows;

	u32		subflow_id;

	u32		setsockopt_seq;

	char		ca_name[TCP_CA_NAME_MAX];

	spinlock_t	fallback_lock;	/* protects fallback and

					 * allow_infinite_fallback

	spinlock_t	fallback_lock;	/* protects fallback,

					 * allow_infinite_fallback and

					 * allow_join

					 */

};

		return false;

	}

	msk->allow_subflows = false;

	set_bit(MPTCP_FALLBACK_DONE, &msk->flags);

	spin_unlock_bh(&msk->fallback_lock);

	return true;

		mptcp_schedule_work(sk);

}

static void mptcp_subflow_fail(struct mptcp_sock *msk, struct sock *ssk)

static bool mptcp_subflow_fail(struct mptcp_sock *msk, struct sock *ssk)

{

	struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);

	unsigned long fail_tout;

	/* we are really failing, prevent any later subflow join */

	spin_lock_bh(&msk->fallback_lock);

	if (!msk->allow_infinite_fallback) {

		spin_unlock_bh(&msk->fallback_lock);

		return false;

	}

	msk->allow_subflows = false;

	spin_unlock_bh(&msk->fallback_lock);

	/* graceful failure can happen only on the MPC subflow */

	if (WARN_ON_ONCE(ssk != READ_ONCE(msk->first)))

		return;

		return false;

	/* since the close timeout take precedence on the fail one,

	 * no need to start the latter when the first is already set

	 */

	if (sock_flag((struct sock *)msk, SOCK_DEAD))

		return;

		return true;

	/* we don't need extreme accuracy here, use a zero fail_tout as special

	 * value meaning no fail timeout at all;

	tcp_send_ack(ssk);

	mptcp_reset_tout_timer(msk, subflow->fail_tout);

	return true;

}

static bool subflow_check_data_avail(struct sock *ssk)

		    (subflow->mp_join || subflow->valid_csum_seen)) {

			subflow->send_mp_fail = 1;

			if (!READ_ONCE(msk->allow_infinite_fallback)) {

			if (!mptcp_subflow_fail(msk, ssk)) {

				subflow->reset_transient = 0;

				subflow->reset_reason = MPTCP_RST_EMIDDLEBOX;

				goto reset;

			}

			mptcp_subflow_fail(msk, ssk);

			WRITE_ONCE(subflow->data_avail, true);

			return true;

		}