UPSTREAM: mptcp: really cope with fastopen race

Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller. In my first attempt to close such race, I missed the fact that the subflow status can change again before the subflow_state_change callback is invoked. Address the issue additionally copying with all the states directly reachable from TCP_FIN_WAIT1. Fixes: 1e777f3 ("mptcp: add MSG_FASTOPEN sendmsg flag support") Fixes: 4fd19a307016 ("mptcp: fix inconsistent state on fastopen race") Cc: stable@vger.kernel.org Reported-by: syzbot+c53d4d3ddb327e80bc51@syzkaller.appspotmail.com Closes: multipath-tcp/mptcp_net-next#458 Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 337cebbd850f94147cee05252778f8f78b8c337f) BUG=None TEST=None Signed-off-by: Linux Patches Robot <linux-patches-robot@chromeos-missing-patches.google.com.iam.gserviceaccount.com> Change-Id: I38c3ef0dd0901d03152693851a8cc21c46f904d2 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5316317 Reviewed-by: Sean Paul <sean@poorly.run> Commit-Queue: Tzung-Bi Shih <tzungbi@chromium.org> Reviewed-by: Tzung-Bi Shih <tzungbi@chromium.org>
greenforce-project · Feb 22, 2024 · da0ace2 · da0ace2
1 parent e902633
commit da0ace2
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
@@ -1104,7 +1104,8 @@ static inline bool subflow_simultaneous_connect(struct sock *sk)
 {
 	struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
 
-	return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_FIN_WAIT1) &&
+	return (1 << sk->sk_state) &
+	       (TCPF_ESTABLISHED | TCPF_FIN_WAIT1 | TCPF_FIN_WAIT2 | TCPF_CLOSING) &&
 	       is_active_ssk(subflow) &&
 	       !subflow->conn_finished;
 }