This is a note to let you know that I've just added the patch titled
mptcp: really cope with fastopen race
to the 6.7-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
mptcp-really-cope-with-fastopen-race.patch
and it can be found in the queue-6.7 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 337cebbd850f94147cee05252778f8f78b8c337f Mon Sep 17 00:00:00 2001
From: Paolo Abeni <pabeni@xxxxxxxxxx>
Date: Thu, 8 Feb 2024 19:03:54 +0100
Subject: mptcp: really cope with fastopen race
From: Paolo Abeni <pabeni@xxxxxxxxxx>
commit 337cebbd850f94147cee05252778f8f78b8c337f upstream.
Fastopen and PM-trigger subflow shutdown can race, as reported by
syzkaller.
In my first attempt to close such race, I missed the fact that
the subflow status can change again before the subflow_state_change
callback is invoked.
Address the issue additionally copying with all the states directly
reachable from TCP_FIN_WAIT1.
Fixes: 1e777f39b4d7 ("mptcp: add MSG_FASTOPEN sendmsg flag support")
Fixes: 4fd19a307016 ("mptcp: fix inconsistent state on fastopen race")
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: syzbot+c53d4d3ddb327e80bc51@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/458
Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
Reviewed-by: Mat Martineau <martineau@xxxxxxxxxx>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/mptcp/protocol.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -1118,7 +1118,8 @@ static inline bool subflow_simultaneous_
{
struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
- return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_FIN_WAIT1) &&
+ return (1 << sk->sk_state) &
+ (TCPF_ESTABLISHED | TCPF_FIN_WAIT1 | TCPF_FIN_WAIT2 | TCPF_CLOSING) &&
is_active_ssk(subflow) &&
!subflow->conn_finished;
}
Patches currently in stable-queue which might be from pabeni@xxxxxxxxxx are
queue-6.7/mptcp-really-cope-with-fastopen-race.patch
queue-6.7/mptcp-fix-rcv-space-initialization.patch
queue-6.7/mptcp-drop-the-push_pending-field.patch
queue-6.7/net-stmmac-do-not-clear-tbs-enable-bit-on-link-up-down.patch
queue-6.7/mptcp-fix-data-re-injection-from-stale-subflow.patch
queue-6.7/selftests-mptcp-increase-timeout-to-30-min.patch
queue-6.7/connector-cn_proc-revert-connector-fix-proc_event_num_listeners-count-not-cleared.patch
queue-6.7/selftests-net-fix-bridge-backup-port-test-flakiness.patch
