mptcp: don't always assume copied data in mptcp_cleanup_rbuf()

Paolo Abeni · gregkh · commit f61e663d78ff · 2025-01-09T13:32:09.000+01:00
commit 551844f upstream. Under some corner cases the MPTCP protocol can end-up invoking mptcp_cleanup_rbuf() when no data has been copied, but such helper assumes the opposite condition. Explicitly drop such assumption and performs the costly call only when strictly needed - before releasing the msk socket lock. Fixes: fd89767 ("mptcp: be careful on MPTCP-level ack.") Cc: stable@vger.kernel.org Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20241230-net-mptcp-rbuf-fixes-v1-2-8608af434ceb@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
@@ -528,13 +528,13 @@ static void mptcp_send_ack(struct mptcp_sock *msk)
 		mptcp_subflow_send_ack(mptcp_subflow_tcp_sock(subflow));
 }
 
-static void mptcp_subflow_cleanup_rbuf(struct sock *ssk)
+static void mptcp_subflow_cleanup_rbuf(struct sock *ssk, int copied)
 {
 	bool slow;
 
 	slow = lock_sock_fast(ssk);
 	if (tcp_can_send_ack(ssk))
-		tcp_cleanup_rbuf(ssk, 1);
+		tcp_cleanup_rbuf(ssk, copied);
 	unlock_sock_fast(ssk, slow);
 }
 
@@ -551,22 +551,22 @@ static bool mptcp_subflow_could_cleanup(const struct sock *ssk, bool rx_empty)
 			      (ICSK_ACK_PUSHED2 | ICSK_ACK_PUSHED)));
 }
 
-static void mptcp_cleanup_rbuf(struct mptcp_sock *msk)
+static void mptcp_cleanup_rbuf(struct mptcp_sock *msk, int copied)
 {
 	int old_space = READ_ONCE(msk->old_wspace);
 	struct mptcp_subflow_context *subflow;
 	struct sock *sk = (struct sock *)msk;
 	int space =  __mptcp_space(sk);
 	bool cleanup, rx_empty;
 
-	cleanup = (space > 0) && (space >= (old_space << 1));
-	rx_empty = !__mptcp_rmem(sk);
+	cleanup = (space > 0) && (space >= (old_space << 1)) && copied;
+	rx_empty = !__mptcp_rmem(sk) && copied;
 
 	mptcp_for_each_subflow(msk, subflow) {
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
 
 		if (cleanup || mptcp_subflow_could_cleanup(ssk, rx_empty))
-			mptcp_subflow_cleanup_rbuf(ssk);
+			mptcp_subflow_cleanup_rbuf(ssk, copied);
 	}
 }
 
@@ -2183,9 +2183,6 @@ static int mptcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
 
 		copied += bytes_read;
 
-		/* be sure to advertise window change */
-		mptcp_cleanup_rbuf(msk);
-
 		if (skb_queue_empty(&msk->receive_queue) && __mptcp_move_skbs(msk))
 			continue;
 
@@ -2234,13 +2231,16 @@ static int mptcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
 		}
 
 		pr_debug("block timeout %ld\n", timeo);
+		mptcp_cleanup_rbuf(msk, copied);
 		err = sk_wait_data(sk, &timeo, NULL);
 		if (err < 0) {
 			err = copied ? : err;
 			goto out_err;
 		}
 	}
 
+	mptcp_cleanup_rbuf(msk, copied);
+
 out_err:
 	if (cmsg_flags && copied >= 0) {
 		if (cmsg_flags & MPTCP_CMSG_TS)

Original file line number	Diff line number	Diff line change
`@@ -528,13 +528,13 @@ static void mptcp_send_ack(struct mptcp_sock *msk)`
`528`	`528`	`mptcp_subflow_send_ack(mptcp_subflow_tcp_sock(subflow));`
`529`	`529`	`}`
`530`	`530`
`531`		`-static void mptcp_subflow_cleanup_rbuf(struct sock *ssk)`
	`531`	`+static void mptcp_subflow_cleanup_rbuf(struct sock *ssk, int copied)`
`532`	`532`	`{`
`533`	`533`	`bool slow;`
`534`	`534`
`535`	`535`	`slow = lock_sock_fast(ssk);`
`536`	`536`	`if (tcp_can_send_ack(ssk))`
`537`		`- tcp_cleanup_rbuf(ssk, 1);`
	`537`	`+ tcp_cleanup_rbuf(ssk, copied);`
`538`	`538`	`unlock_sock_fast(ssk, slow);`
`539`	`539`	`}`
`540`	`540`
`@@ -551,22 +551,22 @@ static bool mptcp_subflow_could_cleanup(const struct sock *ssk, bool rx_empty)`
`551`	`551`	`(ICSK_ACK_PUSHED2 \| ICSK_ACK_PUSHED)));`
`552`	`552`	`}`
`553`	`553`
`554`		`-static void mptcp_cleanup_rbuf(struct mptcp_sock *msk)`
	`554`	`+static void mptcp_cleanup_rbuf(struct mptcp_sock *msk, int copied)`
`555`	`555`	`{`
`556`	`556`	`int old_space = READ_ONCE(msk->old_wspace);`
`557`	`557`	`struct mptcp_subflow_context *subflow;`
`558`	`558`	`struct sock sk = (struct sock )msk;`
`559`	`559`	`int space = __mptcp_space(sk);`
`560`	`560`	`bool cleanup, rx_empty;`
`561`	`561`
`562`		`- cleanup = (space > 0) && (space >= (old_space << 1));`
`563`		`- rx_empty = !__mptcp_rmem(sk);`
	`562`	`+ cleanup = (space > 0) && (space >= (old_space << 1)) && copied;`
	`563`	`+ rx_empty = !__mptcp_rmem(sk) && copied;`
`564`	`564`
`565`	`565`	`mptcp_for_each_subflow(msk, subflow) {`
`566`	`566`	`struct sock *ssk = mptcp_subflow_tcp_sock(subflow);`
`567`	`567`
`568`	`568`	`if (cleanup \|\| mptcp_subflow_could_cleanup(ssk, rx_empty))`
`569`		`- mptcp_subflow_cleanup_rbuf(ssk);`
	`569`	`+ mptcp_subflow_cleanup_rbuf(ssk, copied);`
`570`	`570`	`}`
`571`	`571`	`}`
`572`	`572`
`@@ -2183,9 +2183,6 @@ static int mptcp_recvmsg(struct sock sk, struct msghdr msg, size_t len,`
`2183`	`2183`
`2184`	`2184`	`copied += bytes_read;`
`2185`	`2185`
`2186`		`- /* be sure to advertise window change */`
`2187`		`- mptcp_cleanup_rbuf(msk);`
`2188`		`-`
`2189`	`2186`	`if (skb_queue_empty(&msk->receive_queue) && __mptcp_move_skbs(msk))`
`2190`	`2187`	`continue;`
`2191`	`2188`
`@@ -2234,13 +2231,16 @@ static int mptcp_recvmsg(struct sock sk, struct msghdr msg, size_t len,`
`2234`	`2231`	`}`
`2235`	`2232`
`2236`	`2233`	`pr_debug("block timeout %ld\n", timeo);`
	`2234`	`+ mptcp_cleanup_rbuf(msk, copied);`
`2237`	`2235`	`err = sk_wait_data(sk, &timeo, NULL);`
`2238`	`2236`	`if (err < 0) {`
`2239`	`2237`	`err = copied ? : err;`
`2240`	`2238`	`goto out_err;`
`2241`	`2239`	`}`
`2242`	`2240`	`}`
`2243`	`2241`
	`2242`	`+ mptcp_cleanup_rbuf(msk, copied);`
	`2243`	`+`
`2244`	`2244`	`out_err:`
`2245`	`2245`	`if (cmsg_flags && copied >= 0) {`
`2246`	`2246`	`if (cmsg_flags & MPTCP_CMSG_TS)`