mptcp: don't always assume copied data in mptcp_cleanup_rbuf()

Paolo Abeni · gregkh · commit 91b493f15d65 · 2025-01-09T13:30:07.000+01:00
commit 551844f26da2a9f76c0a698baaffa631d1178645 upstream. Under some corner cases the MPTCP protocol can end-up invoking mptcp_cleanup_rbuf() when no data has been copied, but such helper assumes the opposite condition. Explicitly drop such assumption and performs the costly call only when strictly needed - before releasing the msk socket lock. Fixes: fd89767 ("mptcp: be careful on MPTCP-level ack.") Cc: stable@vger.kernel.org Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20241230-net-mptcp-rbuf-fixes-v1-2-8608af434ceb@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
@@ -538,13 +538,13 @@ static void mptcp_send_ack(struct mptcp_sock *msk)
 		mptcp_subflow_send_ack(mptcp_subflow_tcp_sock(subflow));
 }
 
-static void mptcp_subflow_cleanup_rbuf(struct sock *ssk)
+static void mptcp_subflow_cleanup_rbuf(struct sock *ssk, int copied)
 {
 	bool slow;
 
 	slow = lock_sock_fast(ssk);
 	if (tcp_can_send_ack(ssk))
-		tcp_cleanup_rbuf(ssk, 1);
+		tcp_cleanup_rbuf(ssk, copied);
 	unlock_sock_fast(ssk, slow);
 }
 
@@ -561,22 +561,22 @@ static bool mptcp_subflow_could_cleanup(const struct sock *ssk, bool rx_empty)
 			      (ICSK_ACK_PUSHED2 | ICSK_ACK_PUSHED)));
 }
 
-static void mptcp_cleanup_rbuf(struct mptcp_sock *msk)
+static void mptcp_cleanup_rbuf(struct mptcp_sock *msk, int copied)
 {
 	int old_space = READ_ONCE(msk->old_wspace);
 	struct mptcp_subflow_context *subflow;
 	struct sock *sk = (struct sock *)msk;
 	int space =  __mptcp_space(sk);
 	bool cleanup, rx_empty;
 
-	cleanup = (space > 0) && (space >= (old_space << 1));
-	rx_empty = !__mptcp_rmem(sk);
+	cleanup = (space > 0) && (space >= (old_space << 1)) && copied;
+	rx_empty = !__mptcp_rmem(sk) && copied;
 
 	mptcp_for_each_subflow(msk, subflow) {
 		struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
 
 		if (cleanup || mptcp_subflow_could_cleanup(ssk, rx_empty))
-			mptcp_subflow_cleanup_rbuf(ssk);
+			mptcp_subflow_cleanup_rbuf(ssk, copied);
 	}
 }
 
@@ -2195,9 +2195,6 @@ static int mptcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
 
 		copied += bytes_read;
 
-		/* be sure to advertise window change */
-		mptcp_cleanup_rbuf(msk);
-
 		if (skb_queue_empty(&msk->receive_queue) && __mptcp_move_skbs(msk))
 			continue;
 
@@ -2249,13 +2246,16 @@ static int mptcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
 		}
 
 		pr_debug("block timeout %ld\n", timeo);
+		mptcp_cleanup_rbuf(msk, copied);
 		err = sk_wait_data(sk, &timeo, NULL);
 		if (err < 0) {
 			err = copied ? : err;
 			goto out_err;
 		}
 	}
 
+	mptcp_cleanup_rbuf(msk, copied);
+
 out_err:
 	if (cmsg_flags && copied >= 0) {
 		if (cmsg_flags & MPTCP_CMSG_TS)

Original file line number	Diff line number	Diff line change
`@@ -538,13 +538,13 @@ static void mptcp_send_ack(struct mptcp_sock *msk)`
`538`	`538`	`mptcp_subflow_send_ack(mptcp_subflow_tcp_sock(subflow));`
`539`	`539`	`}`
`540`	`540`
`541`		`-static void mptcp_subflow_cleanup_rbuf(struct sock *ssk)`
	`541`	`+static void mptcp_subflow_cleanup_rbuf(struct sock *ssk, int copied)`
`542`	`542`	`{`
`543`	`543`	`bool slow;`
`544`	`544`
`545`	`545`	`slow = lock_sock_fast(ssk);`
`546`	`546`	`if (tcp_can_send_ack(ssk))`
`547`		`- tcp_cleanup_rbuf(ssk, 1);`
	`547`	`+ tcp_cleanup_rbuf(ssk, copied);`
`548`	`548`	`unlock_sock_fast(ssk, slow);`
`549`	`549`	`}`
`550`	`550`
`@@ -561,22 +561,22 @@ static bool mptcp_subflow_could_cleanup(const struct sock *ssk, bool rx_empty)`
`561`	`561`	`(ICSK_ACK_PUSHED2 \| ICSK_ACK_PUSHED)));`
`562`	`562`	`}`
`563`	`563`
`564`		`-static void mptcp_cleanup_rbuf(struct mptcp_sock *msk)`
	`564`	`+static void mptcp_cleanup_rbuf(struct mptcp_sock *msk, int copied)`
`565`	`565`	`{`
`566`	`566`	`int old_space = READ_ONCE(msk->old_wspace);`
`567`	`567`	`struct mptcp_subflow_context *subflow;`
`568`	`568`	`struct sock sk = (struct sock )msk;`
`569`	`569`	`int space = __mptcp_space(sk);`
`570`	`570`	`bool cleanup, rx_empty;`
`571`	`571`
`572`		`- cleanup = (space > 0) && (space >= (old_space << 1));`
`573`		`- rx_empty = !__mptcp_rmem(sk);`
	`572`	`+ cleanup = (space > 0) && (space >= (old_space << 1)) && copied;`
	`573`	`+ rx_empty = !__mptcp_rmem(sk) && copied;`
`574`	`574`
`575`	`575`	`mptcp_for_each_subflow(msk, subflow) {`
`576`	`576`	`struct sock *ssk = mptcp_subflow_tcp_sock(subflow);`
`577`	`577`
`578`	`578`	`if (cleanup \|\| mptcp_subflow_could_cleanup(ssk, rx_empty))`
`579`		`- mptcp_subflow_cleanup_rbuf(ssk);`
	`579`	`+ mptcp_subflow_cleanup_rbuf(ssk, copied);`
`580`	`580`	`}`
`581`	`581`	`}`
`582`	`582`
`@@ -2195,9 +2195,6 @@ static int mptcp_recvmsg(struct sock sk, struct msghdr msg, size_t len,`
`2195`	`2195`
`2196`	`2196`	`copied += bytes_read;`
`2197`	`2197`
`2198`		`- /* be sure to advertise window change */`
`2199`		`- mptcp_cleanup_rbuf(msk);`
`2200`		`-`
`2201`	`2198`	`if (skb_queue_empty(&msk->receive_queue) && __mptcp_move_skbs(msk))`
`2202`	`2199`	`continue;`
`2203`	`2200`
`@@ -2249,13 +2246,16 @@ static int mptcp_recvmsg(struct sock sk, struct msghdr msg, size_t len,`
`2249`	`2246`	`}`
`2250`	`2247`
`2251`	`2248`	`pr_debug("block timeout %ld\n", timeo);`
	`2249`	`+ mptcp_cleanup_rbuf(msk, copied);`
`2252`	`2250`	`err = sk_wait_data(sk, &timeo, NULL);`
`2253`	`2251`	`if (err < 0) {`
`2254`	`2252`	`err = copied ? : err;`
`2255`	`2253`	`goto out_err;`
`2256`	`2254`	`}`
`2257`	`2255`	`}`
`2258`	`2256`
	`2257`	`+ mptcp_cleanup_rbuf(msk, copied);`
	`2258`	`+`
`2259`	`2259`	`out_err:`
`2260`	`2260`	`if (cmsg_flags && copied >= 0) {`
`2261`	`2261`	`if (cmsg_flags & MPTCP_CMSG_TS)`