Hi Greg,
On 21/07/2025 12:55, gregkh@linuxfoundation.org wrote:
> The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.

(...)

> ------------------ original commit in Linus's tree ------------------
>
> From f8a1d9b18c5efc76784f5a326e905f641f839894 Mon Sep 17 00:00:00 2001
> From: Paolo Abeni <pabeni@redhat.com>
> Date: Mon, 14 Jul 2025 18:41:44 +0200
> Subject: [PATCH] mptcp: make fallback action and fallback decision atomic
>
> Syzkaller reported the following splat:

(...)

> Since we need to track the 'fallback is possible' condition and the fallback status separately, there are a few possible races open between the check and the actual fallback action.
>
> Add a spinlock to protect the fallback related information and use it to close all the possible related races. While at it also remove the too-early clearing of allow_infinite_fallback in __mptcp_subflow_connect(): the field will be correctly cleared by subflow_finish_connect() if/when the connection will complete successfully.
>
> If fallback is not possible, as per RFC, reset the current subflow.
>
> Since the fallback operation can now fail and the return value should be checked, rename the helper accordingly.
>
> Fixes: 0530020a7c8f ("mptcp: track and update contiguous data status")

FYI, I don't think backporting this commit f8a1d9b18c5e ("mptcp: make fallback action and fallback decision atomic") in v5.15 and v5.10 is worth it: triggering this warning is difficult and requires admin rights. Plus the fix is quite invasive, and causes many conflicts in these versions.
Same for commit def5b7b2643e ("mptcp: plug races between subflow fail and subflow creation") for v5.15 only which depends on the other one.
Cheers,
Matt
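
As an added illustration (not code from the kernel patch or from this thread), here is a userspace C model of the check-then-act race the quoted commit message describes and of the locked, fallible helper that closes it. Apart from `allow_infinite_fallback`, all names are hypothetical; a pthread mutex stands in for the kernel spinlock, and the race is replayed as a fixed interleaving rather than with real threads.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
/* Userspace model; only allow_infinite_fallback is a name from the commit message. */
struct msk_model {
    pthread_mutex_t lock;          /* stands in for the new fallback spinlock */
    bool allow_infinite_fallback;  /* "fallback is possible" condition */
    bool fallback_done;            /* fallback status */
    int extra_subflows;            /* subflows whose connection completed */
};
#define MSK_INIT { PTHREAD_MUTEX_INITIALIZER, true, false, 0 }

/* Decision and action in one critical section; the result must be checked. */
static bool try_fallback(struct msk_model *m) {
    pthread_mutex_lock(&m->lock);
    bool ok = m->allow_infinite_fallback;
    if (ok) m->fallback_done = true;
    pthread_mutex_unlock(&m->lock);
    return ok;                     /* false: the caller resets the subflow */
}

/* Competing path: a subflow connection completes, so fallback stops being possible. */
static bool subflow_completed(struct msk_model *m) {
    pthread_mutex_lock(&m->lock);
    bool ok = !m->fallback_done;   /* refusing after fallback: this model's assumption */
    if (ok) { m->allow_infinite_fallback = false; m->extra_subflows++; }
    pthread_mutex_unlock(&m->lock);
    return ok;
}

/* Pre-fix shape as a fixed interleaving: check, other path runs, then action. */
static bool racy_inconsistent(void) {
    struct msk_model m = MSK_INIT;
    bool may = m.allow_infinite_fallback;                   /* path A: unlocked check */
    m.allow_infinite_fallback = false; m.extra_subflows++;  /* path B, in the window */
    if (may) m.fallback_done = true;                        /* path A: stale decision */
    return m.fallback_done && m.extra_subflows > 0;
}

/* With the locked helpers, whichever path runs second fails, in either order. */
static bool locked_inconsistent(bool subflow_first) {
    struct msk_model m = MSK_INIT;
    bool first = subflow_first ? subflow_completed(&m) : try_fallback(&m);
    bool second = subflow_first ? try_fallback(&m) : subflow_completed(&m);
    return (first && second) || (m.fallback_done && m.extra_subflows > 0);
}

int main(void) {
    printf("%d %d %d\n", racy_inconsistent(), locked_inconsistent(true), locked_inconsistent(false));
}
```
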