From b680a214ec281dbd44b5ebbf3f126a57f1ecf0f7 Mon Sep 17 00:00:00 2001 From: Paolo Abeni Date: Wed, 18 Nov 2020 23:05:34 +0100 Subject: [PATCH] mptcp: update rtx timeout only if required. We must start the retransmission timer only there are pending data in the rtx queue. Otherwise we can hit a WARN_ON in mptcp_reset_timer(), as syzbot demonstrated. Reported-and-tested-by: syzbot+42aa53dafb66a07e5a24@syzkaller.appspotmail.com Fixes: d9ca1de8c0cd ("mptcp: move page frag allocation in mptcp_sendmsg()") Signed-off-by: Paolo Abeni Reviewed-by: Mat Martineau Reported-by: Naresh Kamboju Tested-by: Naresh Kamboju Link: https://lore.kernel.org/r/1a72039f112cae048c44d398ffa14e0a1432db3d.1605737083.git.pabeni@redhat.com Signed-off-by: Jakub Kicinski --- net/mptcp/protocol.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 8df013daea88..aeda4357de9a 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -1261,11 +1261,12 @@ static void mptcp_push_pending(struct sock *sk, unsigned int flags) mptcp_push_release(sk, ssk, &info); out: - /* start the timer, if it's not pending */ - if (!mptcp_timer_pending(sk)) - mptcp_reset_timer(sk); - if (copied) + if (copied) { + /* start the timer, if it's not pending */ + if (!mptcp_timer_pending(sk)) + mptcp_reset_timer(sk); __mptcp_check_send_data_fin(sk); + } } static int mptcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)