mptcp: pm: ADD_ADDR rtx: fix potential data-race

[ Upstream commit 5cd6e0ad79d2615264f63929f8b457ad97ae550d ]

This mptcp_pm_add_timer() helper is executed as a timer callback in
softirq context. To avoid any data races, the socket lock needs to be
held with bh_lock_sock().

If the socket is in use, retry again soon after, similar to what is done
with the keepalive timer.

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-3-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ applied hunk to `net/mptcp/pm_netlink.c` instead of `net/mptcp/pm.c` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c
index 11743b37d01f67a914472f70e6bd5df6729b6e3a..b17eaea26ce4b11935d48b8921ea5b1e51a0ab0a 100644 (file)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -307,6 +307,13 @@ static void mptcp_pm_add_timer(struct timer_list *timer)
        if (!entry->addr.id)
                return;
 
+       bh_lock_sock(sk);
+       if (sock_owned_by_user(sk)) {
+               /* Try again later. */
+               sk_reset_timer(sk, timer, jiffies + HZ / 20);
+               goto out;
+       }
+
        if (mptcp_pm_should_add_signal_addr(msk)) {
                sk_reset_timer(sk, timer, jiffies + TCP_RTO_MAX / 8);
                goto out;
@@ -335,6 +342,7 @@ static void mptcp_pm_add_timer(struct timer_list *timer)
                mptcp_pm_subflow_established(msk);
 
 out:
+       bh_unlock_sock(sk);
        __sock_put(sk);
 }