From nobody Mon Feb  9 21:36:51 2026
Delivered-To: wpasupplicant.patchew@gmail.com
Received: by 2002:a02:cbb9:0:0:0:0:0 with SMTP id v25csp7776799jap;
        Tue, 14 Dec 2021 15:16:19 -0800 (PST)
X-Google-Smtp-Source: 
 ABdhPJy93n+0zg4Mu2HqpPZ6bvtfKxrXCq29TeGBgxtQF6ib2w9tFhWkA+LQWW23KvqXtNUPW+uR
X-Received: by 2002:ac8:58d0:: with SMTP id u16mr9436051qta.150.1639523779164;
        Tue, 14 Dec 2021 15:16:19 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1639523779; cv=none;
        d=google.com; s=arc-20160816;
        b=YTtFzNStpqVKzzojT/T+nBTJmRzBOD2/SQtBJU+xRFlAdENFxLuTKkWXFv2122YlB5
         r2ua/7Y/rqpCLABnFS/savVgKqdeqYKUK8XKppKSGhHiRqbJmqqrIHDNZC2vZWHhnqPC
         MCXLj+72HDLahIpwNfQCp6DZEcuzZ2g4yN2Wq76I27K1MAUVhkcQYozvbw8iXePzbdOb
         5K4Dz2cOVIuI+Clt6Zm5Cg901DobnUywpto4GELIxEz211/T0DAo9amfRhArOsSoUHJk
         eyvzm6iSFi1aQTSZ3CCiGFEiaQdQLq/ez6WboWO1bOda13JXa+jKCZlEGakc6JlL7IYl
         c/8w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:message-id
         :date:subject:cc:to:from;
        bh=qve7J6E4xJyaIAqC5mfLblCFU1nXsNS2ShksRyv6WSo=;
        b=BYIcCXvQkLAJX9Xio9L6/WGwHsZm4hpF5r2H0yn5vVRSoG3yXDaahRw+2KcC1N6dla
         dwzBPDq3TtrIQT/dRs1gGhqQo4jaeluEVtZvXJ+0nsABdomZ5qsFXE2+G4Xy6/06Gt7P
         IROFh3AWSV3ELDzEJnYDht28Hr5ldAqzaeSZgN19bkZmVmI8yqbxlLbWz/H8XVJV9tn4
         EC3wdlOpafWRbuKkrI/AU4cMo8mqipBmqm++e4EmeCP/kQd6gXfiL+Yma5CONbrJ5By5
         S29XsLOTFDS/HVgGvB/wBIAxnotlG0kf2LRkfAO3OvxmGY/MOIOnAtOPSyPmk9uhKB60
         LKMw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of
 mptcp+bounces-2758-wpasupplicant.patchew=gmail.com@lists.linux.dev designates
 147.75.197.195 as permitted sender)
 smtp.mailfrom="mptcp+bounces-2758-wpasupplicant.patchew=gmail.com@lists.linux.dev";
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: 
 <mptcp+bounces-2758-wpasupplicant.patchew=gmail.com@lists.linux.dev>
Received: from ewr.edge.kernel.org (ewr.edge.kernel.org. [147.75.197.195])
        by mx.google.com with ESMTPS id z3si149875qtj.557.2021.12.14.15.16.19
        for <wpasupplicant.patchew@gmail.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 14 Dec 2021 15:16:19 -0800 (PST)
Received-SPF: pass (google.com: domain of
 mptcp+bounces-2758-wpasupplicant.patchew=gmail.com@lists.linux.dev designates
 147.75.197.195 as permitted sender) client-ip=147.75.197.195;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of
 mptcp+bounces-2758-wpasupplicant.patchew=gmail.com@lists.linux.dev designates
 147.75.197.195 as permitted sender)
 smtp.mailfrom="mptcp+bounces-2758-wpasupplicant.patchew=gmail.com@lists.linux.dev";
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
 [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ewr.edge.kernel.org (Postfix) with ESMTPS id CA64B1C0C62
	for <wpasupplicant.patchew@gmail.com>; Tue, 14 Dec 2021 23:16:18 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 4D6EA2CA4;
	Tue, 14 Dec 2021 23:16:16 +0000 (UTC)
X-Original-To: mptcp@lists.linux.dev
Received: from mga12.intel.com (mga12.intel.com [192.55.52.136])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 827822CB2
	for <mptcp@lists.linux.dev>; Tue, 14 Dec 2021 23:16:14 +0000 (UTC)
X-IronPort-AV: E=McAfee;i="6200,9189,10197"; a="219119108"
X-IronPort-AV: E=Sophos;i="5.88,206,1635231600";
   d="scan'208";a="219119108"
Received: from orsmga008.jf.intel.com ([10.7.209.65])
  by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 14 Dec 2021 15:16:10 -0800
X-IronPort-AV: E=Sophos;i="5.88,206,1635231600";
   d="scan'208";a="518491439"
Received: from mjmartin-desk2.amr.corp.intel.com (HELO
 mjmartin-desk2.intel.com) ([10.212.180.223])
  by orsmga008-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 14 Dec 2021 15:16:09 -0800
From: Mat Martineau <mathew.j.martineau@linux.intel.com>
To: netdev@vger.kernel.org
Cc: Maxim Galaganov <max@internet.ru>,
	davem@davemloft.net,
	kuba@kernel.org,
	matthieu.baerts@tessares.net,
	mptcp@lists.linux.dev,
	fw@strlen.de,
	Mat Martineau <mathew.j.martineau@linux.intel.com>
Subject: [PATCH net 3/4] mptcp: fix deadlock in __mptcp_push_pending()
Date: Tue, 14 Dec 2021 15:16:03 -0800
Message-Id: <20211214231604.211016-4-mathew.j.martineau@linux.intel.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20211214231604.211016-1-mathew.j.martineau@linux.intel.com>
References: <20211214231604.211016-1-mathew.j.martineau@linux.intel.com>
Precedence: bulk
X-Mailing-List: mptcp@lists.linux.dev
List-Id: <mptcp.lists.linux.dev>
List-Subscribe: <mailto:mptcp+subscribe@lists.linux.dev>
List-Unsubscribe: <mailto:mptcp+unsubscribe@lists.linux.dev>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Maxim Galaganov <max@internet.ru>

__mptcp_push_pending() may call mptcp_flush_join_list() with subflow
socket lock held. If such call hits mptcp_sockopt_sync_all() then
subsequently __mptcp_sockopt_sync() could try to lock the subflow
socket for itself, causing a deadlock.

sysrq: Show Blocked State
task:ss-server       state:D stack:    0 pid:  938 ppid:     1 flags:0x0000=
0000
Call Trace:
 <TASK>
 __schedule+0x2d6/0x10c0
 ? __mod_memcg_state+0x4d/0x70
 ? csum_partial+0xd/0x20
 ? _raw_spin_lock_irqsave+0x26/0x50
 schedule+0x4e/0xc0
 __lock_sock+0x69/0x90
 ? do_wait_intr_irq+0xa0/0xa0
 __lock_sock_fast+0x35/0x50
 mptcp_sockopt_sync_all+0x38/0xc0
 __mptcp_push_pending+0x105/0x200
 mptcp_sendmsg+0x466/0x490
 sock_sendmsg+0x57/0x60
 __sys_sendto+0xf0/0x160
 ? do_wait_intr_irq+0xa0/0xa0
 ? fpregs_restore_userregs+0x12/0xd0
 __x64_sys_sendto+0x20/0x30
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f9ba546c2d0
RSP: 002b:00007ffdc3b762d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f9ba56c8060 RCX: 00007f9ba546c2d0
RDX: 000000000000077a RSI: 0000000000e5e180 RDI: 0000000000000234
RBP: 0000000000cc57f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ba56c8060
R13: 0000000000b6ba60 R14: 0000000000cc7840 R15: 41d8685b1d7901b8
 </TASK>

Fix the issue by using __mptcp_flush_join_list() instead of plain
mptcp_flush_join_list() inside __mptcp_push_pending(), as suggested by
Florian. The sockopt sync will be deferred to the workqueue.

Fixes: 1b3e7ede1365 ("mptcp: setsockopt: handle SO_KEEPALIVE and SO_PRIORIT=
Y")
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/244
Suggested-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Maxim Galaganov <max@internet.ru>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
---
 net/mptcp/protocol.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 6dc1ff07994c..54613f5b7521 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -1524,7 +1524,7 @@ void __mptcp_push_pending(struct sock *sk, unsigned i=
nt flags)
 			int ret =3D 0;
=20
 			prev_ssk =3D ssk;
-			mptcp_flush_join_list(msk);
+			__mptcp_flush_join_list(msk);
 			ssk =3D mptcp_subflow_get_send(msk);
=20
 			/* First check. If the ssk has changed since
--=20
2.34.1