mptcp: update rtx timeout only if required.

We must start the retransmission timer only there are
pending data in the rtx queue.
Otherwise we can hit a WARN_ON in mptcp_reset_timer(),
as syzbot demonstrated.

Reported-and-tested-by: syzbot+42aa53dafb66a07e5a24@syzkaller.appspotmail.com
Fixes: d9ca1de8c0cd ("mptcp: move page frag allocation in mptcp_sendmsg()")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Link: https://lore.kernel.org/r/1a72039f112cae048c44d398ffa14e0a1432db3d.1605737083.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 8df013d..aeda435 100644 (file)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -1261,11 +1261,12 @@ static void mptcp_push_pending(struct sock *sk, unsigned int flags)
                mptcp_push_release(sk, ssk, &info);
 
 out:
-       /* start the timer, if it's not pending */
-       if (!mptcp_timer_pending(sk))
-               mptcp_reset_timer(sk);
-       if (copied)
+       if (copied) {
+               /* start the timer, if it's not pending */
+               if (!mptcp_timer_pending(sk))
+                       mptcp_reset_timer(sk);
                __mptcp_check_send_data_fin(sk);
+       }
 }
 
 static int mptcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)