subflow: explicitly check for plain tcp rsk

When syncookie are in use, the TCP stack may feed into
subflow_syn_recv_sock() plain TCP request sockets. We can't
access mptcp_subflow_request_sock-specific fields on such
sockets. Explicitly check the rsk ops to do safe accesses.

Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Tested-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index 7f3ef18..3ef445f 100644 (file)
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -415,7 +415,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
 
        /* hopefully temporary handling for MP_JOIN+syncookie */
        subflow_req = mptcp_subflow_rsk(req);
-       fallback_is_fatal = subflow_req->mp_join;
+       fallback_is_fatal = tcp_rsk(req)->is_mptcp && subflow_req->mp_join;
        fallback = !tcp_rsk(req)->is_mptcp;
        if (fallback)
                goto create_child;