mptcp: Do not iterate indefinitely over write-queue

syzkaller found a way to put multiple SKBs in the write-queue while TFO
was being used. This then made the list-traversla in
mptcp_rcv_synsent_fastopen continuously iterate as we keep on moving
skbs to the end.

We really should not move an skb in the write-queue. Just adjust the
sequence numbers.

Fixes: 6b9e2a0 ("mptcp: TFO: check both queues when syn data not acked")
Cc: Benjamin Hesmans <[email protected]>
Signed-off-by: Christoph Paasch <[email protected]>
Signed-off-by: Matthieu Baerts <[email protected]>
(cherry picked from commit 366c8ca)
Signed-off-by: Matthieu Baerts <[email protected]>
(cherry picked from commit f2eb227)
Signed-off-by: Matthieu Baerts <[email protected]>

net/mptcp/mptcp_input.c

@@ -2229,8 +2229,7 @@ static void _mptcp_rcv_synsent_fastopen(struct sock *meta_sk,
 	 * comes from __tcp_retransmit_skb().
 	 */
 	if (before(TCP_SKB_CB(skb)->seq, master_tp->snd_una)) {
-		BUG_ON(before(TCP_SKB_CB(skb)->end_seq,
-			      master_tp->snd_una));
+		BUG_ON(before(TCP_SKB_CB(skb)->end_seq, master_tp->snd_una));
 		/* tcp_trim_head can only returns ENOMEM if skb is
 		 * cloned. It is not the case here (see
 		 * tcp_send_syn_data).
@@ -2246,12 +2245,11 @@ static void _mptcp_rcv_synsent_fastopen(struct sock *meta_sk,
 
 	if (rtx_queue)
 		tcp_rtx_queue_unlink(skb, meta_sk);
-	else
-		tcp_unlink_write_queue(skb, meta_sk);
 
 	INIT_LIST_HEAD(&skb->tcp_tsorted_anchor);
 
-	tcp_add_write_queue_tail(meta_sk, skb);
+	if (rtx_queue)
+		tcp_add_write_queue_tail(meta_sk, skb);
 }
 
 /* In case of fastopen, some data can already be in the write queue.
@@ -2275,7 +2273,7 @@ static void mptcp_rcv_synsent_fastopen(struct sock *meta_sk)
 	 * this data to data sequence numbers.
 	 */
 
-	WARN_ON(skb_write_head && skb_rtx_head);
+	BUG_ON(skb_write_head && skb_rtx_head);
 
 	if (skb_write_head) {
 		skb_queue_walk_from_safe(&meta_sk->sk_write_queue,