syzbot |
```
==================================================================
BUG: KCSAN: data-race in mptcp_recvmsg / mptcp_space

write to 0xffff888103acf620 of 1 bytes by task 7248 on cpu 0:
 mptcp_rcv_space_adjust net/mptcp/protocol.c:2050 [inline]
 __mptcp_recvmsg_mskq net/mptcp/protocol.c:2000 [inline]
 mptcp_recvmsg+0x8d8/0x1400 net/mptcp/protocol.c:2217
 inet6_recvmsg+0x171/0x290 net/ipv6/af_inet6.c:678
 sock_recvmsg_nosec net/socket.c:1023 [inline]
 sock_recvmsg+0x9a/0x170 net/socket.c:1045
 ____sys_recvmsg+0xf9/0x280 net/socket.c:2793
 ___sys_recvmsg net/socket.c:2835 [inline]
 do_recvmmsg+0x2aa/0x6d0 net/socket.c:2930
 __sys_recvmmsg net/socket.c:3004 [inline]
 __do_sys_recvmmsg net/socket.c:3027 [inline]
 __se_sys_recvmmsg net/socket.c:3020 [inline]
 __x64_sys_recvmmsg+0xe2/0x170 net/socket.c:3020
 x64_sys_call+0x2a9a/0x2dc0 arch/x86/include/generated/asm/syscalls_64.h:300
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff888103acf620 of 1 bytes by interrupt on cpu 1:
 mptcp_win_from_space net/mptcp/protocol.h:394 [inline]
 mptcp_space+0x144/0x1e0 net/mptcp/subflow.c:1447
 __tcp_select_window+0x136/0x970 net/ipv4/tcp_output.c:3101
 tcp_select_window net/ipv4/tcp_output.c:278 [inline]
 __tcp_transmit_skb+0x766/0x19d0 net/ipv4/tcp_output.c:1408
 __tcp_send_ack+0x1de/0x300 net/ipv4/tcp_output.c:4275
 tcp_send_ack+0x27/0x30 net/ipv4/tcp_output.c:4281
 __tcp_ack_snd_check+0x369/0x590 net/ipv4/tcp_input.c:5787
 tcp_ack_snd_check net/ipv4/tcp_input.c:5833 [inline]
 tcp_rcv_established+0x938/0xe30 net/ipv4/tcp_input.c:6291
 tcp_v6_do_rcv+0x745/0xaa0 net/ipv6/tcp_ipv6.c:1644
 tcp_v6_rcv+0x1949/0x1c40 net/ipv6/tcp_ipv6.c:1914
 ip6_protocol_deliver_rcu+0x9f2/0x1090 net/ipv6/ip6_input.c:436
 ip6_input_finish net/ipv6/ip6_input.c:480 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ip6_input+0xbf/0x1c0 net/ipv6/ip6_input.c:491
 dst_input include/net/dst.h:469 [inline]
 ip6_rcv_finish+0x1fa/0x330 net/ipv6/ip6_input.c:79
 ip_sabotage_in+0x139/0x150 net/bridge/br_netfilter_hooks.c:993
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0x86/0x1b0 net/netfilter/core.c:626
 nf_hook include/linux/netfilter.h:269 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ipv6_rcv+0x113/0x150 net/ipv6/ip6_input.c:309
 __netif_receive_skb_one_core net/core/dev.c:5893 [inline]
 __netif_receive_skb+0xa2/0x280 net/core/dev.c:6006
 netif_receive_skb_internal net/core/dev.c:6092 [inline]
 netif_receive_skb+0x4a/0x320 net/core/dev.c:6151
 br_netif_receive_skb net/bridge/br_input.c:30 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 br_pass_frame_up+0x239/0x310 net/bridge/br_input.c:70
 br_handle_frame_finish+0xd46/0xe90
 br_nf_hook_thresh+0x1e5/0x220
 br_nf_pre_routing_finish_ipv6+0x575/0x5a0
 NF_HOOK include/linux/netfilter.h:314 [inline]
 br_nf_pre_routing_ipv6+0x1f6/0x2a0 net/bridge/br_netfilter_ipv6.c:184
 br_nf_pre_routing+0x517/0xbc0 net/bridge/br_netfilter_hooks.c:508
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:282 [inline]
 br_handle_frame+0x4e0/0x9b0 net/bridge/br_input.c:433
 __netif_receive_skb_core+0xb1a/0x2350 net/core/dev.c:5787
 __netif_receive_skb_one_core net/core/dev.c:5891 [inline]
 __netif_receive_skb+0x5a/0x280 net/core/dev.c:6006
 process_backlog+0x22e/0x440 net/core/dev.c:6354
 __napi_poll+0x63/0x3c0 net/core/dev.c:7188
 napi_poll net/core/dev.c:7257 [inline]
 net_rx_action+0x3a1/0x7f0 net/core/dev.c:7379
 handle_softirqs+0xbf/0x280 kernel/softirq.c:561
 do_softirq+0x5e/0x90 kernel/softirq.c:462
 __local_bh_enable_ip+0x6e/0x70 kernel/softirq.c:389
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
 __dev_queue_xmit+0xb6e/0x2090 net/core/dev.c:4676
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip6_finish_output2+0x9d9/0xd60 net/ipv6/ip6_output.c:141
 ip6_finish_output+0x438/0x540 net/ipv6/ip6_output.c:226
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip6_output+0xf5/0x230 net/ipv6/ip6_output.c:247
 dst_output include/net/dst.h:459 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ip6_xmit+0x807/0xc80 net/ipv6/ip6_output.c:366
 inet6_csk_xmit+0x1d1/0x210 net/ipv6/inet6_connection_sock.c:135
 __tcp_transmit_skb+0x12be/0x19d0 net/ipv4/tcp_output.c:1471
 tcp_transmit_skb net/ipv4/tcp_output.c:1489 [inline]
 tcp_write_xmit+0x1217/0x3020 net/ipv4/tcp_output.c:2832
 __tcp_push_pending_frames+0x6a/0x1a0 net/ipv4/tcp_output.c:3015
 tcp_push+0x320/0x340 net/ipv4/tcp.c:751
 tcp_sendmsg_locked+0x21a1/0x26a0 net/ipv4/tcp.c:1326
 tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1358
 inet6_sendmsg+0x77/0xd0 net/ipv6/af_inet6.c:659
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg+0x8b/0x180 net/socket.c:733
 sock_sendmsg+0xc4/0x130 net/socket.c:756
 rds_tcp_xmit+0x3b8/0x610 net/rds/tcp_send.c:125
 rds_send_xmit+0xba2/0x1480 net/rds/send.c:366
 rds_send_worker+0x42/0x1d0 net/rds/threads.c:200
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0x4db/0xa20 kernel/workqueue.c:3319
 worker_thread+0x51d/0x6f0 kernel/workqueue.c:3400
 kthread+0x4ae/0x520 kernel/kthread.c:464
 ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

value changed: 0x80 -> 0xbf

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 51 Comm: kworker/u8:3 Not tainted 6.14.0-rc5-syzkaller-00234-gb7c90e3e717a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: krdsd rds_send_worker
==================================================================
```

Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2025/03/09 13:12 | upstream | b7c90e3e717a | 163f510d | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-kcsan-gce | KCSAN: data-race in mptcp_recvmsg / mptcp_space |