From: "Matthieu Baerts (NGI0)"
To: mptcp@lists.linux.dev, stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: Geliang Tang, sashal@kernel.org, Paolo Abeni, Mat Martineau, "David S. Miller", Matthieu Baerts
Subject: [PATCH 5.15.y 1/6] mptcp: track and update contiguous data status
Date: Sat, 19 Oct 2024 11:30:47 +0200
Message-ID: <20241019093045.3181989-9-matttbe@kernel.org>
In-Reply-To: <20241019093045.3181989-8-matttbe@kernel.org>
References: <20241019093045.3181989-8-matttbe@kernel.org>
X-Mailing-List: mptcp@lists.linux.dev
From: Geliang Tang

commit 0530020a7c8f2204e784f0dbdc882bbd961fdbde upstream.

This patch adds a new member allow_infinite_fallback in mptcp_sock, which is initialized to 'true' when the connection begins and is set to 'false' on any retransmit or successful MP_JOIN.

Only do infinite mapping fallback if there is a single subflow AND there have been no retransmissions AND there have never been any MP_JOINs.

Suggested-by: Paolo Abeni
Signed-off-by: Geliang Tang
Signed-off-by: Mat Martineau
Signed-off-by: David S. Miller
Stable-dep-of: e32d262c89e2 ("mptcp: handle consistently DSS corruption")
[ Conflicts in protocol.c, because commit 3e5014909b56 ("mptcp: cleanup MPJ subflow list handling") is not in this version. This commit is linked to a new feature, changing the context around. The new line can still be added at the same place.
  Conflicts in protocol.h, because commit 4f6e14bd19d6 ("mptcp: support TCP_CORK and TCP_NODELAY") is not in this version. This commit is linked to a new feature, changing the context around. The new line can still be added at the same place.
  Conflicts in subflow.c, because commit 0348c690ed37 ("mptcp: add the fallback check") is not in this version. This commit is linked to a new feature, changing the context around. The new line can still be added at the same place. ]
Signed-off-by: Matthieu Baerts (NGI0)
---
 net/mptcp/protocol.c | 3 +++
 net/mptcp/protocol.h | 1 +
 net/mptcp/subflow.c  | 4 +++-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index da2a1a150bc6..73a0b0d15382 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2472,6 +2472,7 @@ static void __mptcp_retrans(struct sock *sk) dfrag->already_sent =3D max(dfrag->already_sent, info.sent); tcp_push(ssk, 0, info.mss_now, tcp_sk(ssk)->nonagle, info.size_goal); + WRITE_ONCE(msk->allow_infinite_fallback, false); } =20 release_sock(ssk);
@@ -2549,6 +2550,7 @@ static int __mptcp_init_sock(struct sock *sk) msk->first =3D NULL; inet_csk(sk)->icsk_sync_mss =3D mptcp_sync_mss; WRITE_ONCE(msk->csum_enabled, mptcp_is_checksum_enabled(sock_net(sk))); + WRITE_ONCE(msk->allow_infinite_fallback, true); msk->recovery =3D false; =20 mptcp_pm_data_init(msk); @@ -3299,6 +3301,7 @@ bool mptcp_finish_join(struct sock *ssk) if (parent_sock && !ssk->sk_socket) mptcp_sock_graft(ssk, parent_sock); subflow->map_seq =3D READ_ONCE(msk->ack_seq); + WRITE_ONCE(msk->allow_infinite_fallback, false); out: mptcp_event(MPTCP_EVENT_SUB_ESTABLISHED, msk, ssk, GFP_ATOMIC); return true; diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h index 9e0a5591d4e1..5d458c3161cd 100644 --- a/net/mptcp/protocol.h +++ b/net/mptcp/protocol.h @@ -249,6 +249,7 @@ struct mptcp_sock { bool rcv_fastclose; bool use_64bit_ack; /* Set when we received a 64-bit DSN */ bool csum_enabled; + bool allow_infinite_fallback; spinlock_t join_list_lock; int keepalive_cnt; int keepalive_idle; diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index e71082dd6484..412823af2c1d 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -1219,7 +1219,8 @@ static bool subflow_check_data_avail(struct sock *ssk) fallback: /* RFC 8684 section 3.7. */ if (subflow->send_mp_fail) { - if (mptcp_has_another_subflow(ssk)) { + if (mptcp_has_another_subflow(ssk) || + !READ_ONCE(msk->allow_infinite_fallback)) { while ((skb =3D skb_peek(&ssk->sk_receive_queue))) sk_eat_skb(ssk, skb); } 
@@ -1481,6 +1482,7 @@ int __mptcp_subflow_connect(struct sock *sk, const st= ruct mptcp_addr_info *loc, /* discard the subflow socket */ mptcp_sock_graft(ssk, sk->sk_socket); iput(SOCK_INODE(sf)); + WRITE_ONCE(msk->allow_infinite_fallback, false); return err; =20 failed_unlink:
-- 
2.45.2
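Review bot: in the __mptcp_retrans() hunk the flag is cleared unconditionally right after tcp_push(), so one spurious retransmission disables infinite-mapping fallback for the rest of the connection's lifetime and nothing in the series re-arms it. That matches the commit message ("set to 'false' on any retransmit"), but a one-line comment at the WRITE_ONCE saying the clear is sticky would save the next reader from hunting for the re-enable path.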
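Review bot: the new `bool allow_infinite_fallback;` member in struct mptcp_sock is the only field in that group without a trailing comment, while its neighbours document themselves (`bool use_64bit_ack; /* Set when we received a 64-bit DSN */`). Suggest `bool allow_infinite_fallback; /* single subflow, no retrans, no MP_JOIN yet */` so the invariant stated in the commit message lives next to the field it guards.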
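Review bot: the added `!READ_ONCE(msk->allow_infinite_fallback)` test under the `fallback:` label in subflow_check_data_avail() needs `msk` in scope there, and the backport note says this function's context differs from upstream because 0348c690ed37 is missing; the hunk's context lines do not show the declaration, so please confirm `msk` is assigned before that label in the 5.15 version of the function.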
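Review bot: the clear in __mptcp_subflow_connect() sits on the success path right after iput(), i.e. at subflow creation and before any MP_JOIN completes, while the commit message only lists "any retransmit or successful MP_JOIN" as triggers. Either extend the message with "or when an additional subflow is created" or add a comment at this WRITE_ONCE; the mptcp_finish_join() hunk already covers the passive side.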
From: "Matthieu Baerts (NGI0)"
To: mptcp@lists.linux.dev, stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: Paolo Abeni, sashal@kernel.org, Matthieu Baerts, Jakub Kicinski
Subject: [PATCH 5.15.y 2/6] mptcp: handle consistently DSS corruption
Date: Sat, 19 Oct 2024 11:30:48 +0200
Message-ID: <20241019093045.3181989-10-matttbe@kernel.org>
In-Reply-To: <20241019093045.3181989-8-matttbe@kernel.org>
References: <20241019093045.3181989-8-matttbe@kernel.org>
X-Mailing-List: mptcp@lists.linux.dev
From: Paolo Abeni

commit e32d262c89e2b22cb0640223f953b548617ed8a6 upstream.

A bugged peer implementation can send corrupted DSS options, consistently hitting a few warnings in the data path.

Use DEBUG_NET assertions, to avoid the splat on some builds and handle consistently the error, dumping related MIBs and performing fallback and/or reset according to the subflow type.

Fixes: 6771bfd9ee24 ("mptcp: update mptcp ack sequence from work queue")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni
Reviewed-by: Matthieu Baerts (NGI0)
Signed-off-by: Matthieu Baerts (NGI0)
Link: https://patch.msgid.link/20241008-net-mptcp-fallback-fixes-v1-1-c6fb8e93e551@kernel.org
Signed-off-by: Jakub Kicinski
[ Conflicts in mib.[ch], because commit 104125b82e5c ("mptcp: add mib for infinite map sending") is linked to a new feature, not available in this version. Resolving the conflicts is easy, simply adding the new lines declaring the new "DSS corruptions" MIB entries.
  Also removed in protocol.c and subflow.c all DEBUG_NET_WARN_ON_ONCE because they are not defined in this version: enough with the MIB counters that have been added in this commit. ]
Signed-off-by: Matthieu Baerts (NGI0)
---
 net/mptcp/mib.c      | 2 ++
 net/mptcp/mib.h      | 2 ++
 net/mptcp/protocol.c | 20 +++++++++++++++++---
 net/mptcp/subflow.c  | 2 +-
 4 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/net/mptcp/mib.c b/net/mptcp/mib.c index c2fadfcfd6d6..08f82e1ca2f7 100644 --- a/net/mptcp/mib.c +++ b/net/mptcp/mib.c
@@ -26,6 +26,8 @@ static const struct snmp_mib mptcp_snmp_list[] =3D { SNMP_MIB_ITEM("MPJoinAckRx", MPTCP_MIB_JOINACKRX), SNMP_MIB_ITEM("MPJoinAckHMacFailure", MPTCP_MIB_JOINACKMAC), SNMP_MIB_ITEM("DSSNotMatching", MPTCP_MIB_DSSNOMATCH), + SNMP_MIB_ITEM("DSSCorruptionFallback", MPTCP_MIB_DSSCORRUPTIONFALLBACK), + SNMP_MIB_ITEM("DSSCorruptionReset", MPTCP_MIB_DSSCORRUPTIONRESET), SNMP_MIB_ITEM("InfiniteMapRx", MPTCP_MIB_INFINITEMAPRX), SNMP_MIB_ITEM("DSSNoMatchTCP", MPTCP_MIB_DSSTCPMISMATCH), SNMP_MIB_ITEM("DataCsumErr", MPTCP_MIB_DATACSUMERR), diff --git a/net/mptcp/mib.h b/net/mptcp/mib.h index 90025acdcf72..1b7f6d24904b 100644 --- a/net/mptcp/mib.h +++ b/net/mptcp/mib.h @@ -19,6 +19,8 @@ enum linux_mptcp_mib_field { MPTCP_MIB_JOINACKRX, /* Received an ACK + MP_JOIN */ MPTCP_MIB_JOINACKMAC, /* HMAC was wrong on ACK + MP_JOIN */ MPTCP_MIB_DSSNOMATCH, /* Received a new mapping that did not match the p= revious one */ + MPTCP_MIB_DSSCORRUPTIONFALLBACK,/* DSS corruption detected, fallback */ + MPTCP_MIB_DSSCORRUPTIONRESET, /* DSS corruption detected, MPJ subflow res= et */ MPTCP_MIB_INFINITEMAPRX, /* Received an infinite mapping */ MPTCP_MIB_DSSTCPMISMATCH, /* DSS-mapping did not map with TCP's sequence = numbers */ MPTCP_MIB_DATACSUMERR, /* The data checksum fail */ diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 73a0b0d15382..34c98596350e 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -554,6 +554,18 @@ static bool mptcp_check_data_fin(struct sock *sk) return ret; } =20 +static void mptcp_dss_corruption(struct mptcp_sock *msk, struct sock *ssk) +{ + if (READ_ONCE(msk->allow_infinite_fallback)) { + MPTCP_INC_STATS(sock_net(ssk), + MPTCP_MIB_DSSCORRUPTIONFALLBACK); + mptcp_do_fallback(ssk); + } else { + MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DSSCORRUPTIONRESET); + mptcp_subflow_reset(ssk); + } +} + static bool __mptcp_move_skbs_from_subflow(struct mptcp_sock *msk, struct sock *ssk, unsigned int *bytes) 
@@ -626,10 +638,12 @@ static bool __mptcp_move_skbs_from_subflow(struct mpt= cp_sock *msk, moved +=3D len; seq +=3D len; =20 - if (WARN_ON_ONCE(map_remaining < len)) - break; + if (unlikely(map_remaining < len)) + mptcp_dss_corruption(msk, ssk); } else { - WARN_ON_ONCE(!fin); + if (unlikely(!fin)) + mptcp_dss_corruption(msk, ssk); + sk_eat_skb(ssk, skb); done =3D true; } diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 412823af2c1d..7eff961267d0 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c 
@@ -847,7 +847,7 @@ static bool skb_is_fully_mapped(struct sock *ssk, struc= t sk_buff *skb) unsigned int skb_consumed; =20 skb_consumed =3D tcp_sk(ssk)->copied_seq - TCP_SKB_CB(skb)->seq; - if (WARN_ON_ONCE(skb_consumed >=3D skb->len)) + if (unlikely(skb_consumed >=3D skb->len)) return true; =20 return skb->len - skb_consumed <=3D subflow->map_data_len -
-- 
2.45.2
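Review bot: the two SNMP_MIB_ITEM entries in mib.c are inserted between "DSSNotMatching" and "InfiniteMapRx", and the two enum values in mib.h are inserted at the same relative position (after MPTCP_MIB_DSSNOMATCH, before MPTCP_MIB_INFINITEMAPRX), so the name and value tables stay aligned. Since the 5.15 table differs from upstream (no infinite-map-sending MIB), that alignment deserves a sentence in the backport note: an off-by-one here would silently mislabel every counter that follows in the exported table.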
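Review bot: in the __mptcp_move_skbs_from_subflow() hunk the `map_remaining < len` case used to `break` out of the loop and now calls mptcp_dss_corruption() and falls through to the rest of the iteration, so the skb whose mapping was just found inconsistent is still consumed with `moved` and `seq` already advanced. Please confirm that continuing is intended after mptcp_subflow_reset(ssk) as well as after mptcp_do_fallback(ssk), or add a comment; the upstream DEBUG_NET_WARN_ON_ONCE that documented the expectation was dropped in this backport, so the loop now carries no hint.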
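Review bot: skb_is_fully_mapped() now silently returns true on `skb_consumed >=3D skb->len` where it used to WARN_ON_ONCE, and unlike the protocol.c paths it bumps no MIB counter, so on 5.15 this symptom of a corrupted mapping leaves no trace at all. A short comment explaining why `true` is the safe answer (nothing of the skb is left to map) would help, or a MPTCP_INC_STATS() call if the maintainers want it counted like the other two sites.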
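As an added example (not code from the series or the kernel tree), a small Python monitor for the counters this patch introduces: it assumes the mptcp_snmp_list table is exported as the "MPTcpExt" name/value line pair in /proc/net/netstat, diffs two constructed snapshots, and reports whether the fallback branch or the reset branch of mptcp_dss_corruption() fired.

```python
"""Spot DSS-corruption handling from MPTCP MIB counters.

Added example, not part of the patch series. It parses the MPTcpExt
name/value line pair (assumed /proc/net/netstat layout), diffs two
snapshots and reports which branch of mptcp_dss_corruption() fired.
The snapshots below are constructed and list only a subset of counters.
"""
from typing import Dict

# Counter names from the mib.c hunk; the two DSSCorruption* ones are new.
WATCHED = (
    "DSSNotMatching",
    "DSSCorruptionFallback",
    "DSSCorruptionReset",
    "InfiniteMapRx",
)

# Constructed snapshots: a short MPTcpExt table before and after a peer
# sent an inconsistent DSS mapping on a single-subflow connection.
SNAPSHOT_BEFORE = """\
TcpExt: SyncookiesSent SyncookiesRecv
TcpExt: 0 0
MPTcpExt: MPJoinAckRx MPJoinAckHMacFailure DSSNotMatching DSSCorruptionFallback DSSCorruptionReset InfiniteMapRx DSSNoMatchTCP DataCsumErr
MPTcpExt: 3 0 1 0 0 0 0 0
"""
SNAPSHOT_AFTER = """\
TcpExt: SyncookiesSent SyncookiesRecv
TcpExt: 0 0
MPTcpExt: MPJoinAckRx MPJoinAckHMacFailure DSSNotMatching DSSCorruptionFallback DSSCorruptionReset InfiniteMapRx DSSNoMatchTCP DataCsumErr
MPTcpExt: 3 0 1 2 0 0 0 0
"""


def parse_mptcp_ext(netstat_text: str) -> Dict[str, int]:
    """Map counter name -> value from the MPTcpExt name line and value line."""
    rows = [line.split() for line in netstat_text.splitlines()
            if line.startswith("MPTcpExt:")]
    if len(rows) != 2:
        raise ValueError("expected exactly one MPTcpExt name/value line pair")
    names, values = rows[0][1:], rows[1][1:]
    if len(names) != len(values):
        # A misaligned table is exactly what an off-by-one between the
        # mib.c and mib.h orderings would produce; refuse to guess.
        raise ValueError("MPTcpExt name/value count mismatch")
    return {name: int(value) for name, value in zip(names, values)}


def counter_delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Increments of the watched counters between two snapshots.

    A name missing from a snapshot (older kernel without this patch)
    counts as 0 rather than raising, so the monitor keeps working.
    """
    return {name: after.get(name, 0) - before.get(name, 0) for name in WATCHED}


def classify(delta: Dict[str, int]) -> str:
    """Which branch of mptcp_dss_corruption() the increments point at.

    'reset'    -> allow_infinite_fallback was false: the subflow was reset
    'fallback' -> allow_infinite_fallback was true: infinite-mapping
                  fallback to plain TCP on the single subflow
    'none'     -> no new DSS corruption seen
    """
    if delta["DSSCorruptionReset"] > 0:
        return "reset"
    if delta["DSSCorruptionFallback"] > 0:
        return "fallback"
    return "none"


def report(before_text: str, after_text: str) -> str:
    """One-line summary suitable for a log line or an alert."""
    delta = counter_delta(parse_mptcp_ext(before_text), parse_mptcp_ext(after_text))
    verdict = classify(delta)
    changed = ", ".join(f"{k}+{v}" for k, v in delta.items() if v)
    return f"dss-corruption={verdict} {changed or 'no change'}"


if __name__ == "__main__":
    print(report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

On a live host the two snapshots would be successive reads of /proc/net/netstat; a non-zero DSSCorruptionReset on a connection you expected to stay multipath is the signal worth alerting on.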
From: "Matthieu Baerts (NGI0)"
To: mptcp@lists.linux.dev, stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: Paolo Abeni, sashal@kernel.org, syzbot+d1bff73460e33101f0e7@syzkaller.appspotmail.com, Matthieu Baerts, Jakub Kicinski
Subject: [PATCH 5.15.y 3/6] tcp: fix mptcp DSS corruption due to large pmtu xmit
Date: Sat, 19 Oct 2024 11:30:49 +0200
Message-ID: <20241019093045.3181989-11-matttbe@kernel.org>
In-Reply-To: <20241019093045.3181989-8-matttbe@kernel.org>
References: <20241019093045.3181989-8-matttbe@kernel.org>
X-Mailing-List: mptcp@lists.linux.dev
From: Paolo Abeni

commit 4dabcdf581217e60690467a37c956a5b8dbc6bd9 upstream.

Syzkaller was able to trigger a DSS corruption:

TCP: request_sock_subflow_v4: Possible SYN flooding on port [::]:20002. Sending cookies.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5227 at net/mptcp/protocol.c:695 __mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695
Modules linked in:
CPU: 0 UID: 0 PID: 5227 Comm: syz-executor350 Not tainted 6.11.0-syzkaller-08829-gaf9c191ac2a0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:__mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695
Call Trace:
 move_skbs_to_msk net/mptcp/protocol.c:811 [inline]
 mptcp_data_ready+0x29c/0xa90 net/mptcp/protocol.c:854
 subflow_data_ready+0x34a/0x920 net/mptcp/subflow.c:1490
 tcp_data_queue+0x20fd/0x76c0 net/ipv4/tcp_input.c:5283
 tcp_rcv_established+0xfba/0x2020 net/ipv4/tcp_input.c:6237
 tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915
 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2350
 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233
 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
 __netif_receive_skb_one_core net/core/dev.c:5662 [inline]
 __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5775
 process_backlog+0x662/0x15b0 net/core/dev.c:6107
 __napi_poll+0xcb/0x490 net/core/dev.c:6771
 napi_poll net/core/dev.c:6840 [inline]
 net_rx_action+0x89b/0x1240 net/core/dev.c:6962
 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554
 do_softirq+0x11b/0x1e0 kernel/softirq.c:455
 __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
 __dev_queue_xmit+0x1764/0x3e80 net/core/dev.c:4451
 dev_queue_xmit include/linux/netdevice.h:3094 [inline]
 neigh_hh_output include/net/neighbour.h:526 [inline]
 neigh_output include/net/neighbour.h:540 [inline]
 ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236
 ip_local_out net/ipv4/ip_output.c:130 [inline]
 __ip_queue_xmit+0x118c/0x1b80 net/ipv4/ip_output.c:536
 __tcp_transmit_skb+0x2544/0x3b30 net/ipv4/tcp_output.c:1466
 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
 tcp_mtu_probe net/ipv4/tcp_output.c:2547 [inline]
 tcp_write_xmit+0x641d/0x6bf0 net/ipv4/tcp_output.c:2752
 __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:3015
 tcp_push_pending_frames include/net/tcp.h:2107 [inline]
 tcp_data_snd_check net/ipv4/tcp_input.c:5714 [inline]
 tcp_rcv_established+0x1026/0x2020 net/ipv4/tcp_input.c:6239
 tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915
 sk_backlog_rcv include/net/sock.h:1113 [inline]
 __release_sock+0x214/0x350 net/core/sock.c:3072
 release_sock+0x61/0x1f0 net/core/sock.c:3626
 mptcp_push_release net/mptcp/protocol.c:1486 [inline]
 __mptcp_push_pending+0x6b5/0x9f0 net/mptcp/protocol.c:1625
 mptcp_sendmsg+0x10bb/0x1b10 net/mptcp/protocol.c:1903
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x1a6/0x270 net/socket.c:745
 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2603
 ___sys_sendmsg net/socket.c:2657 [inline]
 __sys_sendmsg+0x2aa/0x390 net/socket.c:2686
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Additionally syzkaller provided a nice reproducer. The repro enables pmtu on the loopback device, leading to tcp_mtu_probe() generating very large probe packets.

tcp_can_coalesce_send_queue_head() currently does not check for mptcp-level invariants, and allowed the creation of cross-DSS probes, leading to the mentioned corruption.

Address the issue teaching tcp_can_coalesce_send_queue_head() about mptcp using the tcp_skb_can_collapse(), also reducing the code duplication.

Fixes: 85712484110d ("tcp: coalesce/collapse must respect MPTCP extensions")
Cc: stable@vger.kernel.org
Reported-by: syzbot+d1bff73460e33101f0e7@syzkaller.appspotmail.com
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/513
Signed-off-by: Paolo Abeni
Acked-by: Matthieu Baerts (NGI0)
Signed-off-by: Matthieu Baerts (NGI0)
Link: https://patch.msgid.link/20241008-net-mptcp-fallback-fixes-v1-2-c6fb8e93e551@kernel.org
Signed-off-by: Jakub Kicinski
[ Conflict in tcp_output.c, because commit 65249feb6b3d ("net: add support for skbs with unreadable frags"), and commit 9b65b17db723 ("net: avoid double accounting for pure zerocopy skbs") are not in this version. These commits are linked to new features and introduce new conditions which cause the conflicts. Resolving this is easy: we can ignore the missing new condition, and use tcp_skb_can_collapse() like in the original patch. ]
Signed-off-by: Matthieu Baerts (NGI0)
---
 net/ipv4/tcp_output.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 2c9670c83202..44eedae43eaa 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c
@@ -2308,7 +2308,7 @@ static bool tcp_can_coalesce_send_queue_head(struct s= ock *sk, int len) if (len <=3D skb->len) break; =20 - if (unlikely(TCP_SKB_CB(skb)->eor) || tcp_has_tx_tstamp(skb)) + if (tcp_has_tx_tstamp(skb) || !tcp_skb_can_collapse(skb, next)) return false; =20 len -=3D skb->len;
-- 
2.45.2
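Review bot: the rewritten condition drops the explicit `unlikely(TCP_SKB_CB(skb)->eor)` test and relies on `!tcp_skb_can_collapse(skb, next)` to cover it. The hunk's context lines do not show `next`, and the backport note only talks about the missing zerocopy and unreadable-frags conditions, so please confirm that the 5.15 loop body defines `next` and that tcp_skb_can_collapse() in this tree checks both `eor` and the MPTCP extension; otherwise the EOR guard is silently lost in the backport.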
From: "Matthieu Baerts (NGI0)"
To: mptcp@lists.linux.dev, stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: "Matthieu Baerts (NGI0)", sashal@kernel.org, Christoph Paasch, Paolo Abeni, Jakub Kicinski
Subject: [PATCH 5.15.y 4/6] mptcp: fallback when MPTCP opts are dropped after 1st data
Date: Sat, 19 Oct 2024 11:30:50 +0200
Message-ID: <20241019093045.3181989-12-matttbe@kernel.org>
In-Reply-To: <20241019093045.3181989-8-matttbe@kernel.org>
References: <20241019093045.3181989-8-matttbe@kernel.org>
X-Mailing-List: mptcp@lists.linux.dev

commit 119d51e225febc8152476340a880f5415a01e99e upstream.
As reported by Christoph [1], before this patch, an MPTCP connection was wrongly reset when a host received a first data packet with MPTCP options after the 3wHS, but got the next ones without.

According to the MPTCP v1 specs [2], a fallback should happen in this case, because the host didn't receive a DATA_ACK from the other peer, nor receive data for more than the initial window which implies a DATA_ACK being received by the other peer.

The patch here re-uses the same logic as the one used in other places: by looking at allow_infinite_fallback, which is disabled at the creation of an additional subflow. It's not looking at the first DATA_ACK (or implying one received from the other side) as suggested by the RFC, but it is in continuation with what was already done, which is safer, and it fixes the reported issue. The next step, looking at this first DATA_ACK, is tracked in [4].

This patch has been validated using the following Packetdrill script:

 0 socket(..., SOCK_STREAM, IPPROTO_MPTCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0

// 3WHS is OK
+0.0 < S 0:0(0) win 65535
+0.0 > S. 0:0(0) ack 1
+0.1 < . 1:1(0) ack 1 win 2048
+0 accept(3, ..., ...) = 4

// Data from the client with valid MPTCP options (no DATA_ACK: normal)
+0.1 < P. 1:501(500) ack 1 win 2048
// From here, the MPTCP options will be dropped by a middlebox
+0.0 > . 1:1(0) ack 501

+0.1 read(4, ..., 500) = 500
+0 write(4, ..., 100) = 100

// The server replies with data, still thinking MPTCP is being used
+0.0 > P. 1:101(100) ack 501
// But the client already did a fallback to TCP, because the two previous packets have been received without MPTCP options
+0.1 < . 501:501(0) ack 101 win 2048

+0.0 < P. 501:601(100) ack 101 win 2048
// The server should fallback to TCP, not reset: it didn't get a DATA_ACK, nor data for more than the initial window
+0.0 > . 101:101(0) ack 601

Note that this script requires Packetdrill with MPTCP support, see [3].

Fixes: dea2b1ea9c70 ("mptcp: do not reset MP_CAPABLE subflow on mapping errors")
Cc: stable@vger.kernel.org
Reported-by: Christoph Paasch
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/518 [1]
Link: https://datatracker.ietf.org/doc/html/rfc8684#name-fallback [2]
Link: https://github.com/multipath-tcp/packetdrill [3]
Link: https://github.com/multipath-tcp/mptcp_net-next/issues/519 [4]
Reviewed-by: Paolo Abeni
Signed-off-by: Matthieu Baerts (NGI0)
Link: https://patch.msgid.link/20241008-net-mptcp-fallback-fixes-v1-3-c6fb8e93e551@kernel.org
Signed-off-by: Jakub Kicinski
Signed-off-by: Matthieu Baerts (NGI0)
---
 net/mptcp/subflow.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 7eff961267d0..feb146a62f97 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c
@@ -1152,7 +1152,7 @@ static bool subflow_can_fallback(struct mptcp_subflow= _context *subflow) else if (READ_ONCE(msk->csum_enabled)) return !subflow->valid_csum_seen; else - return !subflow->fully_established; + return READ_ONCE(msk->allow_infinite_fallback); } =20 static bool subflow_check_data_avail(struct sock *ssk)
-- 
2.45.2
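Review bot: the new return value in the final else branch, `READ_ONCE(msk->allow_infinite_fallback)`, does not implement the RFC 8684 condition the commit message itself quotes (no DATA_ACK received and no more than an initial window of data exchanged): per the commit message, allow_infinite_fallback is cleared only when an additional subflow is created, so a single-subflow connection stays eligible for fallback long after the RFC's window has closed. That is a documented choice tracked in [4], but nothing at the call site says so; a one-line comment on the else branch ("conservative approximation of the RFC 8684 fallback rule, see [4]") would stop a later reader from "fixing" it back to `!subflow->fully_established`, which is exactly the reset the commit message shows. The READ_ONCE() matches the `READ_ONCE(msk->csum_enabled)` read in the sibling branch, which is consistent provided the writers of allow_infinite_fallback use WRITE_ONCE() (not visible in this hunk).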
From: "Matthieu Baerts (NGI0)"
To: mptcp@lists.linux.dev, stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: "Matthieu Baerts (NGI0)", sashal@kernel.org, syzbot+3c8b7a8e7df6a2a226ca@syzkaller.appspotmail.com, Paolo Abeni
Subject: [PATCH 5.15.y 5/6] mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow
Date: Sat, 19 Oct 2024 11:30:51 +0200
Message-ID: <20241019093045.3181989-13-matttbe@kernel.org>
In-Reply-To: <20241019093045.3181989-8-matttbe@kernel.org>
References: <20241019093045.3181989-8-matttbe@kernel.org>

commit 7decd1f5904a489d3ccdcf131972f94645681689 upstream.
Syzkaller reported this splat:

  ==================================================================
  BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881
  Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662

  CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
  Call Trace:
   __dump_stack lib/dump_stack.c:94 [inline]
   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
   print_address_description mm/kasan/report.c:377 [inline]
   print_report+0xc3/0x620 mm/kasan/report.c:488
   kasan_report+0xd9/0x110 mm/kasan/report.c:601
   mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881
   mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline]
   mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572
   mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603
   genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115
   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
   genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210
   netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551
   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
   netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
   netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357
   netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901
   sock_sendmsg_nosec net/socket.c:729 [inline]
   __sock_sendmsg net/socket.c:744 [inline]
   ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607
   ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661
   __sys_sendmsg+0x117/0x1f0 net/socket.c:2690
   do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
   __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386
   do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
   entry_SYSENTER_compat_after_hwframe+0x84/0x8e
  RIP: 0023:0xf7fe4579
  Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
  RSP: 002b:00000000f574556c EFLAGS: 00000296 ORIG_RAX: 0000000000000172
  RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000020000140
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
  RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

  Allocated by task 5387:
   kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
   kasan_save_track+0x14/0x30 mm/kasan/common.c:68
   poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
   __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
   kmalloc_noprof include/linux/slab.h:878 [inline]
   kzalloc_noprof include/linux/slab.h:1014 [inline]
   subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803
   subflow_ulp_init+0xc3/0x4d0 net/mptcp/subflow.c:1956
   __tcp_set_ulp net/ipv4/tcp_ulp.c:146 [inline]
   tcp_set_ulp+0x326/0x7f0 net/ipv4/tcp_ulp.c:167
   mptcp_subflow_create_socket+0x4ae/0x10a0 net/mptcp/subflow.c:1764
   __mptcp_subflow_connect+0x3cc/0x1490 net/mptcp/subflow.c:1592
   mptcp_pm_create_subflow_or_signal_addr+0xbda/0x23a0 net/mptcp/pm_netlink.c:642
   mptcp_pm_nl_fully_established net/mptcp/pm_netlink.c:650 [inline]
   mptcp_pm_nl_work+0x3a1/0x4f0 net/mptcp/pm_netlink.c:943
   mptcp_worker+0x15a/0x1240 net/mptcp/protocol.c:2777
   process_one_work+0x958/0x1b30 kernel/workqueue.c:3229
   process_scheduled_works kernel/workqueue.c:3310 [inline]
   worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
   kthread+0x2c1/0x3a0 kernel/kthread.c:389
   ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

  Freed by task 113:
   kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
   kasan_save_track+0x14/0x30 mm/kasan/common.c:68
   kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
   poison_slab_object mm/kasan/common.c:247 [inline]
   __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
   kasan_slab_free include/linux/kasan.h:230 [inline]
   slab_free_hook mm/slub.c:2342 [inline]
   slab_free mm/slub.c:4579 [inline]
   kfree+0x14f/0x4b0 mm/slub.c:4727
   kvfree+0x47/0x50 mm/util.c:701
   kvfree_rcu_list+0xf5/0x2c0 kernel/rcu/tree.c:3423
   kvfree_rcu_drain_ready kernel/rcu/tree.c:3563 [inline]
   kfree_rcu_monitor+0x503/0x8b0 kernel/rcu/tree.c:3632
   kfree_rcu_shrink_scan+0x245/0x3a0 kernel/rcu/tree.c:3966
   do_shrink_slab+0x44f/0x11c0 mm/shrinker.c:435
   shrink_slab+0x32b/0x12a0 mm/shrinker.c:662
   shrink_one+0x47e/0x7b0 mm/vmscan.c:4818
   shrink_many mm/vmscan.c:4879 [inline]
   lru_gen_shrink_node mm/vmscan.c:4957 [inline]
   shrink_node+0x2452/0x39d0 mm/vmscan.c:5937
   kswapd_shrink_node mm/vmscan.c:6765 [inline]
   balance_pgdat+0xc19/0x18f0 mm/vmscan.c:6957
   kswapd+0x5ea/0xbf0 mm/vmscan.c:7226
   kthread+0x2c1/0x3a0 kernel/kthread.c:389
   ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

  Last potentially related work creation:
   kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
   __kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
   kvfree_call_rcu+0x74/0xbe0 kernel/rcu/tree.c:3810
   subflow_ulp_release+0x2ae/0x350 net/mptcp/subflow.c:2009
   tcp_cleanup_ulp+0x7c/0x130 net/ipv4/tcp_ulp.c:124
   tcp_v4_destroy_sock+0x1c5/0x6a0 net/ipv4/tcp_ipv4.c:2541
   inet_csk_destroy_sock+0x1a3/0x440 net/ipv4/inet_connection_sock.c:1293
   tcp_done+0x252/0x350 net/ipv4/tcp.c:4870
   tcp_rcv_state_process+0x379b/0x4f30 net/ipv4/tcp_input.c:6933
   tcp_v4_do_rcv+0x1ad/0xa90 net/ipv4/tcp_ipv4.c:1938
   sk_backlog_rcv include/net/sock.h:1115 [inline]
   __release_sock+0x31b/0x400 net/core/sock.c:3072
   __tcp_close+0x4f3/0xff0 net/ipv4/tcp.c:3142
   __mptcp_close_ssk+0x331/0x14d0 net/mptcp/protocol.c:2489
   mptcp_close_ssk net/mptcp/protocol.c:2543 [inline]
   mptcp_close_ssk+0x150/0x220 net/mptcp/protocol.c:2526
   mptcp_pm_nl_rm_addr_or_subflow+0x2be/0xcc0 net/mptcp/pm_netlink.c:878
   mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline]
   mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572
   mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603
   genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115
   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
   genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210
   netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551
   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
   netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
   netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357
   netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901
   sock_sendmsg_nosec net/socket.c:729 [inline]
   __sock_sendmsg net/socket.c:744 [inline]
   ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607
   ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661
   __sys_sendmsg+0x117/0x1f0 net/socket.c:2690
   do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
   __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386
   do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
   entry_SYSENTER_compat_after_hwframe+0x84/0x8e

  The buggy address belongs to the object at ffff8880569ac800
   which belongs to the cache kmalloc-512 of size 512
  The buggy address is located 88 bytes inside of
   freed 512-byte region [ffff8880569ac800, ffff8880569aca00)

  The buggy address belongs to the physical page:
  page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x569ac
  head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
  flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
  page_type: f5(slab)
  raw: 04fff00000000040 ffff88801ac42c80 dead000000000100 dead000000000122
  raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
  head: 04fff00000000040 ffff88801ac42c80 dead000000000100 dead000000000122
  head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
  head: 04fff00000000002 ffffea00015a6b01 ffffffffffffffff 0000000000000000
  head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
  page dumped because: kasan: bad access detected
  page_owner tracks the page as allocated
  page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 10238, tgid 10238 (kworker/u32:6), ts 597403252405, free_ts 597177952947
   set_page_owner include/linux/page_owner.h:32 [inline]
   post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537
   prep_new_page mm/page_alloc.c:1545 [inline]
   get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457
   __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733
   alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
   alloc_slab_page mm/slub.c:2412 [inline]
   allocate_slab mm/slub.c:2578 [inline]
   new_slab+0x2ba/0x3f0 mm/slub.c:2631
   ___slab_alloc+0xd1d/0x16f0 mm/slub.c:3818
   __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
   __slab_alloc_node mm/slub.c:3961 [inline]
   slab_alloc_node mm/slub.c:4122 [inline]
   __kmalloc_cache_noprof+0x2c5/0x310 mm/slub.c:4290
   kmalloc_noprof include/linux/slab.h:878 [inline]
   kzalloc_noprof include/linux/slab.h:1014 [inline]
   mld_add_delrec net/ipv6/mcast.c:743 [inline]
   igmp6_leave_group net/ipv6/mcast.c:2625 [inline]
   igmp6_group_dropped+0x4ab/0xe40 net/ipv6/mcast.c:723
   __ipv6_dev_mc_dec+0x281/0x360 net/ipv6/mcast.c:979
   addrconf_leave_solict net/ipv6/addrconf.c:2253 [inline]
   __ipv6_ifa_notify+0x3f6/0xc30 net/ipv6/addrconf.c:6283
   addrconf_ifdown.isra.0+0xef9/0x1a20 net/ipv6/addrconf.c:3982
   addrconf_notify+0x220/0x19c0 net/ipv6/addrconf.c:3781
   notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
   call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1996
   call_netdevice_notifiers_extack net/core/dev.c:2034 [inline]
   call_netdevice_notifiers net/core/dev.c:2048 [inline]
   dev_close_many+0x333/0x6a0 net/core/dev.c:1589
  page last free pid 13136 tgid 13136 stack trace:
   reset_page_owner include/linux/page_owner.h:25 [inline]
   free_pages_prepare mm/page_alloc.c:1108 [inline]
   free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638
   stack_depot_save_flags+0x2da/0x900 lib/stackdepot.c:666
   kasan_save_stack+0x42/0x60 mm/kasan/common.c:48
   kasan_save_track+0x14/0x30 mm/kasan/common.c:68
   unpoison_slab_object mm/kasan/common.c:319 [inline]
   __kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:345
   kasan_slab_alloc include/linux/kasan.h:247 [inline]
   slab_post_alloc_hook mm/slub.c:4085 [inline]
   slab_alloc_node mm/slub.c:4134 [inline]
   kmem_cache_alloc_noprof+0x121/0x2f0 mm/slub.c:4141
   skb_clone+0x190/0x3f0 net/core/skbuff.c:2084
   do_one_broadcast net/netlink/af_netlink.c:1462 [inline]
   netlink_broadcast_filtered+0xb11/0xef0 net/netlink/af_netlink.c:1540
   netlink_broadcast+0x39/0x50 net/netlink/af_netlink.c:1564
   uevent_net_broadcast_untagged lib/kobject_uevent.c:331 [inline]
   kobject_uevent_net_broadcast lib/kobject_uevent.c:410 [inline]
   kobject_uevent_env+0xacd/0x1670 lib/kobject_uevent.c:608
   device_del+0x623/0x9f0 drivers/base/core.c:3882
   snd_card_disconnect.part.0+0x58a/0x7c0 sound/core/init.c:546
   snd_card_disconnect+0x1f/0x30 sound/core/init.c:495
   snd_usx2y_disconnect+0xe9/0x1f0 sound/usb/usx2y/usbusx2y.c:417
   usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
   device_remove drivers/base/dd.c:569 [inline]
   device_remove+0x122/0x170 drivers/base/dd.c:561

That's because 'subflow' is used just after 'mptcp_close_ssk(subflow)',
which will initiate the release of its memory. Even if it is very likely
the release and the re-utilisation will be done later on, it is of
course better to avoid any issues and read the content of 'subflow'
before closing it.

Fixes: 1c1f72137598 ("mptcp: pm: only decrement add_addr_accepted for MPJ req")
Cc: stable@vger.kernel.org
Reported-by: syzbot+3c8b7a8e7df6a2a226ca@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/670d7337.050a0220.4cbc0.004f.GAE@google.com
Signed-off-by: Matthieu Baerts (NGI0)
Acked-by: Paolo Abeni
Link: https://patch.msgid.link/20241015-net-mptcp-uaf-pm-rm-v1-1-c4ee5d987a64@kernel.org
Signed-off-by: Paolo Abeni
[ Conflicts in pm_netlink.c, because commit a88c9e496937 ("mptcp: do not
  block subflows creation on errors") is linked to a new feature, not
  available in this version. This commit modifies the context. Resolving
  the conflicts is easy, simply moving the lines the same way it was
  done in the original patch, ignoring the comment that is not in this
  version. ]
Signed-off-by: Matthieu Baerts (NGI0)
---
 net/mptcp/pm_netlink.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c
index e524171291bc..133c5f2b3ba6 100644
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -793,10 +793,10 @@ static void mptcp_pm_nl_rm_addr_or_subflow(struct mpt= cp_sock *msk, i, rm_list->ids[i], subflow->local_id, subflow->remote_id); spin_unlock_bh(&msk->pm.lock); mptcp_subflow_shutdown(sk, ssk, how); + removed |=3D subflow->request_join; mptcp_close_ssk(sk, ssk, subflow); spin_lock_bh(&msk->pm.lock); =20 - removed |=3D subflow->request_join; msk->pm.subflows--; if (rm_type =3D=3D MPTCP_MIB_RMSUBFLOW) __MPTCP_INC_STATS(sock_net(sk), rm_type); 
-- 
2.45.2
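Review bot: moving `removed |= subflow->request_join;` above `mptcp_close_ssk(sk, ssk, subflow);` removes the stale read, but nothing in the hunk tells the next person touching this function that `subflow` is dead after that call; a short comment on the close line ("subflow may be freed from here on, read everything needed before") is cheap insurance, especially since the splat shows the context is released through kvfree_call_rcu() from subflow_ulp_release(), so the read only fails under KASAN or memory pressure and a regression would go unnoticed in normal testing. The read also moves from inside msk->pm.lock to the unlocked window between spin_unlock_bh() and spin_lock_bh(); request_join is a per-subflow field rather than PM state, so that is fine, but the commit message could say so explicitly.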
From: "Matthieu Baerts (NGI0)"
To: mptcp@lists.linux.dev, stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: Paolo Abeni, sashal@kernel.org, syzbot+f4aacdfef2c6a6529c3e@syzkaller.appspotmail.com, Cong Wang, Matthieu Baerts, Mat Martineau, Jakub Kicinski
Subject: [PATCH 5.15.y 6/6] mptcp: prevent MPC handshake on port-based signal endpoints
Date: Sat, 19 Oct 2024 11:30:52 +0200
Message-ID: <20241019093045.3181989-14-matttbe@kernel.org>
In-Reply-To: <20241019093045.3181989-8-matttbe@kernel.org>
References: <20241019093045.3181989-8-matttbe@kernel.org>
From: Paolo Abeni

commit 3d041393ea8c815f773020fb4a995331a69c0139 upstream.

Syzkaller reported a lockdep splat:

  ============================================
  WARNING: possible recursive locking detected
  6.11.0-rc6-syzkaller-00019-g67784a74e258 #0 Not tainted
  --------------------------------------------
  syz-executor364/5113 is trying to acquire lock:
  ffff8880449f1958 (k-slock-AF_INET){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
  ffff8880449f1958 (k-slock-AF_INET){+.-.}-{2:2}, at: sk_clone_lock+0x2cd/0xf40 net/core/sock.c:2328

  but task is already holding lock:
  ffff88803fe3cb58 (k-slock-AF_INET){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
  ffff88803fe3cb58 (k-slock-AF_INET){+.-.}-{2:2}, at: sk_clone_lock+0x2cd/0xf40 net/core/sock.c:2328

  other info that might help us debug this:
   Possible unsafe locking scenario:

         CPU0
         ----
    lock(k-slock-AF_INET);
    lock(k-slock-AF_INET);

   *** DEADLOCK ***

   May be due to missing lock nesting notation

  7 locks held by syz-executor364/5113:
   #0: ffff8880449f0e18 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1607 [inline]
   #0: ffff8880449f0e18 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x153/0x1b10 net/mptcp/protocol.c:1806
   #1: ffff88803fe39ad8 (k-sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1607 [inline]
   #1: ffff88803fe39ad8 (k-sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg_fastopen+0x11f/0x530 net/mptcp/protocol.c:1727
   #2: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:326 [inline]
   #2: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
   #2: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: __ip_queue_xmit+0x5f/0x1b80 net/ipv4/ip_output.c:470
   #3: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:326 [inline]
   #3: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
   #3: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x45f/0x1390 net/ipv4/ip_output.c:228
   #4: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
   #4: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: process_backlog+0x33b/0x15b0 net/core/dev.c:6104
   #5: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:326 [inline]
   #5: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
   #5: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: ip_local_deliver_finish+0x230/0x5f0 net/ipv4/ip_input.c:232
   #6: ffff88803fe3cb58 (k-slock-AF_INET){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
   #6: ffff88803fe3cb58 (k-slock-AF_INET){+.-.}-{2:2}, at: sk_clone_lock+0x2cd/0xf40 net/core/sock.c:2328

  stack backtrace:
  CPU: 0 UID: 0 PID: 5113 Comm: syz-executor364 Not tainted 6.11.0-rc6-syzkaller-00019-g67784a74e258 #0
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
  Call Trace:
   __dump_stack lib/dump_stack.c:93 [inline]
   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
   check_deadlock kernel/locking/lockdep.c:3061 [inline]
   validate_chain+0x15d3/0x5900 kernel/locking/lockdep.c:3855
   __lock_acquire+0x137a/0x2040 kernel/locking/lockdep.c:5142
   lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
   __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
   _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
   spin_lock include/linux/spinlock.h:351 [inline]
   sk_clone_lock+0x2cd/0xf40 net/core/sock.c:2328
   mptcp_sk_clone_init+0x32/0x13c0 net/mptcp/protocol.c:3279
   subflow_syn_recv_sock+0x931/0x1920 net/mptcp/subflow.c:874
   tcp_check_req+0xfe4/0x1a20 net/ipv4/tcp_minisocks.c:853
   tcp_v4_rcv+0x1c3e/0x37f0 net/ipv4/tcp_ipv4.c:2267
   ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205
   ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233
   NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
   NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
   __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
   __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5775
   process_backlog+0x662/0x15b0 net/core/dev.c:6108
   __napi_poll+0xcb/0x490 net/core/dev.c:6772
   napi_poll net/core/dev.c:6841 [inline]
   net_rx_action+0x89b/0x1240 net/core/dev.c:6963
   handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
   do_softirq+0x11b/0x1e0 kernel/softirq.c:455
   __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
   local_bh_enable include/linux/bottom_half.h:33 [inline]
   rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]
   __dev_queue_xmit+0x1763/0x3e90 net/core/dev.c:4450
   dev_queue_xmit include/linux/netdevice.h:3105 [inline]
   neigh_hh_output include/net/neighbour.h:526 [inline]
   neigh_output include/net/neighbour.h:540 [inline]
   ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:235
   ip_local_out net/ipv4/ip_output.c:129 [inline]
   __ip_queue_xmit+0x118c/0x1b80 net/ipv4/ip_output.c:535
   __tcp_transmit_skb+0x2544/0x3b30 net/ipv4/tcp_output.c:1466
   tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:6542 [inline]
   tcp_rcv_state_process+0x2c32/0x4570 net/ipv4/tcp_input.c:6729
   tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1934
   sk_backlog_rcv include/net/sock.h:1111 [inline]
   __release_sock+0x214/0x350 net/core/sock.c:3004
   release_sock+0x61/0x1f0 net/core/sock.c:3558
   mptcp_sendmsg_fastopen+0x1ad/0x530 net/mptcp/protocol.c:1733
   mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1812
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg+0x1a6/0x270 net/socket.c:745
   ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
   ___sys_sendmsg net/socket.c:2651 [inline]
   __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737
   __do_sys_sendmmsg net/socket.c:2766 [inline]
   __se_sys_sendmmsg net/socket.c:2763 [inline]
   __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
  RIP: 0033:0x7f04fb13a6b9
  Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
  RSP: 002b:00007ffd651f42d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
  RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f04fb13a6b9
  RDX: 0000000000000001 RSI: 0000000020000d00 RDI: 0000000000000004
  RBP: 00007ffd651f4310 R08: 0000000000000001 R09: 0000000000000001
  R10: 0000000020000080 R11: 0000000000000246 R12: 00000000000f4240
  R13: 00007f04fb187449 R14: 00007ffd651f42f4 R15: 00007ffd651f4300

As noted by Cong Wang, the splat is a false positive, but the code path
leading to the report is an unexpected one: a client is attempting an
MPC handshake towards the in-kernel listener created by the in-kernel
PM for a port based signal endpoint.

Such a connection will never be accepted; many of them can make the
listener queue full and prevent the creation of MPJ subflows via
such a listener - its intended role.

Explicitly detect this scenario at initial-syn time and drop the
incoming MPC request.

Fixes: 1729cf186d8a ("mptcp: create the listening socket for new port")
Cc: stable@vger.kernel.org
Reported-by: syzbot+f4aacdfef2c6a6529c3e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f4aacdfef2c6a6529c3e
Cc: Cong Wang
Signed-off-by: Paolo Abeni
Reviewed-by: Matthieu Baerts (NGI0)
Reviewed-by: Mat Martineau
Signed-off-by: Matthieu Baerts (NGI0)
Link: https://patch.msgid.link/20241014-net-mptcp-mpc-port-endp-v2-1-7faea8e6b6ae@kernel.org
Signed-off-by: Jakub Kicinski
[ Conflicts in mib.[ch], because commit 6982826fe5e5 ("mptcp: fallback
  to TCP after SYN+MPC drops"), and commit 27069e7cb3d1 ("mptcp:
  disable active MPTCP in case of blackhole") are linked to new
  features, not available in this version. Resolving the conflicts is
  easy, simply adding the new lines declaring the new "endpoint
  attempt" MIB entry.
  Also a conflict in protocol.h, because commit fce68b03086f ("mptcp:
  add scheduled in mptcp_subflow_context") is not in this version, and
  changes the context by introducing 'scheduled' variable just before.
  Also a conflict in pm_netlink.c, because commit 3aa362494170 ("mptcp:
  avoid ssock usage in mptcp_pm_nl_create_listen_socket()") is not in
  this version, and refactor the function: that's fine, we can still
  set pm_listener before doing the 'listen()', taking 'ssock->sk' as
  'ssk' is not defined before this refactoring. There is also a
  conflict because the context has been changed later in commit
  69925a346acb ("mptcp: ensure listener is unhashed before updating the
  sk status"). ]
Signed-off-by: Matthieu Baerts (NGI0)
---
 net/mptcp/mib.c        | 1 +
 net/mptcp/mib.h        | 1 +
 net/mptcp/pm_netlink.c | 1 +
 net/mptcp/protocol.h   | 1 +
 net/mptcp/subflow.c    | 11 +++++++++++
 5 files changed, 15 insertions(+)

diff --git a/net/mptcp/mib.c b/net/mptcp/mib.c
index 08f82e1ca2f7..3e773259fa83 100644
--- a/net/mptcp/mib.c
+++ b/net/mptcp/mib.c
@@ -15,6 +15,7 @@ static const struct snmp_mib mptcp_snmp_list[] =3D { SNMP_MIB_ITEM("MPCapableACKRX", MPTCP_MIB_MPCAPABLEPASSIVEACK), SNMP_MIB_ITEM("MPCapableFallbackACK", MPTCP_MIB_MPCAPABLEPASSIVEFALLBACK), SNMP_MIB_ITEM("MPCapableFallbackSYNACK", MPTCP_MIB_MPCAPABLEACTIVEFALLBAC= K), + SNMP_MIB_ITEM("MPCapableEndpAttempt", MPTCP_MIB_MPCAPABLEENDPATTEMPT), SNMP_MIB_ITEM("MPFallbackTokenInit", MPTCP_MIB_TOKENFALLBACKINIT), SNMP_MIB_ITEM("MPTCPRetrans", MPTCP_MIB_RETRANSSEGS), SNMP_MIB_ITEM("MPJoinNoTokenFound", MPTCP_MIB_JOINNOTOKEN),
diff --git a/net/mptcp/mib.h b/net/mptcp/mib.h index 1b7f6d24904b..0690db18fc95 100644 --- a/net/mptcp/mib.h +++ b/net/mptcp/mib.h @@ -8,6 +8,7 @@ enum linux_mptcp_mib_field { MPTCP_MIB_MPCAPABLEPASSIVEACK, /* Received third ACK with MP_CAPABLE */ MPTCP_MIB_MPCAPABLEPASSIVEFALLBACK,/* Server-side fallback during 3-way h= andshake */ MPTCP_MIB_MPCAPABLEACTIVEFALLBACK, /* Client-side fallback during 3-way h= andshake */ + MPTCP_MIB_MPCAPABLEENDPATTEMPT, /* Prohibited MPC to port-based endp */ MPTCP_MIB_TOKENFALLBACKINIT, /* Could not init/allocate token */ MPTCP_MIB_RETRANSSEGS, /* Segments retransmitted at the MPTCP-level */ MPTCP_MIB_JOINNOTOKEN, /* Received MP_JOIN but the token was not found */ diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index 133c5f2b3ba6..a7a46d99d5a3 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -991,6 +991,7 @@ static int mptcp_pm_nl_create_listen_socket(struct sock= *sk, goto out; } =20 + WRITE_ONCE(mptcp_subflow_ctx(ssock->sk)->pm_listener, true); err =3D kernel_listen(ssock, backlog); if (err) { pr_warn("kernel_listen error, err=3D%d", err); diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h index 5d458c3161cd..8f5e5a66babf 100644 --- a/net/mptcp/protocol.h +++ b/net/mptcp/protocol.h @@ -446,6 +446,7 @@ struct mptcp_subflow_context { close_event_done : 1, /* has done the post-closed part */ __unused : 11; enum mptcp_data_avail data_avail; + bool pm_listener; /* a listener managed by the kernel PM? */ u32 remote_nonce; u64 thmac; u32 local_nonce; diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index feb146a62f97..d8b33e10750b 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c 
@@ -129,6 +129,13 @@ static void subflow_add_reset_reason(struct sk_buff *s= kb, u8 reason) } } =20 +static int subflow_reset_req_endp(struct request_sock *req, struct sk_buff= *skb) +{ + SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_MPCAPABLEENDPATTEMPT); + subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT); + return -EPERM; +} + /* Init mptcp request socket. * * Returns an error code if a JOIN has failed and a TCP reset @@ -160,6 +167,8 @@ static int subflow_check_req(struct request_sock *req, if (opt_mp_capable) { SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_MPCAPABLEPASSIVE); =20 + if (unlikely(listener->pm_listener)) + return subflow_reset_req_endp(req, skb); if (opt_mp_join) return 0; } else if (opt_mp_join) { @@ -167,6 +176,8 @@ static int subflow_check_req(struct request_sock *req, =20 if (mp_opt.backup) SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINSYNBACKUPRX); + } else if (unlikely(listener->pm_listener)) { + return subflow_reset_req_endp(req, skb); } =20 if (opt_mp_capable && listener->request_mptcp) { --=20 2.45.2
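Review bot: the mib.h comment on the new counter, "Prohibited MPC to port-based endp", understates what it counts: the third subflow.c hunk (`} else if (unlikely(listener->pm_listener)) { return subflow_reset_req_endp(req, skb); }`) also bumps MPTCP_MIB_MPCAPABLEENDPATTEMPT for SYNs carrying neither MP_CAPABLE nor MP_JOIN, i.e. plain TCP connection attempts to the kernel-PM listener. Either widen the comment (and ideally the user-visible "MPCapableEndpAttempt" name in mib.c) to say "any non-MP_JOIN SYN to a kernel-PM listener", or count the plain-TCP case under a separate entry, so that someone reading /proc/net/netstat while debugging flooded PM listeners can tell the two cases apart.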
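Review bot: the pm_netlink.c hunk publishes the flag with WRITE_ONCE(), but both readers added in subflow_check_req() use a plain load (`listener->pm_listener`); either pair them with READ_ONCE() for consistency, or, since the write happens before kernel_listen() and so before any request socket can reach subflow_check_req() through this listener, drop the WRITE_ONCE() and add a one-line comment saying the ordering relative to listen() is what makes plain accesses safe. Functionally either works; as written the two sides read as if they disagree on whether the field is accessed concurrently.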
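Review bot: the function comment in the first subflow.c hunk's trailing context ("Returns an error code if a JOIN has failed and a TCP reset ...") no longer describes all the reset cases, since subflow_check_req() now also returns -EPERM, with MPTCP_RST_EPROHIBIT queued via subflow_add_reset_reason(), for MP_CAPABLE and plain SYNs hitting a kernel-PM listener. Extend that comment, and consider a short comment on subflow_reset_req_endp() itself stating why EPROHIBIT is the chosen reason code (the listener exists only to accept MP_JOIN for a port-based signal endpoint), so the next reader does not have to reconstruct it from the commit message.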
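Review bot: in the second subflow.c hunk the new `if (unlikely(listener->pm_listener)) return subflow_reset_req_endp(req, skb);` sits before the existing `if (opt_mp_join) return 0;`, so a SYN carrying both MP_CAPABLE and MP_JOIN is now reset with MPTCP_RST_EPROHIBIT on a PM listener where it used to be silently handled as plain TCP. If that tightening is intended (a malformed SYN has no business on this listener either), say so in the commit message; otherwise move the check after the opt_mp_join early return so only the MP_CAPABLE-only case is rejected.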
