From: Shardul Bankar
To: mptcp@lists.linux.dev
Cc: matttbe@kernel.org, martineau@kernel.org, geliang@kernel.org, pabeni@redhat.com, janak@mpiric.us, kalpan.jani@mpiricsoftware.com, shardulsb08@gmail.com, Shardul Bankar, stable@vger.kernel.org
Subject: [PATCH mptcp-net] mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
Date: Tue, 28 Apr 2026 05:19:34 +0530
Message-Id: <20260427234934.1611893-1-shardul.b@mpiricsoftware.com>

When HMAC validation fails on a received ACK + MP_JOIN in subflow_syn_recv_sock(), the subflow is reset with reason MPTCP_RST_EPROHIBIT ("Administratively prohibited"). This is incorrect: HMAC validation failure is an MPTCP protocol-level error, not an administrative policy denial.

The mirror site on the client, in subflow_finish_connect(), already uses MPTCP_RST_EMPTCP ("MPTCP-specific error") for the same kind of HMAC failure on the SYN/ACK + MP_JOIN. Use the same reason on the server side for symmetry and accuracy.

Suggested-by: Matthieu Baerts (NGI0)
Fixes: 443041deb5ef ("mptcp: fix NULL pointer in can_accept_new_subflow")
Cc: stable@vger.kernel.org
Signed-off-by: Shardul Bankar
Reviewed-by: Matthieu Baerts (NGI0)
--- net/mptcp/subflow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index e2cb9d23e4a0..afb174ed9c47 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -908,7 +908,7 @@ static struct sock *subflow_syn_recv_sock(const struct = sock *sk, =20 if (!subflow_hmac_valid(subflow_req, &mp_opt)) { SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC); - subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT); + subflow_add_reset_reason(skb, MPTCP_RST_EMPTCP); goto dispose_child; } =20 --=20 2.34.1
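
Review bot: On the changed `subflow_add_reset_reason()` line in the `!subflow_hmac_valid()` branch, the commit message does not say how the commit named in Fixes: (443041deb5ef, "mptcp: fix NULL pointer in can_accept_new_subflow") relates to the MPTCP_RST_EPROHIBIT value being replaced, which is what a stable maintainer needs to judge the backport range. Please add a sentence stating that link. It would also help to say explicitly that the MPTCP_MIB_JOINACKMAC increment on the preceding line is untouched, so only the reset reason changes on this failure path, and to confirm that no selftest or tooling expects the old reason for an ACK + MP_JOIN HMAC failure. The symmetry argument refers to subflow_finish_connect(), which is outside this hunk, so quoting the matching line from that function in the commit message would make the change reviewable from the patch alone.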