1. Patchew
  2. MPTCP
  3. View series

[PATCH mptcp-net] tcp: check mptcp-level constraints for backlog calescing

Paolo Abeni posted 1 patch 2 years, 4 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/multipath-tcp/mptcp_net-next tags/patchew/b41dd0ae28701666ba2c59170acedaafdb41726c.1696439853.git.pabeni@redhat.com
Maintainers: Eric Dumazet <edumazet@google.com>, "David S. Miller" <davem@davemloft.net>, David Ahern <dsahern@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Matthieu Baerts <matttbe@kernel.org>, Peter Krystad <peter.krystad@linux.intel.com>, Christoph Paasch <cpaasch@apple.com>, Florian Westphal <fw@strlen.de>
net/ipv4/tcp_ipv4.c | 1 +
1 file changed, 1 insertion(+)
[PATCH mptcp-net] tcp: check mptcp-level constraints for backlog calescing
Posted by Paolo Abeni 2 years, 4 months ago 
The MPTCP protocol can acquire the subflow-level socket lock, and
cause the tcp backlog usage. When inserting new skb into the
backlog, the stack will try to coalesce them.

Currently we have no check in place to ensure that such coalescing
will respect the MPTCP-level DSS, and that may cause data stream
corruption as reported by Christoph.

Address the issue adding the relevant admission check for coalescing
in tcp_add_backlog().

Note the issue is not easy to reproduce, as the MPTCP protocol tries
hard to avoid acquiring the subflow-level socket lock.

Fixes: 648ef4b88673 ("mptcp: Implement MPTCP receive path")
Reported-by: Christoph Paasch <cpaasch@apple.com>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/420
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
 net/ipv4/tcp_ipv4.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index f13eb7e23d03..52b6a0b22086 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1869,6 +1869,7 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb,
 #ifdef CONFIG_TLS_DEVICE
 	    tail->decrypted != skb->decrypted ||
 #endif
+	    mptcp_skb_can_collapse(tail, skb) ||
 	    thtail->doff != th->doff ||
 	    memcmp(thtail + 1, th + 1, hdrlen - sizeof(*th)))
 		goto no_coalesce;
-- 
2.41.0
Re: [PATCH mptcp-net] tcp: check mptcp-level constraints for backlog calescing
Posted by Mat Martineau 2 years, 4 months ago 
On Wed, 4 Oct 2023, Paolo Abeni wrote:

> The MPTCP protocol can acquire the subflow-level socket lock, and
> cause the tcp backlog usage. When inserting new skb into the
> backlog, the stack will try to coalesce them.
>
> Currently we have no check in place to ensure that such coalescing
> will respect the MPTCP-level DSS, and that may cause data stream
> corruption as reported by Christoph.
>
> Address the issue adding the relevant admission check for coalescing
> in tcp_add_backlog().
>
> Note the issue is not easy to reproduce, as the MPTCP protocol tries
> hard to avoid acquiring the subflow-level socket lock.
>
> Fixes: 648ef4b88673 ("mptcp: Implement MPTCP receive path")
> Reported-by: Christoph Paasch <cpaasch@apple.com>
> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/420
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> ---
> net/ipv4/tcp_ipv4.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index f13eb7e23d03..52b6a0b22086 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -1869,6 +1869,7 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb,
> #ifdef CONFIG_TLS_DEVICE
> 	    tail->decrypted != skb->decrypted ||
> #endif
> +	    mptcp_skb_can_collapse(tail, skb) ||

Hi Paolo -

Shouldn't this be !mptcp_skb_can_collapse()?

Also, the subject line needs the 'o' in "coalescing".

- Mat

> 	    thtail->doff != th->doff ||
> 	    memcmp(thtail + 1, th + 1, hdrlen - sizeof(*th)))
> 		goto no_coalesce;
> -- 
> 2.41.0
>
>
>
Re: [PATCH mptcp-net] tcp: check mptcp-level constraints for backlog calescing
Posted by Paolo Abeni 2 years, 3 months ago 
On Tue, 2023-10-10 at 18:00 -0700, Mat Martineau wrote:
> On Wed, 4 Oct 2023, Paolo Abeni wrote:
> 
> > The MPTCP protocol can acquire the subflow-level socket lock, and
> > cause the tcp backlog usage. When inserting new skb into the
> > backlog, the stack will try to coalesce them.
> > 
> > Currently we have no check in place to ensure that such coalescing
> > will respect the MPTCP-level DSS, and that may cause data stream
> > corruption as reported by Christoph.
> > 
> > Address the issue adding the relevant admission check for coalescing
> > in tcp_add_backlog().
> > 
> > Note the issue is not easy to reproduce, as the MPTCP protocol tries
> > hard to avoid acquiring the subflow-level socket lock.
> > 
> > Fixes: 648ef4b88673 ("mptcp: Implement MPTCP receive path")
> > Reported-by: Christoph Paasch <cpaasch@apple.com>
> > Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/420
> > Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> > ---
> > net/ipv4/tcp_ipv4.c | 1 +
> > 1 file changed, 1 insertion(+)
> > 
> > diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> > index f13eb7e23d03..52b6a0b22086 100644
> > --- a/net/ipv4/tcp_ipv4.c
> > +++ b/net/ipv4/tcp_ipv4.c
> > @@ -1869,6 +1869,7 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb,
> > #ifdef CONFIG_TLS_DEVICE
> > 	    tail->decrypted != skb->decrypted ||
> > #endif
> > +	    mptcp_skb_can_collapsen(tail, skb) ||
> 
> Hi Paolo -
> 
> Shouldn't this be !mptcp_skb_can_collapse()?
> 
> Also, the subject line needs the 'o' in "coalescing".

Indeed! thanks for checking!

I'll send a v2!

Cheers,

Paolo

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.