From: Dmitry Safonov To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri , Salam Noureddine , Simon Horman , netdev@vger.kernel.org, Markus Elfring , Jonathan Corbet , linux-doc@vger.kernel.org Subject: [PATCH v2 1/7] Documentation/tcp: Fix an obvious typo Date: Fri, 24 Nov 2023 00:27:14 +0000 Message-ID: <20231124002720.102537-2-dima@arista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231124002720.102537-1-dima@arista.com> References: <20231124002720.102537-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Yep, my VIM spellchecker is not good enough for typos like this one. Fixes: 7fe0e38bb669 ("Documentation/tcp: Add TCP-AO documentation") Cc: Jonathan Corbet Cc: linux-doc@vger.kernel.org Reported-by: Markus Elfring Closes: https://lore.kernel.org/all/2745ab4e-acac-40d4-83bf-37f2600d0c3d@we= b.de/ Signed-off-by: Dmitry Safonov --- Documentation/networking/tcp_ao.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Documentation/networking/tcp_ao.rst b/Documentation/networking= /tcp_ao.rst index cfa5bf1cc542..8a58321acce7 100644 --- a/Documentation/networking/tcp_ao.rst +++ b/Documentation/networking/tcp_ao.rst 
@@ -99,7 +99,7 @@ also [6.1]:: when it is no longer considered permitted. =20 Linux TCP-AO will try its best to prevent you from removing a key that's -being used, considering it a key management failure. But sine keeping +being used, considering it a key management failure. But since keeping an outdated key may become a security issue and as a peer may unintentionally prevent the removal of an old key by always setting it as RNextKeyID - a forced key removal mechanism is provided, where --=20 2.43.0
From: Dmitry Safonov To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri , Salam Noureddine , Simon Horman , netdev@vger.kernel.org Subject: [PATCH v2 2/7] net/tcp: Consistently align TCP-AO option in the header Date: Fri, 24 Nov 2023 00:27:15 +0000 Message-ID: <20231124002720.102537-3-dima@arista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231124002720.102537-1-dima@arista.com> References: <20231124002720.102537-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Currently functions that pre-calculate TCP header options length use unaligned TCP-AO header + MAC-length for skb reservation. And the functions that actually write TCP-AO options into skb do align the header. Nothing good can come out of this for ((maclen % 4) !=3D 0). Provide tcp_ao_len_aligned() helper and use it everywhere for TCP header options space calculations. Fixes: 1e03d32bea8e ("net/tcp: Add TCP-AO sign to outgoing packets") Signed-off-by: Dmitry Safonov --- include/net/tcp_ao.h | 6 ++++++ net/ipv4/tcp_ao.c | 4 ++-- net/ipv4/tcp_ipv4.c | 4 ++-- net/ipv4/tcp_minisocks.c | 2 +- net/ipv4/tcp_output.c | 6 +++--- net/ipv6/tcp_ipv6.c | 2 +- 6 files changed, 15 insertions(+), 9 deletions(-) diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index b56be10838f0..647781080613 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h 
@@ -62,11 +62,17 @@ static inline int tcp_ao_maclen(const struct tcp_ao_key= *key) return key->maclen; } =20 +/* Use tcp_ao_len_aligned() for TCP header calculations */ static inline int tcp_ao_len(const struct tcp_ao_key *key) { return tcp_ao_maclen(key) + sizeof(struct tcp_ao_hdr); } =20 +static inline int tcp_ao_len_aligned(const struct tcp_ao_key *key) +{ + return round_up(tcp_ao_len(key), 4); +} + static inline unsigned int tcp_ao_digest_size(struct tcp_ao_key *key) { return key->digest_size; diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 7696417d0640..c8be1d526eac 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -1100,7 +1100,7 @@ void tcp_ao_connect_init(struct sock *sk) ao_info->current_key =3D key; if (!ao_info->rnext_key) ao_info->rnext_key =3D key; - tp->tcp_header_len +=3D tcp_ao_len(key); + tp->tcp_header_len +=3D tcp_ao_len_aligned(key); =20 ao_info->lisn =3D htonl(tp->write_seq); ao_info->snd_sne =3D 0; @@ -1346,7 +1346,7 @@ static int tcp_ao_parse_crypto(struct tcp_ao_add *cmd= , struct tcp_ao_key *key) syn_tcp_option_space -=3D TCPOLEN_MSS_ALIGNED; syn_tcp_option_space -=3D TCPOLEN_TSTAMP_ALIGNED; syn_tcp_option_space -=3D TCPOLEN_WSCALE_ALIGNED; - if (tcp_ao_len(key) > syn_tcp_option_space) { + if (tcp_ao_len_aligned(key) > syn_tcp_option_space) { err =3D -EMSGSIZE; goto err_kfree; } diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 5f693bbd578d..0c50c5a32b84 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -690,7 +690,7 @@ static bool tcp_v4_ao_sign_reset(const struct sock *sk,= struct sk_buff *skb, =20 reply_options[0] =3D htonl((TCPOPT_AO << 24) | (tcp_ao_len(key) << 16) | (aoh->rnext_keyid << 8) | keyid); - arg->iov[0].iov_len +=3D round_up(tcp_ao_len(key), 4); + arg->iov[0].iov_len +=3D tcp_ao_len_aligned(key); reply->doff =3D arg->iov[0].iov_len / 4; =20 if (tcp_ao_hash_hdr(AF_INET, (char *)&reply_options[1], 
@@ -978,7 +978,7 @@ static void tcp_v4_send_ack(const struct sock *sk, (tcp_ao_len(key->ao_key) << 16) | (key->ao_key->sndid << 8) | key->rcv_next); - arg.iov[0].iov_len +=3D round_up(tcp_ao_len(key->ao_key), 4); + arg.iov[0].iov_len +=3D tcp_ao_len_aligned(key->ao_key); rep.th.doff =3D arg.iov[0].iov_len / 4; =20 tcp_ao_hash_hdr(AF_INET, (char *)&rep.opt[offset], diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c index a9807eeb311c..9e85f2a0bddd 100644 --- a/net/ipv4/tcp_minisocks.c +++ b/net/ipv4/tcp_minisocks.c @@ -615,7 +615,7 @@ struct sock *tcp_create_openreq_child(const struct sock= *sk, ao_key =3D treq->af_specific->ao_lookup(sk, req, tcp_rsk(req)->ao_keyid, -1); if (ao_key) - newtp->tcp_header_len +=3D tcp_ao_len(ao_key); + newtp->tcp_header_len +=3D tcp_ao_len_aligned(ao_key); #endif if (skb->len >=3D TCP_MSS_DEFAULT + newtp->tcp_header_len) newicsk->icsk_ack.last_seg_size =3D skb->len - newtp->tcp_header_len; diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index eb13a55d660c..93eef1dbbc55 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -825,7 +825,7 @@ static unsigned int tcp_syn_options(struct sock *sk, st= ruct sk_buff *skb, timestamps =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_timestamps); if (tcp_key_is_ao(key)) { opts->options |=3D OPTION_AO; - remaining -=3D tcp_ao_len(key->ao_key); + remaining -=3D tcp_ao_len_aligned(key->ao_key); } } =20 @@ -915,7 +915,7 @@ static unsigned int tcp_synack_options(const struct soc= k *sk, ireq->tstamp_ok &=3D !ireq->sack_ok; } else if (tcp_key_is_ao(key)) { opts->options |=3D OPTION_AO; - remaining -=3D tcp_ao_len(key->ao_key); + remaining -=3D tcp_ao_len_aligned(key->ao_key); ireq->tstamp_ok &=3D !ireq->sack_ok; } =20 
@@ -982,7 +982,7 @@ static unsigned int tcp_established_options(struct sock= *sk, struct sk_buff *skb size +=3D TCPOLEN_MD5SIG_ALIGNED; } else if (tcp_key_is_ao(key)) { opts->options |=3D OPTION_AO; - size +=3D tcp_ao_len(key->ao_key); + size +=3D tcp_ao_len_aligned(key->ao_key); } =20 if (likely(tp->rx_opt.tstamp_ok)) { diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 937a02c2e534..8c6623496dd7 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
@@ -881,7 +881,7 @@ static void tcp_v6_send_response(const struct sock *sk,= struct sk_buff *skb, u32 if (tcp_key_is_md5(key)) tot_len +=3D TCPOLEN_MD5SIG_ALIGNED; if (tcp_key_is_ao(key)) - tot_len +=3D tcp_ao_len(key->ao_key); + tot_len +=3D tcp_ao_len_aligned(key->ao_key); =20 #ifdef CONFIG_MPTCP if (rst && !tcp_key_is_md5(key)) { --=20 2.43.0
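Review bot: the include/net/tcp_ao.h hunk should document how the two helpers divide the work, because tcp_ao_len() is still the value written into the option's length byte (see `(tcp_ao_len(key) << 16)` in the tcp_ipv4.c hunks) while tcp_ao_len_aligned() is what consumes option space; a one-line comment on tcp_ao_len_aligned() such as `/* Option space consumed, padded to a 4-byte boundary */` would stop the next caller from picking the wrong one. The helper also relies on round_up() being visible in tcp_ao.h; worth confirming the header includes the kernel math helpers itself rather than through an include chain.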
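Review bot: in the tcp_v4_ao_sign_reset() and tcp_v4_send_ack() hunks iov_len now grows by tcp_ao_len_aligned(key) while the length byte in reply_options stays tcp_ao_len(key), which is correct for the option encoding, but for (maclen % 4) != 0 that leaves up to three bytes between the end of the MAC and doff * 4 that nothing in these hunks initialises; please confirm that the tcp_ao_hash_hdr() call below, or the caller's buffer setup, zero-fills or NOP-pads them, or say in the commit message where that happens, since otherwise whatever was in the buffer goes on the wire. The same question applies to tcp_v6_send_response(), where only tot_len changes.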
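Review bot: the tcp_ao_connect_init() and tcp_create_openreq_child() hunks change tcp_header_len, which feeds segment-size accounting (the visible `skb->len >= TCP_MSS_DEFAULT + newtp->tcp_header_len` line), so for a MAC length that is not a multiple of 4 the usable MSS shrinks by the padding as well; that is the intended effect, but the commit message only talks about skb reservation and should state that established-socket header accounting changes too. The tcp_ao_parse_crypto() hunk also means a key whose aligned option length no longer fits the SYN option space is now rejected with -EMSGSIZE where it was previously accepted, which deserves a sentence since it is a visible uAPI change.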
From: Dmitry Safonov To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri , Salam Noureddine , Simon Horman , netdev@vger.kernel.org Subject: [PATCH v2 3/7] net/tcp: Limit TCP_AO_REPAIR to non-listen sockets Date: Fri, 24 Nov 2023 00:27:16 +0000 Message-ID: <20231124002720.102537-4-dima@arista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231124002720.102537-1-dima@arista.com> References: <20231124002720.102537-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Listen socket is not an established TCP connection, so setsockopt(TCP_AO_REPAIR) doesn't have any impact. Restrict this uAPI for listen sockets. Fixes: faadfaba5e01 ("net/tcp: Add TCP_AO_REPAIR") Signed-off-by: Dmitry Safonov --- net/ipv4/tcp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 53bcc17c91e4..b1fe4eb01829 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3594,6 +3594,10 @@ int do_tcp_setsockopt(struct sock *sk, int level, in= t optname, break; =20 case TCP_AO_REPAIR: + if (!tcp_can_repair_sock(sk)) { + err =3D -EPERM; + break; + } err =3D tcp_ao_set_repair(sk, optval, optlen); break; #ifdef CONFIG_TCP_AO 
@@ -4293,6 +4297,8 @@ int do_tcp_getsockopt(struct sock *sk, int level, } #endif case TCP_AO_REPAIR: + if (!tcp_can_repair_sock(sk)) + return -EPERM; return tcp_ao_get_repair(sk, optval, optlen); case TCP_AO_GET_KEYS: case TCP_AO_INFO: { --=20 2.43.0
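Review bot: tcp_can_repair_sock() is not part of this diff, so a reader cannot see what it checks; if it is the same predicate that already guards TCP_REPAIR (which requires CAP_NET_ADMIN in addition to the socket not being a listener), then the do_tcp_setsockopt() hunk also makes TCP_AO_REPAIR a privileged operation, and the commit message, which only says "Restrict this uAPI for listen sockets", should say so explicitly. Returning -EPERM for the state part is also debatable: -EINVAL is what the other state checks in tcp_ao.c return, and -EPERM fits only the capability part of the predicate.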
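Review bot: the do_tcp_getsockopt() hunk mirrors the setsockopt one, which keeps the two paths consistent, but tcp_ao_get_repair() previously had no gate at all, so a tool that read TCP_AO_REPAIR back on a listener now gets -EPERM; that is a visible behaviour change on the read side and belongs in the commit message alongside the write-side restriction.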
From: Dmitry Safonov To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri , Salam Noureddine , Simon Horman , netdev@vger.kernel.org Subject: [PATCH v2 4/7] net/tcp: Allow removing current/rnext TCP-AO keys on TCP_LISTEN sockets Date: Fri, 24 Nov 2023 00:27:17 +0000 Message-ID: <20231124002720.102537-5-dima@arista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231124002720.102537-1-dima@arista.com> References: <20231124002720.102537-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" TCP_LISTEN sockets are not connected to any peer, so having current_key/rnext_key doesn't make sense. The userspace may falter over this issue by setting current or rnext TCP-AO key before listen() syscall. setsockopt(TCP_AO_DEL_KEY) doesn't allow removing a key that is in use (in accordance to RFC 5925), so it might be inconvenient to have keys that can be destroyed only with listener socket. Fixes: 4954f17ddefc ("net/tcp: Introduce TCP_AO setsockopt()s") Signed-off-by: Dmitry Safonov --- net/ipv4/tcp_ao.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index c8be1d526eac..bf41be6d4721 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c 
@@ -1818,8 +1818,16 @@ static int tcp_ao_del_cmd(struct sock *sk, unsigned = short int family, if (!new_rnext) return -ENOENT; } - if (cmd.del_async && sk->sk_state !=3D TCP_LISTEN) - return -EINVAL; + if (sk->sk_state =3D=3D TCP_LISTEN) { + /* Cleaning up possible "stale" current/rnext keys state, + * that may have preserved from TCP_CLOSE, before sys_listen() + */ + ao_info->current_key =3D NULL; + ao_info->rnext_key =3D NULL; + } else { + if (cmd.del_async) + return -EINVAL; + } =20 if (family =3D=3D AF_INET) { struct sockaddr_in *sin =3D (struct sockaddr_in *)&cmd.addr; --=20 2.43.0
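Review bot: the new TCP_LISTEN branch clears ao_info->current_key and ao_info->rnext_key before the address and family validation that follows (`if (family == AF_INET)` ...), so a TCP_AO_DEL_KEY request that later fails still resets those pointers; since they have no meaning on a listener this is harmless, but the comment should say the reset is unconditional rather than tied to the key being deleted. The comment also needs a grammar fix, "that may have preserved from TCP_CLOSE" should read "that may have been preserved from TCP_CLOSE", and `} else { if (cmd.del_async) return -EINVAL; }` can be flattened to `} else if (cmd.del_async) {` to avoid the extra nesting level.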
From: Dmitry Safonov To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri , Salam Noureddine , Simon Horman , netdev@vger.kernel.org Subject: [PATCH v2 5/7] net/tcp: Don't add key with non-matching VRF on connected sockets Date: Fri, 24 Nov 2023 00:27:18 +0000 Message-ID: <20231124002720.102537-6-dima@arista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231124002720.102537-1-dima@arista.com> References: <20231124002720.102537-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" If the connection was established, don't allow adding TCP-AO keys that don't match the peer. Currently, there are checks for ip-address matching, but L3 index check is missing. Add it to restrict userspace shooting itself somewhere. Fixes: 248411b8cb89 ("net/tcp: Wire up l3index to TCP-AO") Signed-off-by: Dmitry Safonov --- net/ipv4/tcp_ao.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index bf41be6d4721..2d000e275ce7 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c 
@@ -1608,6 +1608,9 @@ static int tcp_ao_add_cmd(struct sock *sk, unsigned s= hort int family, if (!dev || !l3index) return -EINVAL; =20 + if (!((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))) + return -EINVAL; + /* It's still possible to bind after adding keys or even * re-bind to a different dev (with CAP_NET_RAW). * So, no reason to return error here, rather try to be --=20 2.43.0
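Review bot: the added check rejects every key that carries an L3 ifindex unless the socket is in TCP_CLOSE or TCP_LISTEN, regardless of whether l3index matches the device the connection is bound to, so the subject line "Don't add key with non-matching VRF on connected sockets" overstates what the code does; either compare l3index against the socket's bound device on connected sockets (the commit message presents the missing L3 check as the counterpart of the existing ip-address match), or reword the subject and message to say that VRF-bound keys may only be added before the connection is established. The check also sits after `if (!dev || !l3index) return -EINVAL;`, so keys without an ifindex are unaffected on connected sockets, which is worth stating.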
From: Dmitry Safonov To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri , Salam Noureddine , Simon Horman , netdev@vger.kernel.org Subject: [PATCH v2 6/7] net/tcp: Add sne_lock to access SNEs Date: Fri, 24 Nov 2023 00:27:19 +0000 Message-ID: <20231124002720.102537-7-dima@arista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231124002720.102537-1-dima@arista.com> References: <20231124002720.102537-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" RFC 5925 (6.2): > TCP-AO emulates a 64-bit sequence number space by inferring when to > increment the high-order 32-bit portion (the SNE) based on > transitions in the low-order portion (the TCP sequence number). snd_sne and rcv_sne are the upper 4 bytes of extended SEQ number. Unfortunately, reading two 4-bytes pointers can't be performed atomically (without synchronization). Let's keep it KISS and add an rwlock - that shouldn't create much contention as SNE are updated every 4Gb of traffic and the atomic region is quite small. Fixes: 64382c71a557 ("net/tcp: Add TCP-AO SNE support") Signed-off-by: Dmitry Safonov --- include/net/tcp_ao.h | 2 +- net/ipv4/tcp_ao.c | 34 +++++++++++++++++++++------------- net/ipv4/tcp_input.c | 16 ++++++++++++++-- 3 files changed, 36 insertions(+), 16 deletions(-) diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index 647781080613..beea3e6b39e2 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -123,6 +123,7 @@ struct tcp_ao_info { */ u32 snd_sne; u32 rcv_sne; + rwlock_t sne_lock; refcount_t refcnt; /* Protects twsk destruction */ struct rcu_head rcu; }; 
@@ -212,7 +213,6 @@ enum skb_drop_reason tcp_inbound_ao_hash(struct sock *s= k, const struct sk_buff *skb, unsigned short int family, const struct request_sock *req, int l3index, const struct tcp_ao_hdr *aoh); -u32 tcp_ao_compute_sne(u32 next_sne, u32 next_seq, u32 seq); struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, int l3index, const union tcp_ao_addr *addr, int family, int sndid, int rcvid); diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 2d000e275ce7..74db80aeeef3 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -230,6 +230,7 @@ static struct tcp_ao_info *tcp_ao_alloc_info(gfp_t flag= s) return NULL; INIT_HLIST_HEAD(&ao->head); refcount_set(&ao->refcnt, 1); + rwlock_init(&ao->sne_lock); =20 return ao; } @@ -472,10 +473,8 @@ static int tcp_ao_hash_pseudoheader(unsigned short int= family, return -EAFNOSUPPORT; } =20 -u32 tcp_ao_compute_sne(u32 next_sne, u32 next_seq, u32 seq) +static u32 tcp_ao_compute_sne(u32 sne, u32 next_seq, u32 seq) { - u32 sne =3D next_sne; - if (before(seq, next_seq)) { if (seq > next_seq) sne--; @@ -483,7 +482,6 @@ u32 tcp_ao_compute_sne(u32 next_sne, u32 next_seq, u32 = seq) if (seq < next_seq) sne++; } - return sne; } =20 @@ -763,14 +761,15 @@ int tcp_ao_prepare_reset(const struct sock *sk, struc= t sk_buff *skb, *keyid =3D (*key)->rcvid; } else { struct tcp_ao_key *rnext_key; - u32 snd_basis; + const u32 *snd_basis; + unsigned long flags; =20 if (sk->sk_state =3D=3D TCP_TIME_WAIT) { ao_info =3D rcu_dereference(tcp_twsk(sk)->ao_info); - snd_basis =3D tcp_twsk(sk)->tw_snd_nxt; + snd_basis =3D &tcp_twsk(sk)->tw_snd_nxt; } else { ao_info =3D rcu_dereference(tcp_sk(sk)->ao_info); - snd_basis =3D tcp_sk(sk)->snd_una; + snd_basis =3D &tcp_sk(sk)->snd_una; } if (!ao_info) return -ENOENT; 
@@ -781,8 +780,10 @@ int tcp_ao_prepare_reset(const struct sock *sk, struct= sk_buff *skb, *traffic_key =3D snd_other_key(*key); rnext_key =3D READ_ONCE(ao_info->rnext_key); *keyid =3D rnext_key->rcvid; - *sne =3D tcp_ao_compute_sne(READ_ONCE(ao_info->snd_sne), - snd_basis, seq); + read_lock_irqsave(&ao_info->sne_lock, flags); + *sne =3D tcp_ao_compute_sne(ao_info->snd_sne, + READ_ONCE(*snd_basis), seq); + read_unlock_irqrestore(&ao_info->sne_lock, flags); } return 0; } @@ -795,6 +796,7 @@ int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff= *skb, struct tcp_sock *tp =3D tcp_sk(sk); struct tcp_ao_info *ao; void *tkey_buf =3D NULL; + unsigned long flags; u8 *traffic_key; u32 sne; =20 @@ -816,8 +818,10 @@ int tcp_ao_transmit_skb(struct sock *sk, struct sk_buf= f *skb, tp->af_specific->ao_calc_key_sk(key, traffic_key, sk, ao->lisn, disn, true); } - sne =3D tcp_ao_compute_sne(READ_ONCE(ao->snd_sne), READ_ONCE(tp->snd_una), - ntohl(th->seq)); + read_lock_irqsave(&ao->sne_lock, flags); + sne =3D tcp_ao_compute_sne(ao->snd_sne, + READ_ONCE(tp->snd_una), ntohl(th->seq)); + read_unlock_irqrestore(&ao->sne_lock, flags); tp->af_specific->calc_ao_hash(hash_location, key, sk, skb, traffic_key, hash_location - (u8 *)th, sne); kfree(tkey_buf); @@ -938,8 +942,9 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_bu= ff *skb, =20 /* Fast-path */ if (likely((1 << sk->sk_state) & TCP_AO_ESTABLISHED)) { - enum skb_drop_reason err; struct tcp_ao_key *current_key; + enum skb_drop_reason err; + unsigned long flags; =20 /* Check if this socket's rnext_key matches the keyid in the * packet. If not we lookup the key based on the keyid 
@@ -956,8 +961,11 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_b= uff *skb, if (unlikely(th->syn && !th->ack)) goto verify_hash; =20 - sne =3D tcp_ao_compute_sne(info->rcv_sne, tcp_sk(sk)->rcv_nxt, + read_lock_irqsave(&info->sne_lock, flags); + sne =3D tcp_ao_compute_sne(info->rcv_sne, + READ_ONCE(tcp_sk(sk)->rcv_nxt), ntohl(th->seq)); + read_unlock_irqrestore(&info->sne_lock, flags); /* Established socket, traffic key are cached */ traffic_key =3D rcv_other_key(key); err =3D tcp_ao_verify_hash(sk, skb, family, info, aoh, key, diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index bcb55d98004c..fc3c27ce2b73 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3582,8 +3582,14 @@ static void tcp_snd_sne_update(struct tcp_sock *tp, = u32 ack) =20 ao =3D rcu_dereference_protected(tp->ao_info, lockdep_sock_is_held((struct sock *)tp)); - if (ao && ack < tp->snd_una) + if (ao && ack < tp->snd_una) { + unsigned long flags; + + write_lock_irqsave(&ao->sne_lock, flags); ao->snd_sne++; + tp->snd_una =3D ack; + write_unlock_irqrestore(&ao->sne_lock, flags); + } #endif } =20 
@@ -3608,8 +3614,14 @@ static void tcp_rcv_sne_update(struct tcp_sock *tp, = u32 seq) =20 ao =3D rcu_dereference_protected(tp->ao_info, lockdep_sock_is_held((struct sock *)tp)); - if (ao && seq < tp->rcv_nxt) + if (ao && seq < tp->rcv_nxt) { + unsigned long flags; + + write_lock_irqsave(&ao->sne_lock, flags); ao->rcv_sne++; + WRITE_ONCE(tp->rcv_nxt, seq); + write_unlock_irqrestore(&ao->sne_lock, flags); + } #endif } =20 --=20 2.43.0
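Review bot: the new `rwlock_t sne_lock;` field added to struct tcp_ao_info in the include/net/tcp_ao.h hunk has no comment saying what it protects, unlike the neighbouring `refcnt` field which carries "/* Protects twsk destruction */". The other hunks show the lock guards snd_sne/rcv_sne together with the snd_una/rcv_nxt values they are paired with, so a one-line comment next to the field, e.g. `/* Protects snd_sne/rcv_sne and their pairing with snd_una/rcv_nxt */`, would record that locking rule where the next reader will look for it.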
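Review bot: in the tcp_ao_prepare_reset hunk, and at every other reader site in this patch, the lock is taken with read_lock_irqsave()/read_unlock_irqrestore() while the two writers in tcp_input.c use write_lock_irqsave(). If none of these paths can run from hardirq context, the _bh variants would suffice and avoid disabling interrupts on the TX and RX hash paths; if irqsave was chosen deliberately, a sentence in the commit message explaining why would help. Also worth a comment: in the TCP_TIME_WAIT branch `snd_basis` now points at `tw_snd_nxt`, which neither writer in this patch updates, so there the lock only orders the `snd_sne` read against the SNE writer, not the basis read.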
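Review bot: in the tcp_snd_sne_update hunk the sequence number is stored with a plain assignment, `+ tp->snd_una =3D ack;`, whereas the matching tcp_rcv_sne_update hunk uses `WRITE_ONCE(tp->rcv_nxt, seq);`. Since tcp_ao_prepare_reset and tcp_ao_transmit_skb now read snd_una with READ_ONCE() in this same patch, the store should be `WRITE_ONCE(tp->snd_una, ack);` so the two sides carry the same annotation. The store also only happens inside the wrap-around branch, so something outside this hunk must still assign snd_una on the common path; a short comment stating that the store here exists so that the SNE increment and the sequence update become visible together under sne_lock would make the intended duplication explicit.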
From: Dmitry Safonov To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri , Salam Noureddine , Simon Horman , netdev@vger.kernel.org Subject: [PATCH v2 7/7] net/tcp: Don't store TCP-AO maclen on reqsk Date: Fri, 24 Nov 2023 00:27:20 +0000 Message-ID: <20231124002720.102537-8-dima@arista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231124002720.102537-1-dima@arista.com> References: <20231124002720.102537-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" This extra check doesn't work for a handshake when the SYN segment has (current_key.maclen != rnext_key.maclen). It could be amended to preserve rnext_key.maclen instead of current_key.maclen, but that requires a lookup on the listen socket. Originally, this extra maclen check was introduced just because it was cheap. Drop it and convert tcp_request_sock::maclen into boolean tcp_request_sock::used_tcp_ao. Fixes: 06b22ef29591 ("net/tcp: Wire TCP-AO to request sockets") Signed-off-by: Dmitry Safonov --- include/linux/tcp.h | 8 ++------ net/ipv4/tcp_ao.c | 4 ++-- net/ipv4/tcp_input.c | 5 +++-- net/ipv4/tcp_output.c | 9 +++------ 4 files changed, 10 insertions(+), 16 deletions(-) diff --git a/include/linux/tcp.h b/include/linux/tcp.h index 68f3d315d2e1..b646b574b060 100644 --- a/include/linux/tcp.h +++ b/include/linux/tcp.h @@ -169,7 +169,7 @@ struct tcp_request_sock { #ifdef CONFIG_TCP_AO u8 ao_keyid; u8 ao_rcv_next; - u8 maclen; + bool used_tcp_ao; #endif }; =20
@@ -180,14 +180,10 @@ static inline struct tcp_request_sock *tcp_rsk(const = struct request_sock *req) =20 static inline bool tcp_rsk_used_ao(const struct request_sock *req) { - /* The real length of MAC is saved in the request socket, - * signing anything with zero-length makes no sense, so here is - * a little hack.. - */ #ifndef CONFIG_TCP_AO return false; #else - return tcp_rsk(req)->maclen !=3D 0; + return tcp_rsk(req)->used_tcp_ao; #endif } =20 diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 74db80aeeef3..cfa264c320a7 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -855,7 +855,7 @@ void tcp_ao_syncookie(struct sock *sk, const struct sk_= buff *skb, const struct tcp_ao_hdr *aoh; struct tcp_ao_key *key; =20 - treq->maclen =3D 0; + treq->used_tcp_ao =3D false; =20 if (tcp_parse_auth_options(th, NULL, &aoh) || !aoh) return; @@ -867,7 +867,7 @@ void tcp_ao_syncookie(struct sock *sk, const struct sk_= buff *skb, =20 treq->ao_rcv_next =3D aoh->keyid; treq->ao_keyid =3D aoh->rnext_keyid; - treq->maclen =3D tcp_ao_maclen(key); + treq->used_tcp_ao =3D true; } =20 static enum skb_drop_reason diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index fc3c27ce2b73..0135a6c6f600 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -7194,11 +7194,12 @@ int tcp_conn_request(struct request_sock_ops *rsk_o= ps, if (tcp_parse_auth_options(tcp_hdr(skb), NULL, &aoh)) goto drop_and_release; /* Invalid TCP options */ if (aoh) { - tcp_rsk(req)->maclen =3D aoh->length - sizeof(struct tcp_ao_hdr); + tcp_rsk(req)->used_tcp_ao =3D true; tcp_rsk(req)->ao_rcv_next =3D aoh->keyid; tcp_rsk(req)->ao_keyid =3D aoh->rnext_keyid; + } else { - tcp_rsk(req)->maclen =3D 0; + tcp_rsk(req)->used_tcp_ao =3D false; } #endif tcp_rsk(req)->snt_isn =3D isn; diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 93eef1dbbc55..f5ef15e1d9ac 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c 
@@ -3720,7 +3720,6 @@ struct sk_buff *tcp_make_synack(const struct sock *sk= , struct dst_entry *dst, if (tcp_rsk_used_ao(req)) { #ifdef CONFIG_TCP_AO struct tcp_ao_key *ao_key =3D NULL; - u8 maclen =3D tcp_rsk(req)->maclen; u8 keyid =3D tcp_rsk(req)->ao_keyid; =20 ao_key =3D tcp_sk(sk)->af_specific->ao_lookup(sk, req_to_sk(req), @@ -3730,13 +3729,11 @@ struct sk_buff *tcp_make_synack(const struct sock *= sk, struct dst_entry *dst, * for another peer-matching key, but the peer has requested * ao_keyid (RFC5925 RNextKeyID), so let's keep it simple here. */ - if (unlikely(!ao_key || tcp_ao_maclen(ao_key) !=3D maclen)) { - u8 key_maclen =3D ao_key ? tcp_ao_maclen(ao_key) : 0; - + if (unlikely(!ao_key)) { rcu_read_unlock(); kfree_skb(skb); - net_warn_ratelimited("TCP-AO: the keyid %u with maclen %u|%u from SYN p= acket is not present - not sending SYNACK\n", - keyid, maclen, key_maclen); + net_warn_ratelimited("TCP-AO: the keyid %u from SYN packet is not prese= nt - not sending SYNACK\n", + keyid); return NULL; } key.ao_key =3D ao_key; --=20 2.43.0
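Review bot: the tcp_conn_request hunk in net/ipv4/tcp_input.c adds an empty `+` line immediately before `} else {`, leaving a blank line between the end of the if-body and the else branch, which is not kernel coding style and is unrelated to the maclen removal; drop that line so the hunk only replaces the two maclen assignments with `used_tcp_ao = true` / `used_tcp_ao = false`.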
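Review bot: in the tcp_make_synack hunk the simplified `if (unlikely(!ao_key))` failure path still logs the `keyid` taken from the incoming SYN, a value that arrives before anything has been authenticated, so the net_warn_ratelimited() variant should be kept as it is here rather than downgraded to an unlimited warning; the remaining comment above it ("the peer has requested ao_keyid (RFC5925 RNextKeyID), so let's keep it simple here") still describes the behaviour accurately after the maclen comparison is gone.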