From nobody Wed Dec 17 05:49:14 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F255DC4167B for ; Wed, 29 Nov 2023 16:57:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232726AbjK2Q53 (ORCPT ); Wed, 29 Nov 2023 11:57:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51778 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229509AbjK2Q5Z (ORCPT ); Wed, 29 Nov 2023 11:57:25 -0500 Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A3736C9 for ; Wed, 29 Nov 2023 08:57:31 -0800 (PST) Received: by mail-wm1-x32d.google.com with SMTP id 5b1f17b1804b1-40b2ddab817so50795835e9.3 for ; Wed, 29 Nov 2023 08:57:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1701277050; x=1701881850; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=haVpn9fvl3FQKPXQqTZq8l5X+Z7fEQLSNTR+x6poikY=; b=Tp265x1fhPLXtlKDHuVj5etiN7JYsgEtxBISRdzxuZZU0HwArfSUI3KpGecEM84dzY Zihc23R+ePWn5NtRAhrQpRqAOUNwio2Yg82pq2u/2OVKbmCHoN0kQ7Jf5d5GDsCBNj2W DtQnOKJo0irihLhy3eueXLosXVWrqcQcN7gL65JsJCOv1Sxj0KzWQV5nVGPvnY3j+SMD awlodOIqem9lH9wjHogG7ihyUeftCSgHHXSFtfwHY6R5ejzXZaIBCmwOIU8ilTetrPJH kOHGq0t0ss/gYnowWWuf0Ie+oDuWc1np+iqxrnMI9H/WrKBClBzqpH50FHMu6l8bzQbx PZRw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701277050; x=1701881850; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; 
bh=haVpn9fvl3FQKPXQqTZq8l5X+Z7fEQLSNTR+x6poikY=; b=iAWBRrCHPQpzjOo5tFocZPyMfnVOXwwLD69eGXu1/mKPl4+YLYeEwNzU3xVdtVC4Zn 61QDtBZPC3h6uMjm/8UGTcWSJJFq8YNXmtkAjsBQnqzh/LTocMhHI4Syc/Gf0NOemebE IHC0zbuGzCntZIXWe09ACLIK9qS0eASTezQiCQ5G+1ynO8NW8SV5CoXu0APHTKMW4vDE 1vpDHptIZ1WmxMqbUp5NppUlgjGowRYQFZWw+rXNMsu5nUpWtNHeFuoVqrGL9uVwzfM4 p5M3JyEfddQGdqx663nowE8aUMFjpdhLEjYkK+ZfDRRtG5GQDNqXmmmgAfhLUz89PSBl 7y9w== X-Gm-Message-State: AOJu0Yx9ngYts59cfIdfy2ulWkw3IKwOF0lgGKXoM+80lcxQUYAFQta4 oB0WS3jPWTDWjvamz2Eth9Rdpw== X-Google-Smtp-Source: AGHT+IGJnXl3K0OuahWJysbyTRWRNB8Me8pMC0aRC2KPiav1kUKZXJAHnaxaCezYw9nnmAEbaRY6hw== X-Received: by 2002:a05:600c:524a:b0:40b:4ba1:c502 with SMTP id fc10-20020a05600c524a00b0040b4ba1c502mr4512827wmb.37.1701277050092; Wed, 29 Nov 2023 08:57:30 -0800 (PST) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id s20-20020a05600c45d400b003fe1fe56202sm2876823wmo.33.2023.11.29.08.57.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 29 Nov 2023 08:57:29 -0800 (PST) 
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org, Markus Elfring, Jonathan Corbet, linux-doc@vger.kernel.org
Subject: [PATCH v4 1/7] Documentation/tcp: Fix an obvious typo
Date: Wed, 29 Nov 2023 16:57:15 +0000
Message-ID: <20231129165721.337302-2-dima@arista.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231129165721.337302-1-dima@arista.com>
References: <20231129165721.337302-1-dima@arista.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

Yep, my VIM spellchecker is not good enough for typos like this one.

Fixes: 7fe0e38bb669 ("Documentation/tcp: Add TCP-AO documentation")
Cc: Jonathan Corbet
Cc: linux-doc@vger.kernel.org
Reported-by: Markus Elfring
Closes: https://lore.kernel.org/all/2745ab4e-acac-40d4-83bf-37f2600d0c3d@web.de/
Signed-off-by: Dmitry Safonov
---
 Documentation/networking/tcp_ao.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Documentation/networking/tcp_ao.rst b/Documentation/networking/tcp_ao.rst
index cfa5bf1cc542..8a58321acce7 100644
--- a/Documentation/networking/tcp_ao.rst
+++ b/Documentation/networking/tcp_ao.rst
@@ -99,7 +99,7 @@ also [6.1]:: when it is no longer considered permitted. =20 Linux TCP-AO will try its best to prevent you from removing a key that's -being used, considering it a key management failure. But sine keeping +being used, considering it a key management failure. But since keeping an outdated key may become a security issue and as a peer may unintentionally prevent the removal of an old key by always setting it as RNextKeyID - a forced key removal mechanism is provided, where --=20 2.43.0 From nobody Wed Dec 17 05:49:14 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E29DFC4167B for ; Wed, 29 Nov 2023 16:57:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233003AbjK2Q5c (ORCPT ); Wed, 29 Nov 2023 11:57:32 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51792 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229498AbjK2Q51 (ORCPT ); Wed, 29 Nov 2023 11:57:27 -0500 Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 12203BC for ; Wed, 29 Nov 2023 08:57:33 -0800 (PST) Received: by mail-wm1-x336.google.com with SMTP id 5b1f17b1804b1-40b4f6006d5so15391015e9.1 for ; Wed, 29 Nov 2023 08:57:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1701277051; x=1701881851; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=zRr0rFRhIAja+Gljgch1Q8003LvnsWZV0PahHhgXGlI=; b=iVFWG8DpihDlTH9F531C+DC9jMEnzuolNei2Be/SprkKwz5MNbVlObNlDnxHpUlEXl h3inQBmVvkczVX+emm5Hubp8DxvyYjR0/Cjvaywyfa8V54bnFcNNXJnZhfTvLkr4bTEM 
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org
Subject: [PATCH v4 2/7] net/tcp: Consistently align TCP-AO option in the header
Date: Wed, 29 Nov 2023 16:57:16 +0000
Message-ID: <20231129165721.337302-3-dima@arista.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231129165721.337302-1-dima@arista.com>
References: <20231129165721.337302-1-dima@arista.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

Currently functions that pre-calculate TCP header options length use
unaligned TCP-AO header + MAC-length for skb reservation.
And the functions that actually write TCP-AO options into skb do align
the header. Nothing good can come out of this for ((maclen % 4) != 0).

Provide tcp_ao_len_aligned() helper and use it everywhere for TCP header
options space calculations.

Fixes: 1e03d32bea8e ("net/tcp: Add TCP-AO sign to outgoing packets")
Signed-off-by: Dmitry Safonov
Reviewed-by: Eric Dumazet
---
 include/net/tcp_ao.h     | 6 ++++++
 net/ipv4/tcp_ao.c        | 4 ++--
 net/ipv4/tcp_ipv4.c      | 4 ++--
 net/ipv4/tcp_minisocks.c | 2 +-
 net/ipv4/tcp_output.c    | 6 +++---
 net/ipv6/tcp_ipv6.c      | 2 +-
 6 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h
index b56be10838f0..647781080613 100644
--- a/include/net/tcp_ao.h
+++ b/include/net/tcp_ao.h
@@ -62,11 +62,17 @@ static inline int tcp_ao_maclen(const struct tcp_ao_key= *key) return key->maclen; } =20 +/* Use tcp_ao_len_aligned() for TCP header calculations */ static inline int tcp_ao_len(const struct tcp_ao_key *key) { return tcp_ao_maclen(key) + sizeof(struct tcp_ao_hdr); } =20 +static inline int tcp_ao_len_aligned(const struct tcp_ao_key *key) +{ + return round_up(tcp_ao_len(key), 4); +} + static inline unsigned int tcp_ao_digest_size(struct tcp_ao_key *key) { return key->digest_size; diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 7696417d0640..c8be1d526eac 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -1100,7 +1100,7 @@ void tcp_ao_connect_init(struct sock *sk) ao_info->current_key =3D key; if (!ao_info->rnext_key) ao_info->rnext_key =3D key; - tp->tcp_header_len +=3D tcp_ao_len(key); + tp->tcp_header_len +=3D tcp_ao_len_aligned(key); =20 ao_info->lisn =3D htonl(tp->write_seq); ao_info->snd_sne =3D 0; @@ -1346,7 +1346,7 @@ static int tcp_ao_parse_crypto(struct tcp_ao_add *cmd= , struct tcp_ao_key *key) syn_tcp_option_space -=3D TCPOLEN_MSS_ALIGNED; syn_tcp_option_space -=3D TCPOLEN_TSTAMP_ALIGNED; syn_tcp_option_space -=3D TCPOLEN_WSCALE_ALIGNED; - if (tcp_ao_len(key) > syn_tcp_option_space) { + if (tcp_ao_len_aligned(key) > syn_tcp_option_space) { err =3D -EMSGSIZE; goto err_kfree; } diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 5f693bbd578d..0c50c5a32b84 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -690,7 +690,7 @@ static bool tcp_v4_ao_sign_reset(const struct sock *sk,= struct sk_buff *skb, =20 reply_options[0] =3D htonl((TCPOPT_AO << 24) | (tcp_ao_len(key) << 16) | (aoh->rnext_keyid << 8) | keyid); - arg->iov[0].iov_len +=3D round_up(tcp_ao_len(key), 4); + arg->iov[0].iov_len +=3D tcp_ao_len_aligned(key); reply->doff =3D arg->iov[0].iov_len / 4; =20 if (tcp_ao_hash_hdr(AF_INET, (char *)&reply_options[1], 
@@ -978,7 +978,7 @@ static void tcp_v4_send_ack(const struct sock *sk, (tcp_ao_len(key->ao_key) << 16) | (key->ao_key->sndid << 8) | key->rcv_next); - arg.iov[0].iov_len +=3D round_up(tcp_ao_len(key->ao_key), 4); + arg.iov[0].iov_len +=3D tcp_ao_len_aligned(key->ao_key); rep.th.doff =3D arg.iov[0].iov_len / 4; =20 tcp_ao_hash_hdr(AF_INET, (char *)&rep.opt[offset], diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c index a9807eeb311c..9e85f2a0bddd 100644 --- a/net/ipv4/tcp_minisocks.c +++ b/net/ipv4/tcp_minisocks.c @@ -615,7 +615,7 @@ struct sock *tcp_create_openreq_child(const struct sock= *sk, ao_key =3D treq->af_specific->ao_lookup(sk, req, tcp_rsk(req)->ao_keyid, -1); if (ao_key) - newtp->tcp_header_len +=3D tcp_ao_len(ao_key); + newtp->tcp_header_len +=3D tcp_ao_len_aligned(ao_key); #endif if (skb->len >=3D TCP_MSS_DEFAULT + newtp->tcp_header_len) newicsk->icsk_ack.last_seg_size =3D skb->len - newtp->tcp_header_len; diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index eb13a55d660c..93eef1dbbc55 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -825,7 +825,7 @@ static unsigned int tcp_syn_options(struct sock *sk, st= ruct sk_buff *skb, timestamps =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_timestamps); if (tcp_key_is_ao(key)) { opts->options |=3D OPTION_AO; - remaining -=3D tcp_ao_len(key->ao_key); + remaining -=3D tcp_ao_len_aligned(key->ao_key); } } =20 @@ -915,7 +915,7 @@ static unsigned int tcp_synack_options(const struct soc= k *sk, ireq->tstamp_ok &=3D !ireq->sack_ok; } else if (tcp_key_is_ao(key)) { opts->options |=3D OPTION_AO; - remaining -=3D tcp_ao_len(key->ao_key); + remaining -=3D tcp_ao_len_aligned(key->ao_key); ireq->tstamp_ok &=3D !ireq->sack_ok; } =20 
@@ -982,7 +982,7 @@ static unsigned int tcp_established_options(struct sock= *sk, struct sk_buff *skb size +=3D TCPOLEN_MD5SIG_ALIGNED; } else if (tcp_key_is_ao(key)) { opts->options |=3D OPTION_AO; - size +=3D tcp_ao_len(key->ao_key); + size +=3D tcp_ao_len_aligned(key->ao_key); } =20 if (likely(tp->rx_opt.tstamp_ok)) { diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 937a02c2e534..8c6623496dd7 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
@@ -881,7 +881,7 @@ static void tcp_v6_send_response(const struct sock *sk,= struct sk_buff *skb, u32 if (tcp_key_is_md5(key)) tot_len +=3D TCPOLEN_MD5SIG_ALIGNED; if (tcp_key_is_ao(key)) - tot_len +=3D tcp_ao_len(key->ao_key); + tot_len +=3D tcp_ao_len_aligned(key->ao_key); =20 #ifdef CONFIG_MPTCP if (rst && !tcp_key_is_md5(key)) { --=20 2.43.0 From nobody Wed Dec 17 05:49:14 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18A5CC4167B for ; Wed, 29 Nov 2023 16:57:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233332AbjK2Q5g (ORCPT ); Wed, 29 Nov 2023 11:57:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51806 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232705AbjK2Q52 (ORCPT ); Wed, 29 Nov 2023 11:57:28 -0500 Received: from mail-wm1-x32a.google.com (mail-wm1-x32a.google.com [IPv6:2a00:1450:4864:20::32a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 94985B6 for ; Wed, 29 Nov 2023 08:57:34 -0800 (PST) Received: by mail-wm1-x32a.google.com with SMTP id 5b1f17b1804b1-40b4c2ef5cdso17684885e9.2 for ; Wed, 29 Nov 2023 08:57:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1701277053; x=1701881853; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=dH55LyAvyZzawnq9+CybIblcEgwIvM5k9Dss3KgMZik=; b=j8pc+UZDa62f/c+qFGBN5Mz3r305vAeUpt+nQs/rEajQI0OBe0Lj3D97baonnDOx+Z NS4Gc8kKoqJJN9MH39t9F9v3n0hPHyeVmWAYKytsaReDiBvBzyvKYXMWXjAgpqVABa4u QOYIxo6bdySjZJS/ZTzo/1G2QcyD3fsu29NKbgpUJiNgRogtzD4SNqeeGQfa/4MuiShV 2rEGFviYteUyBPOgtsNoVxNQppAtgRSKDefibt7Cl9hv634x1GoopC7B+veQ+oqgmVFs 
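Review bot: the new comment on tcp_ao_len() in the include/net/tcp_ao.h hunk says to use tcp_ao_len_aligned() for header calculations but does not say where the unaligned value is still required. The two tcp_ipv4.c hunks deliberately keep `tcp_ao_len(key) << 16` in the option word and switch only the `iov_len` accounting to the aligned helper, so a one-line comment such as "tcp_ao_len() is the on-wire option Length byte; tcp_ao_len_aligned() is the space to reserve for it" would stop a later cleanup from "fixing" those call sites too.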
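Review bot: the `tcp_ao_len_aligned(key) > syn_tcp_option_space` check in the tcp_ao_parse_crypto() hunk is a user-visible change that the commit message does not spell out: a key whose MAC length makes tcp_ao_len() fit in the remaining SYN option space but whose padded length does not will now be rejected with -EMSGSIZE at add-key time, instead of being accepted with the under-sized reservation the message describes. Worth a sentence in the description, and a selftest case with a MAC length that is not a multiple of 4 so the alignment path is exercised in all the hunks below it.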
From: Dmitry Safonov To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri , Salam Noureddine , Simon Horman , netdev@vger.kernel.org Subject: [PATCH v4 3/7] net/tcp: Limit TCP_AO_REPAIR to non-listen sockets Date: Wed, 29 Nov 2023 16:57:17 +0000 Message-ID: <20231129165721.337302-4-dima@arista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231129165721.337302-1-dima@arista.com> References: <20231129165721.337302-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Listen socket is not an established TCP connection, so setsockopt(TCP_AO_REPAIR) doesn't have any impact. Restrict this uAPI for listen sockets. Fixes: faadfaba5e01 ("net/tcp: Add TCP_AO_REPAIR") Signed-off-by: Dmitry Safonov Reviewed-by: Eric Dumazet --- net/ipv4/tcp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 53bcc17c91e4..b1fe4eb01829 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3594,6 +3594,10 @@ int do_tcp_setsockopt(struct sock *sk, int level, in= t optname, break; =20 case TCP_AO_REPAIR: + if (!tcp_can_repair_sock(sk)) { + err =3D -EPERM; + break; + } err =3D tcp_ao_set_repair(sk, optval, optlen); break; #ifdef CONFIG_TCP_AO 
@@ -4293,6 +4297,8 @@ int do_tcp_getsockopt(struct sock *sk, int level, } #endif case TCP_AO_REPAIR: + if (!tcp_can_repair_sock(sk)) + return -EPERM; return tcp_ao_get_repair(sk, optval, optlen); case TCP_AO_GET_KEYS: case TCP_AO_INFO: { --=20 2.43.0 From nobody Wed Dec 17 05:49:14 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7DB45C10DAA for ; Wed, 29 Nov 2023 16:57:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233185AbjK2Q5j (ORCPT ); Wed, 29 Nov 2023 11:57:39 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51854 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232977AbjK2Q5a (ORCPT ); Wed, 29 Nov 2023 11:57:30 -0500 Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ECFDED1 for ; Wed, 29 Nov 2023 08:57:35 -0800 (PST) Received: by mail-wm1-x32f.google.com with SMTP id 5b1f17b1804b1-4079ed65582so52155025e9.1 for ; Wed, 29 Nov 2023 08:57:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1701277054; x=1701881854; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=H1xPXn0VYaTrAb1Nt5Hiecyvp9SYb9ivj7o6hsBOhvw=; b=Pv4S8DPZMX5/yJB6NyJjYkxlQmb6aEawoms8eFOetLImorKodqBHQbb4dRD9ES12ua xxEkrlFkMLaEGLDY4ygW5OAE68wVYm3/cGKPZR3qCE1r0nspXmSlgEKKR2+lge3lcpjq aOXEwW5xrcvf45wyHz5L1MzvN0U9mcipwT/PF3jBPiM+k5vb1S0NuwWb1A1y7TINcZF6 aOzeNVzSFw+VRIn8pUYuPsV0D5whxrSE/skGnNEB5X2+dQH/pO5FEVRI26iWXlU+ZTrg nY6nilz2Ewl5HUk7Bm6BZ/sDAQYVo2Tc459NTJN2h7bQXnP7fqSZtAeNKYqi+ZDSP0XP 6CUw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
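Review bot: the commit message justifies the new gate in both hunks as "listen sockets", but the code uses tcp_can_repair_sock(), which judging by its name is the TCP_REPAIR predicate, and returns -EPERM rather than the -EINVAL a pure state check would suggest; if that predicate also carries TCP_REPAIR's capability requirement, say so in the message, since TCP_AO_REPAIR then becomes unavailable to unprivileged callers on every socket, not only listeners. The getsockopt hunk returning -EPERM directly while the setsockopt hunk sets `err` and breaks matches the surrounding style of the two switch statements, so that difference is fine.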
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org
Subject: [PATCH v4 4/7] net/tcp: Allow removing current/rnext TCP-AO keys on TCP_LISTEN sockets
Date: Wed, 29 Nov 2023 16:57:18 +0000
Message-ID: <20231129165721.337302-5-dima@arista.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231129165721.337302-1-dima@arista.com>
References: <20231129165721.337302-1-dima@arista.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

TCP_LISTEN sockets are not connected to any peer, so having
current_key/rnext_key doesn't make sense. The userspace may falter over
this issue by setting current or rnext TCP-AO key before listen()
syscall.

setsockopt(TCP_AO_DEL_KEY) doesn't allow removing a key that is in use
(in accordance with RFC 5925), so it might be inconvenient to have keys
that can be destroyed only with listener socket.

Fixes: 4954f17ddefc ("net/tcp: Introduce TCP_AO setsockopt()s")
Signed-off-by: Dmitry Safonov
---
 net/ipv4/tcp_ao.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index c8be1d526eac..bf41be6d4721 100644
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -1818,8 +1818,16 @@ static int tcp_ao_del_cmd(struct sock *sk, unsigned = short int family, if (!new_rnext) return -ENOENT; } - if (cmd.del_async && sk->sk_state !=3D TCP_LISTEN) - return -EINVAL; + if (sk->sk_state =3D=3D TCP_LISTEN) { + /* Cleaning up possible "stale" current/rnext keys state, + * that may have preserved from TCP_CLOSE, before sys_listen() + */ + ao_info->current_key =3D NULL; + ao_info->rnext_key =3D NULL; + } else { + if (cmd.del_async) + return -EINVAL; + } =20 if (family =3D=3D AF_INET) { struct sockaddr_in *sin =3D (struct sockaddr_in *)&cmd.addr; --=20 2.43.0 From nobody Wed Dec 17 05:49:14 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B5BE8C4167B for ; Wed, 29 Nov 2023 16:57:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233459AbjK2Q5i (ORCPT ); Wed, 29 Nov 2023 11:57:38 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44056 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233059AbjK2Q5d (ORCPT ); Wed, 29 Nov 2023 11:57:33 -0500 Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0DAD2C9 for ; Wed, 29 Nov 2023 08:57:38 -0800 (PST) Received: by mail-lj1-x22b.google.com with SMTP id 38308e7fff4ca-2c9bd3ec4f6so113801fa.2 for ; Wed, 29 Nov 2023 08:57:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1701277056; x=1701881856; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=xsdu422pJQjO0BqPdllEZym2Fb8ES6Mcal0EPWQmR7E=; b=f9KL3HCOpaCvbTPJvpOn8D0J3f1avIaNEjj+RMSuSeFUKWJAvCwHuqitcdo3qetluG 
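Review bot: in the tcp_ao_del_cmd() hunk the TCP_LISTEN branch clears ao_info->current_key and ao_info->rnext_key before the `if (family == AF_INET)` address handling that follows it, so a delete that fails later (an address or lookup error, for instance) still leaves the listener's current/rnext state wiped; either move the reset to after the key has been located and validated, or extend the comment to say that clearing stale listener state on any TCP_AO_DEL_KEY attempt, successful or not, is intended. The `if (!new_rnext) return -ENOENT;` just above also shows the command can name a replacement rnext key, so check that the replacement is applied after this reset and not overwritten by it.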
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org
Subject: [PATCH v4 5/7] net/tcp: Don't add key with non-matching VRF on connected sockets
Date: Wed, 29 Nov 2023 16:57:19 +0000
Message-ID: <20231129165721.337302-6-dima@arista.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231129165721.337302-1-dima@arista.com>
References: <20231129165721.337302-1-dima@arista.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

If the connection was established, don't allow adding TCP-AO keys that
don't match the peer. Currently, there are checks for ip-address
matching, but L3 index check is missing. Add it to restrict userspace
shooting itself somewhere.

Yet, nothing restricts the CAP_NET_RAW user from trying to shoot
themselves by performing setsockopt(SO_BINDTODEVICE) or
setsockopt(SO_BINDTOIFINDEX) over an established TCP-AO connection.
So, this is just "minimum effort" to potentially save someone's
debugging time, rather than a full restriction on doing weird things.

Fixes: 248411b8cb89 ("net/tcp: Wire up l3index to TCP-AO")
Signed-off-by: Dmitry Safonov
Reviewed-by: Eric Dumazet
---
 net/ipv4/tcp_ao.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index bf41be6d4721..465c871786aa 100644
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -1608,6 +1608,15 @@ static int tcp_ao_add_cmd(struct sock *sk, unsigned = short int family, if (!dev || !l3index) return -EINVAL; =20 + if (!bound_dev_if || bound_dev_if !=3D cmd.ifindex) { + /* tcp_ao_established_key() doesn't expect having + * non peer-matching key on an established TCP-AO + * connection. + */ + if (!((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))) + return -EINVAL; + } + /* It's still possible to bind after adding keys or even * re-bind to a different dev (with CAP_NET_RAW). * So, no reason to return error here, rather try to be --=20 2.43.0 From nobody Wed Dec 17 05:49:14 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1AFF0C4167B for ; Wed, 29 Nov 2023 16:57:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233824AbjK2Q5t (ORCPT ); Wed, 29 Nov 2023 11:57:49 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44140 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233569AbjK2Q5j (ORCPT ); Wed, 29 Nov 2023 11:57:39 -0500 Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 68113D6E for ; Wed, 29 Nov 2023 08:57:39 -0800 (PST) Received: by mail-wm1-x32b.google.com with SMTP id 5b1f17b1804b1-40b427507b7so29901005e9.2 for ; Wed, 29 Nov 2023 08:57:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1701277058; x=1701881858; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=oi8Skx4aWAQOpxaAf1O+XSW/sJby2iOtLR3lXtnQgoE=; b=QErX7TZCS9dDK245i5WzwXIJ+GdUtLHyLB1RgVH/VWpuSq+zNTsRhjvrSr3zkAt+/w 
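Review bot: the new check in the tcp_ao_add_cmd() hunk sits inside the branch that already required `dev` and `l3index`, i.e. it only runs when cmd.ifindex is non-zero; the reverse mismatch, an established socket bound to a VRF device receiving a key with ifindex == 0, is not covered by these lines, while the commit message's "L3 index check" reads as if both directions were handled. Also, the state test `!((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))` rejects everything except listeners and closed sockets, which is stricter than the "connected sockets" in the subject: TCP_SYN_SENT and TCP_SYN_RECV get -EINVAL as well. Either say so in the message or wrap the mask in a named helper so the intent is clear at the call site.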
From: Dmitry Safonov
To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri , Salam Noureddine , Simon Horman , netdev@vger.kernel.org
Subject: [PATCH v4 6/7] net/tcp: Store SNEs + SEQs on ao_info
Date: Wed, 29 Nov 2023 16:57:20 +0000
Message-ID: <20231129165721.337302-7-dima@arista.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231129165721.337302-1-dima@arista.com>
References: <20231129165721.337302-1-dima@arista.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

RFC 5925 (6.2):
> TCP-AO emulates a 64-bit sequence number space by inferring when to
> increment the high-order 32-bit portion (the SNE) based on
> transitions in the low-order portion (the TCP sequence number).

snd_sne and rcv_sne are the upper 4 bytes of the extended SEQ number.
Unfortunately, reading two 4-byte pointers can't be performed atomically
(without synchronization). In order to avoid locks on the TCP fastpath,
let's just double-account for SEQ changes: snd_una/rcv_nxt will be the
lower 4 bytes of snd_sne/rcv_sne.

Fixes: 64382c71a557 ("net/tcp: Add TCP-AO SNE support")
Signed-off-by: Dmitry Safonov
---
 include/net/tcp_ao.h    | 25 +++++++++++++++++---
 net/ipv4/tcp.c          |  7 ++++--
 net/ipv4/tcp_ao.c       | 51 ++++++++++++++++++++++-------------------
 net/ipv4/tcp_fastopen.c |  2 ++
 net/ipv4/tcp_input.c    | 21 ++++++++++-------
 net/ipv4/tcp_output.c   |  1 +
 6 files changed, 71 insertions(+), 36 deletions(-)

diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h
index 647781080613..b8ef25d4b632 100644
--- a/include/net/tcp_ao.h
+++ b/include/net/tcp_ao.h
@@ -121,8 +121,8 @@ struct tcp_ao_info { * - for time-wait sockets the basis is tw_rcv_nxt/tw_snd_nxt. * tw_snd_nxt is not expected to change, while tw_rcv_nxt may. */ - u32 snd_sne; - u32 rcv_sne; + u64 snd_sne; + u64 rcv_sne; refcount_t refcnt; /* Protects twsk destruction */ struct rcu_head rcu; }; @@ -212,7 +212,6 @@ enum skb_drop_reason tcp_inbound_ao_hash(struct sock *s= k, const struct sk_buff *skb, unsigned short int family, const struct request_sock *req, int l3index, const struct tcp_ao_hdr *aoh); -u32 tcp_ao_compute_sne(u32 next_sne, u32 next_seq, u32 seq); struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, int l3index, const union tcp_ao_addr *addr, int family, int sndid, int rcvid); @@ -353,6 +352,26 @@ static inline int tcp_ao_set_repair(struct sock *sk, } #endif =20 +static inline void tcp_ao_sne_set(struct tcp_sock *tp, bool send, u64 sne) +{ +#ifdef CONFIG_TCP_AO + struct tcp_ao_info *ao; + + if (!static_branch_unlikely(&tcp_ao_needed.key)) + return; + + ao =3D rcu_dereference_protected(tp->ao_info, + lockdep_sock_is_held((struct sock *)tp)); + if (!ao) + return; + + if (send) + WRITE_ONCE(ao->snd_sne, sne); + else + WRITE_ONCE(ao->rcv_sne, sne); +#endif +} + #if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) int tcp_do_parse_auth_options(const struct tcphdr *th, const u8 **md5_hash, const u8 **ao_hash); diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index b1fe4eb01829..431c10917d27 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c 
@@ -3545,16 +3545,19 @@ int do_tcp_setsockopt(struct sock *sk, int level, i= nt optname, if (sk->sk_state !=3D TCP_CLOSE) { err =3D -EPERM; } else if (tp->repair_queue =3D=3D TCP_SEND_QUEUE) { - if (!tcp_rtx_queue_empty(sk)) + if (!tcp_rtx_queue_empty(sk)) { err =3D -EPERM; - else + } else { WRITE_ONCE(tp->write_seq, val); + tcp_ao_sne_set(tp, true, val); + } } else if (tp->repair_queue =3D=3D TCP_RECV_QUEUE) { if (tp->rcv_nxt !=3D tp->copied_seq) { err =3D -EPERM; } else { WRITE_ONCE(tp->rcv_nxt, val); WRITE_ONCE(tp->copied_seq, val); + tcp_ao_sne_set(tp, false, val); } } else { err =3D -EINVAL; diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 465c871786aa..25fbb1e0a0ad 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -472,9 +472,10 @@ static int tcp_ao_hash_pseudoheader(unsigned short int= family, return -EAFNOSUPPORT; } =20 -u32 tcp_ao_compute_sne(u32 next_sne, u32 next_seq, u32 seq) +static u32 tcp_ao_compute_sne(u64 seq_sne, u32 seq) { - u32 sne =3D next_sne; + u32 next_seq =3D (u32)(seq_sne & 0xffffffff); + u32 sne =3D seq_sne >> 32; =20 if (before(seq, next_seq)) { if (seq > next_seq) @@ -483,7 +484,6 @@ u32 tcp_ao_compute_sne(u32 next_sne, u32 next_seq, u32 = seq) if (seq < next_seq) sne++; } - return sne; } =20 @@ -731,7 +731,7 @@ int tcp_ao_prepare_reset(const struct sock *sk, struct = sk_buff *skb, =20 sisn =3D htonl(tcp_rsk(req)->rcv_isn); disn =3D htonl(tcp_rsk(req)->snt_isn); - *sne =3D tcp_ao_compute_sne(0, tcp_rsk(req)->snt_isn, seq); + *sne =3D tcp_ao_compute_sne(tcp_rsk(req)->snt_isn, seq); } else { sisn =3D th->seq; disn =3D 0; 
@@ -763,14 +763,11 @@ int tcp_ao_prepare_reset(const struct sock *sk, struc= t sk_buff *skb, *keyid =3D (*key)->rcvid; } else { struct tcp_ao_key *rnext_key; - u32 snd_basis; =20 if (sk->sk_state =3D=3D TCP_TIME_WAIT) { ao_info =3D rcu_dereference(tcp_twsk(sk)->ao_info); - snd_basis =3D tcp_twsk(sk)->tw_snd_nxt; } else { ao_info =3D rcu_dereference(tcp_sk(sk)->ao_info); - snd_basis =3D tcp_sk(sk)->snd_una; } if (!ao_info) return -ENOENT; @@ -781,8 +778,7 @@ int tcp_ao_prepare_reset(const struct sock *sk, struct = sk_buff *skb, *traffic_key =3D snd_other_key(*key); rnext_key =3D READ_ONCE(ao_info->rnext_key); *keyid =3D rnext_key->rcvid; - *sne =3D tcp_ao_compute_sne(READ_ONCE(ao_info->snd_sne), - snd_basis, seq); + *sne =3D tcp_ao_compute_sne(READ_ONCE(ao_info->snd_sne), seq); } return 0; } @@ -816,8 +812,7 @@ int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff= *skb, tp->af_specific->ao_calc_key_sk(key, traffic_key, sk, ao->lisn, disn, true); } - sne =3D tcp_ao_compute_sne(READ_ONCE(ao->snd_sne), READ_ONCE(tp->snd_una), - ntohl(th->seq)); + sne =3D tcp_ao_compute_sne(READ_ONCE(ao->snd_sne), ntohl(th->seq)); tp->af_specific->calc_ao_hash(hash_location, key, sk, skb, traffic_key, hash_location - (u8 *)th, sne); kfree(tkey_buf); @@ -938,8 +933,8 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_bu= ff *skb, =20 /* Fast-path */ if (likely((1 << sk->sk_state) & TCP_AO_ESTABLISHED)) { - enum skb_drop_reason err; struct tcp_ao_key *current_key; + enum skb_drop_reason err; =20 /* Check if this socket's rnext_key matches the keyid in the * packet. If not we lookup the key based on the keyid 
@@ -956,8 +951,7 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_bu= ff *skb, if (unlikely(th->syn && !th->ack)) goto verify_hash; =20 - sne =3D tcp_ao_compute_sne(info->rcv_sne, tcp_sk(sk)->rcv_nxt, - ntohl(th->seq)); + sne =3D tcp_ao_compute_sne(READ_ONCE(info->rcv_sne), ntohl(th->seq)); /* Established socket, traffic key are cached */ traffic_key =3D rcv_other_key(key); err =3D tcp_ao_verify_hash(sk, skb, family, info, aoh, key, @@ -992,7 +986,7 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_bu= ff *skb, if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_NEW_SYN_RECV)) { /* Make the initial syn the likely case here */ if (unlikely(req)) { - sne =3D tcp_ao_compute_sne(0, tcp_rsk(req)->rcv_isn, + sne =3D tcp_ao_compute_sne(tcp_rsk(req)->rcv_isn, ntohl(th->seq)); sisn =3D htonl(tcp_rsk(req)->rcv_isn); disn =3D htonl(tcp_rsk(req)->snt_isn); @@ -1000,8 +994,7 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_b= uff *skb, /* Possible syncookie packet */ sisn =3D htonl(ntohl(th->seq) - 1); disn =3D htonl(ntohl(th->ack_seq) - 1); - sne =3D tcp_ao_compute_sne(0, ntohl(sisn), - ntohl(th->seq)); + sne =3D tcp_ao_compute_sne(ntohl(sisn), ntohl(th->seq)); } else if (unlikely(!th->syn)) { /* no way to figure out initial sisn/disn - drop */ return SKB_DROP_REASON_TCP_FLAGS; @@ -1103,7 +1096,8 @@ void tcp_ao_connect_init(struct sock *sk) tp->tcp_header_len +=3D tcp_ao_len_aligned(key); =20 ao_info->lisn =3D htonl(tp->write_seq); - ao_info->snd_sne =3D 0; + ao_info->snd_sne =3D htonl(tp->write_seq); + ao_info->rcv_sne =3D 0; } else { /* Can't happen: tcp_connect() verifies that there's * at least one tcp-ao key that matches the remote peer. @@ -1139,7 +1133,7 @@ void tcp_ao_finish_connect(struct sock *sk, struct sk= _buff *skb) return; =20 WRITE_ONCE(ao->risn, tcp_hdr(skb)->seq); - ao->rcv_sne =3D 0; + WRITE_ONCE(ao->rcv_sne, ntohl(tcp_hdr(skb)->seq)); =20 hlist_for_each_entry_rcu(key, &ao->head, node) tcp_ao_cache_traffic_keys(sk, ao, key); 
@@ -1169,6 +1163,8 @@ int tcp_ao_copy_all_matching(const struct sock *sk, s= truct sock *newsk, return -ENOMEM; new_ao->lisn =3D htonl(tcp_rsk(req)->snt_isn); new_ao->risn =3D htonl(tcp_rsk(req)->rcv_isn); + new_ao->snd_sne =3D tcp_rsk(req)->snt_isn; + new_ao->rcv_sne =3D tcp_rsk(req)->rcv_isn; new_ao->ao_required =3D ao->ao_required; new_ao->accept_icmps =3D ao->accept_icmps; =20 @@ -1700,6 +1696,8 @@ static int tcp_ao_add_cmd(struct sock *sk, unsigned s= hort int family, goto err_free_sock; } sk_gso_disable(sk); + WRITE_ONCE(ao_info->snd_sne, tcp_sk(sk)->snd_una); + WRITE_ONCE(ao_info->rcv_sne, tcp_sk(sk)->rcv_nxt); rcu_assign_pointer(tcp_sk(sk)->ao_info, ao_info); } =20 @@ -2340,6 +2338,7 @@ int tcp_ao_set_repair(struct sock *sk, sockptr_t optv= al, unsigned int optlen) struct tcp_ao_repair cmd; struct tcp_ao_key *key; struct tcp_ao_info *ao; + u64 sne; int err; =20 if (optlen < sizeof(cmd)) @@ -2360,8 +2359,14 @@ int tcp_ao_set_repair(struct sock *sk, sockptr_t opt= val, unsigned int optlen) =20 WRITE_ONCE(ao->lisn, cmd.snt_isn); WRITE_ONCE(ao->risn, cmd.rcv_isn); - WRITE_ONCE(ao->snd_sne, cmd.snd_sne); - WRITE_ONCE(ao->rcv_sne, cmd.rcv_sne); + + sne =3D READ_ONCE(ao->snd_sne) & 0xffffffff; + sne +=3D (u64)cmd.snd_sne << 32; + WRITE_ONCE(ao->snd_sne, sne); + + sne =3D READ_ONCE(ao->rcv_sne) & 0xffffffff; + sne +=3D (u64)cmd.rcv_sne << 32; + WRITE_ONCE(ao->rcv_sne, sne); =20 hlist_for_each_entry_rcu(key, &ao->head, node) tcp_ao_cache_traffic_keys(sk, ao, key); @@ -2394,8 +2399,8 @@ int tcp_ao_get_repair(struct sock *sk, sockptr_t optv= al, sockptr_t optlen) =20 opt.snt_isn =3D ao->lisn; opt.rcv_isn =3D ao->risn; - opt.snd_sne =3D READ_ONCE(ao->snd_sne); - opt.rcv_sne =3D READ_ONCE(ao->rcv_sne); + opt.snd_sne =3D READ_ONCE(ao->snd_sne) >> 32; + opt.rcv_sne =3D READ_ONCE(ao->rcv_sne) >> 32; rcu_read_unlock(); =20 if (copy_to_sockptr(optval, &opt, min_t(int, len, sizeof(opt)))) 
diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c index 8ed54e7334a9..d28d0df300d3 100644 --- a/net/ipv4/tcp_fastopen.c +++ b/net/ipv4/tcp_fastopen.c @@ -194,6 +194,7 @@ void tcp_fastopen_add_skb(struct sock *sk, struct sk_bu= ff *skb) TCP_SKB_CB(skb)->tcp_flags &=3D ~TCPHDR_SYN; =20 tp->rcv_nxt =3D TCP_SKB_CB(skb)->end_seq; + tcp_ao_sne_set(tp, false, TCP_SKB_CB(skb)->end_seq); __skb_queue_tail(&sk->sk_receive_queue, skb); tp->syn_data_acked =3D 1; =20 @@ -282,6 +283,7 @@ static struct sock *tcp_fastopen_create_child(struct so= ck *sk, tcp_init_transfer(child, BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB, skb); =20 tp->rcv_nxt =3D TCP_SKB_CB(skb)->seq + 1; + tcp_ao_sne_set(tp, false, TCP_SKB_CB(skb)->seq + 1); =20 tcp_fastopen_add_skb(child, skb); =20 diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index bcb55d98004c..0a58447c33b1 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3572,7 +3572,7 @@ static inline bool tcp_may_update_window(const struct= tcp_sock *tp, (ack_seq =3D=3D tp->snd_wl1 && (nwin > tp->snd_wnd || !nwin)); } =20 -static void tcp_snd_sne_update(struct tcp_sock *tp, u32 ack) +static void tcp_ao_snd_sne_update(struct tcp_sock *tp, u32 delta) { #ifdef CONFIG_TCP_AO struct tcp_ao_info *ao; @@ -3582,8 +3582,9 @@ static void tcp_snd_sne_update(struct tcp_sock *tp, u= 32 ack) =20 ao =3D rcu_dereference_protected(tp->ao_info, lockdep_sock_is_held((struct sock *)tp)); - if (ao && ack < tp->snd_una) - ao->snd_sne++; + if (!ao) + return; + WRITE_ONCE(ao->snd_sne, ao->snd_sne + delta); #endif } =20 @@ -3594,11 +3595,11 @@ static void tcp_snd_una_update(struct tcp_sock *tp,= u32 ack) =20 sock_owned_by_me((struct sock *)tp); tp->bytes_acked +=3D delta; - tcp_snd_sne_update(tp, ack); + tcp_ao_snd_sne_update(tp, delta); tp->snd_una =3D ack; } =20 -static void tcp_rcv_sne_update(struct tcp_sock *tp, u32 seq) +static void tcp_ao_rcv_sne_update(struct tcp_sock *tp, u32 delta) { #ifdef CONFIG_TCP_AO struct tcp_ao_info *ao; 
@@ -3608,8 +3609,9 @@ static void tcp_rcv_sne_update(struct tcp_sock *tp, u= 32 seq) =20 ao =3D rcu_dereference_protected(tp->ao_info, lockdep_sock_is_held((struct sock *)tp)); - if (ao && seq < tp->rcv_nxt) - ao->rcv_sne++; + if (!ao) + return; + WRITE_ONCE(ao->rcv_sne, ao->rcv_sne + delta); #endif } =20 @@ -3620,7 +3622,7 @@ static void tcp_rcv_nxt_update(struct tcp_sock *tp, u= 32 seq) =20 sock_owned_by_me((struct sock *)tp); tp->bytes_received +=3D delta; - tcp_rcv_sne_update(tp, seq); + tcp_ao_rcv_sne_update(tp, delta); WRITE_ONCE(tp->rcv_nxt, seq); } =20 @@ -6400,6 +6402,7 @@ static int tcp_rcv_synsent_state_process(struct sock = *sk, struct sk_buff *skb, * move to established. */ WRITE_ONCE(tp->rcv_nxt, TCP_SKB_CB(skb)->seq + 1); + tcp_ao_sne_set(tp, false, TCP_SKB_CB(skb)->seq + 1); tp->rcv_wup =3D TCP_SKB_CB(skb)->seq + 1; =20 /* RFC1323: The window in SYN & SYN/ACK segments is @@ -6510,6 +6513,7 @@ static int tcp_rcv_synsent_state_process(struct sock = *sk, struct sk_buff *skb, } =20 WRITE_ONCE(tp->rcv_nxt, TCP_SKB_CB(skb)->seq + 1); + tcp_ao_sne_set(tp, false, TCP_SKB_CB(skb)->seq + 1); WRITE_ONCE(tp->copied_seq, tp->rcv_nxt); tp->rcv_wup =3D TCP_SKB_CB(skb)->seq + 1; =20 @@ -6722,6 +6726,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_= buff *skb) if (sk->sk_socket) sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT); =20 + tcp_ao_sne_set(tp, true, TCP_SKB_CB(skb)->ack_seq); tp->snd_una =3D TCP_SKB_CB(skb)->ack_seq; tp->snd_wnd =3D ntohs(th->window) << tp->rx_opt.snd_wscale; tcp_init_wl(tp, TCP_SKB_CB(skb)->seq); diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 93eef1dbbc55..3ddd057fb6f7 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c 
@@ -3882,6 +3882,7 @@ static void tcp_connect_init(struct sock *sk) tp->snd_wnd =3D 0; tcp_init_wl(tp, 0); tcp_write_queue_purge(sk); + tcp_ao_sne_set(tp, true, tp->write_seq); tp->snd_una =3D tp->write_seq; tp->snd_sml =3D tp->write_seq; tp->snd_up =3D tp->write_seq; --=20 2.43.0 From nobody Wed Dec 17 05:49:14 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 215E3C4167B for ; Wed, 29 Nov 2023 16:58:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233934AbjK2Q5w (ORCPT ); Wed, 29 Nov 2023 11:57:52 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44228 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233580AbjK2Q5j (ORCPT ); Wed, 29 Nov 2023 11:57:39 -0500 Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2D09710A for ; Wed, 29 Nov 2023 08:57:41 -0800 (PST) Received: by mail-wm1-x330.google.com with SMTP id 5b1f17b1804b1-40b34563987so7493325e9.1 for ; Wed, 29 Nov 2023 08:57:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1701277059; x=1701881859; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=qmBiYbeRYeqEOWnh9NtuJRqQCUW1g+S+1n2KtbA3qWw=; b=juLZN//eJC4/L99bKGgH+oz2FiN/OPF3a/iY4L8LvQGOR/ENQGU/lcPdW5yKVKMluA Fj1MZdjLhZY95jErYdmBYafCI6DT9utdwSHoaPrMMajdo/z6UQlKffaK+nq6jTf+BOgo ErWGYkJe9SGK1XBj7Ref24A4SR0ej/hkOsr3E9FSnyP6iYrdCXDgjoYK0p6NQ/QP+PdX OlWbKhWUHPXhkUJwcT+wfDBxlBVL9Yr+oHYJt7tdTF917xqYCcwfRqTYEy9QbYwOwXgF Xmbm4JTBhHAtCDWKsMZJkUqOnJomcpt3whwu2lG/+yCRFGir2X8dpBLAgPzp7bUjNm/0 y6fg== X-Google-DKIM-Signature: v=1; 
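Review bot: the comment block above `snd_sne`/`rcv_sne` in `struct tcp_ao_info` (hunk @@ -121,8 of include/net/tcp_ao.h) still describes a separate "basis" (snd_una/rcv_nxt, and tw_snd_nxt/tw_rcv_nxt for time-wait sockets), but after this change the basis is the low 32 bits of the u64 itself and `tcp_ao_compute_sne()` no longer takes a basis argument. Please rewrite that comment to state the new invariant this whole patch depends on: the low half mirrors snd_una/rcv_nxt, the high half is the SNE, and every writer of snd_una/rcv_nxt must go through `tcp_ao_sne_set()` or the `tcp_ao_*_sne_update()` helpers, because nothing in the header currently says so and a future writer of those fields that forgets the pairing will silently desynchronise the SNE.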
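Review bot: the new `tcp_ao_sne_set()` (hunk @@ -353,6 of include/net/tcp_ao.h) and the `READ_ONCE(ao->snd_sne)` / `READ_ONCE(info->rcv_sne)` readers in tcp_ao_transmit_skb() and tcp_inbound_ao_hash() rely on a u64 READ_ONCE/WRITE_ONCE being single-copy atomic, which is not guaranteed on 32-bit architectures (rwonce.h permits 64-bit accesses there but they may be split into two 32-bit loads/stores). The commit message motivates the u64 precisely by the non-atomic read of two u32 fields, so on 32-bit the torn read this patch sets out to remove is still possible. Please state in the commit message why that is acceptable (for example, that the receive-path reader only races with updates that cannot cross a 2^32 boundary within the lifetime of one packet) or protect the pair with a seqcount.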
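Review bot: the TCP_QUEUE_SEQ hunk in do_tcp_setsockopt() (net/ipv4/tcp.c, @@ -3545,16) calls `tcp_ao_sne_set(tp, true, val)` / `tcp_ao_sne_set(tp, false, val)`, which stores `val` into the whole u64 and therefore zeroes the SNE half, while the TCP_AO_REPAIR hunk in tcp_ao_set_repair() deliberately keeps the low half (`sne = READ_ONCE(ao->snd_sne) & 0xffffffff; sne += (u64)cmd.snd_sne << 32;`) and only replaces the high half. A checkpoint/restore sequence that issues TCP_AO_REPAIR before TCP_QUEUE_SEQ silently loses the restored SNEs. Either document the required ordering next to the TCP_AO_REPAIR uapi, or have the repair-queue path preserve the upper 32 bits the way tcp_ao_set_repair() does.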
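Review bot: in the new `tcp_ao_compute_sne(u64 seq_sne, u32 seq)` (net/ipv4/tcp_ao.c, @@ -472,9), `(u32)(seq_sne & 0xffffffff)` masks and then truncates; the cast alone is sufficient, and `lower_32_bits()` / `upper_32_bits()` would say what is meant for both `next_seq` and `sne`. The removed blank line before `return sne;` in the following hunk (@@ -483,7) is an unrelated whitespace change and could be dropped from the diff.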
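Review bot: in the tcp_ao_connect_init() hunk (net/ipv4/tcp_ao.c, @@ -1103,7) `ao_info->snd_sne = htonl(tp->write_seq);` stores a network-byte-order value into the low half, while every other writer of that half uses host order (`tcp_rsk(req)->snt_isn` in tcp_ao_copy_all_matching(), `ntohl(tcp_hdr(skb)->seq)` in tcp_ao_finish_connect(), `tp->write_seq` in the tcp_connect_init() hunk), and tcp_ao_compute_sne() compares the low half against a host-order `seq`. The htonl() looks copied from the `lisn` line just above it (`lisn` is __be32, `snd_sne` is not) and gives a wrong basis on little-endian hosts. If tcp_connect_init() always runs `tcp_ao_sne_set(tp, true, tp->write_seq)` afterwards, as the tcp_output.c hunk suggests, the bad value is overwritten and the line is merely redundant; either way it should become `ao_info->snd_sne = tp->write_seq;` or be removed.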
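Review bot: dropping `snd_basis` from tcp_ao_prepare_reset() (net/ipv4/tcp_ao.c, @@ -763,14 and @@ -781,8) changes the basis for TCP_TIME_WAIT sockets from `tcp_twsk(sk)->tw_snd_nxt` to whatever the low half of `ao_info->snd_sne` held when the socket entered TIME_WAIT (snd_una as of the last tcp_snd_una_update()), and this series touches no tcp_minisocks.c code that would refresh ao_info at twsk creation. With an unacknowledged FIN those two values differ, and the struct comment in tcp_ao.h still says the time-wait basis is tw_snd_nxt. Please either argue in the commit message that the difference cannot change the computed SNE for a RST, or sync the low half in the time-wait conversion path.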
From: Dmitry Safonov
To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri , Salam Noureddine , Simon Horman , netdev@vger.kernel.org
Subject: [PATCH v4 7/7] net/tcp: Don't store TCP-AO maclen on reqsk
Date: Wed, 29 Nov 2023 16:57:21 +0000
Message-ID: <20231129165721.337302-8-dima@arista.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231129165721.337302-1-dima@arista.com>
References: <20231129165721.337302-1-dima@arista.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

This extra check doesn't work for a handshake when the SYN segment has
(current_key.maclen != rnext_key.maclen). It could be amended to preserve
rnext_key.maclen instead of current_key.maclen, but that requires a lookup
on the listen socket.

Originally, this extra maclen check was introduced just because it was
cheap. Drop it and convert tcp_request_sock::maclen into boolean
tcp_request_sock::used_tcp_ao.

Fixes: 06b22ef29591 ("net/tcp: Wire TCP-AO to request sockets")
Signed-off-by: Dmitry Safonov
Reviewed-by: Eric Dumazet
---
 include/linux/tcp.h   | 8 ++------
 net/ipv4/tcp_ao.c     | 4 ++--
 net/ipv4/tcp_input.c  | 5 +++--
 net/ipv4/tcp_output.c | 9 +++------
 4 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/include/linux/tcp.h b/include/linux/tcp.h
index 68f3d315d2e1..b646b574b060 100644
--- a/include/linux/tcp.h
+++ b/include/linux/tcp.h
@@ -169,7 +169,7 @@ struct tcp_request_sock { #ifdef CONFIG_TCP_AO u8 ao_keyid; u8 ao_rcv_next; - u8 maclen; + bool used_tcp_ao; #endif }; =20
@@ -180,14 +180,10 @@ static inline struct tcp_request_sock *tcp_rsk(const = struct request_sock *req) =20 static inline bool tcp_rsk_used_ao(const struct request_sock *req) { - /* The real length of MAC is saved in the request socket, - * signing anything with zero-length makes no sense, so here is - * a little hack.. - */ #ifndef CONFIG_TCP_AO return false; #else - return tcp_rsk(req)->maclen !=3D 0; + return tcp_rsk(req)->used_tcp_ao; #endif } =20 diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 25fbb1e0a0ad..dbfea165ff44 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -846,7 +846,7 @@ void tcp_ao_syncookie(struct sock *sk, const struct sk_= buff *skb, const struct tcp_ao_hdr *aoh; struct tcp_ao_key *key; =20 - treq->maclen =3D 0; + treq->used_tcp_ao =3D false; =20 if (tcp_parse_auth_options(th, NULL, &aoh) || !aoh) return; @@ -858,7 +858,7 @@ void tcp_ao_syncookie(struct sock *sk, const struct sk_= buff *skb, =20 treq->ao_rcv_next =3D aoh->keyid; treq->ao_keyid =3D aoh->rnext_keyid; - treq->maclen =3D tcp_ao_maclen(key); + treq->used_tcp_ao =3D true; } =20 static enum skb_drop_reason diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 0a58447c33b1..9bcbde89ab5c 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -7187,11 +7187,12 @@ int tcp_conn_request(struct request_sock_ops *rsk_o= ps, if (tcp_parse_auth_options(tcp_hdr(skb), NULL, &aoh)) goto drop_and_release; /* Invalid TCP options */ if (aoh) { - tcp_rsk(req)->maclen =3D aoh->length - sizeof(struct tcp_ao_hdr); + tcp_rsk(req)->used_tcp_ao =3D true; tcp_rsk(req)->ao_rcv_next =3D aoh->keyid; tcp_rsk(req)->ao_keyid =3D aoh->rnext_keyid; + } else { - tcp_rsk(req)->maclen =3D 0; + tcp_rsk(req)->used_tcp_ao =3D false; } #endif tcp_rsk(req)->snt_isn =3D isn; diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 3ddd057fb6f7..335ab90afe65 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c 
@@ -3720,7 +3720,6 @@ struct sk_buff *tcp_make_synack(const struct sock *sk= , struct dst_entry *dst, if (tcp_rsk_used_ao(req)) { #ifdef CONFIG_TCP_AO struct tcp_ao_key *ao_key =3D NULL; - u8 maclen =3D tcp_rsk(req)->maclen; u8 keyid =3D tcp_rsk(req)->ao_keyid; =20 ao_key =3D tcp_sk(sk)->af_specific->ao_lookup(sk, req_to_sk(req), @@ -3730,13 +3729,11 @@ struct sk_buff *tcp_make_synack(const struct sock *= sk, struct dst_entry *dst, * for another peer-matching key, but the peer has requested * ao_keyid (RFC5925 RNextKeyID), so let's keep it simple here. */ - if (unlikely(!ao_key || tcp_ao_maclen(ao_key) !=3D maclen)) { - u8 key_maclen =3D ao_key ? tcp_ao_maclen(ao_key) : 0; - + if (unlikely(!ao_key)) { rcu_read_unlock(); kfree_skb(skb); - net_warn_ratelimited("TCP-AO: the keyid %u with maclen %u|%u from SYN p= acket is not present - not sending SYNACK\n", - keyid, maclen, key_maclen); + net_warn_ratelimited("TCP-AO: the keyid %u from SYN packet is not prese= nt - not sending SYNACK\n", + keyid); return NULL; } key.ao_key =3D ao_key; --=20 2.43.0
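Review bot: in the tcp_conn_request() hunk (net/ipv4/tcp_input.c, @@ -7187,11) the line added between `tcp_rsk(req)->ao_keyid = aoh->rnext_keyid;` and `} else {` is an empty line (a bare `+`), which is whitespace-only noise in an otherwise mechanical rename and leaves a stray blank line immediately before the else branch; drop it so the hunk is just the two `maclen` to `used_tcp_ao` substitutions.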
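Review bot: in the tcp_make_synack() hunk (net/ipv4/tcp_output.c, @@ -3730,13) the simplified failure path now only reports `keyid`, which is the right thing to log once the maclen comparison is gone, but the comment above the check still explains the decision in terms of "keep it simple here" without saying that a missing key is the only remaining reason to refuse the SYNACK; one sentence there would keep the comment and the code in step. The remaining `u8 keyid = tcp_rsk(req)->ao_keyid;` is now used solely by the warning, so it could move next to `net_warn_ratelimited()` to make that visible.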