From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CD0E719066D; Tue, 10 Sep 2024 10:19:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725963552; cv=none; b=XAmNun2VhWdUDdzVFA0QmannzOtAQCquG5G3nsWGpBXEy61XULesdZwsZx8XYsJdu7zcvZQXDsd+C7w/ka3GywazzjZF5tF4EAzHMmYyl4R4f1GNiRDf/IDZUMako21/+RqvgG+d7/08XPagM2ih6u40qNnaKyRctFDLpgrpTSA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725963552; c=relaxed/simple; bh=0XPUSgZiij6ypSkK3QGXsUGI1bvBbqpvOcvfZ/GfPIk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=OZm7w5WLxotoBs5TchSeB4heXUrAswB3dNiqHpBjvYEt+mwgnsS0O+qNd9EbU1GWNujG9oOZEFeT/YMbD66YsHXKpwYH/qvNRfhwWCxOP6ZcW+tOi1wJJCsJ9EVaPl0Wv05XpMGQNgsTxj1LEl2f0jpmhQT73iS4khDpCKMrX8o= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=ck92toxu; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="ck92toxu" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4AFD9C4CEC3; Tue, 10 Sep 2024 10:19:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1725963552; bh=0XPUSgZiij6ypSkK3QGXsUGI1bvBbqpvOcvfZ/GfPIk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ck92toxuzjrsq6l6zJZhnDIaqN1ltGunkMhF5duCLcF+sf5MYcWdn2IMwhQavr8zn 3If1ErEGq5VzJYN4pQE9ia0Scaf+swBIA4aLRVALphfQJi6iJhW7c89EYlwDGFAQ9L YU4290NdbG6o2pSWftqx/DGIsdLfgSYFf6rN7mdg= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Mat Martineau , "Matthieu Baerts (NGI0)" , Jakub Kicinski Subject: [PATCH 5.15 097/214] mptcp: close subflow when receiving TCP+FIN Date: Tue, 10 Sep 2024 11:31:59 +0200 Message-ID: <20240910092602.758111039@linuxfoundation.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240910092558.714365667@linuxfoundation.org> References: <20240910092558.714365667@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: "Matthieu Baerts (NGI0)" commit f09b0ad55a1196f5891663f8888463c0541059cb upstream. When a peer decides to close one subflow in the middle of a connection having multiple subflows, the receiver of the first FIN should accept that, and close the subflow on its side as well. If not, the subflow will stay half closed, and would even continue to be used until the end of the MPTCP connection or a reset from the network. The issue has not been seen before, probably because the in-kernel path-manager always sends a RM_ADDR before closing the subflow. Upon the reception of this RM_ADDR, the other peer will initiate the closure on its side as well. On the other hand, if the RM_ADDR is lost, or if the path-manager of the other peer only closes the subflow without sending a RM_ADDR, the subflow would switch to TCP_CLOSE_WAIT, but that's it, leaving the subflow half-closed. So now, when the subflow switches to the TCP_CLOSE_WAIT state, and if the MPTCP connection has not been closed before with a DATA_FIN, the kernel owning the subflow schedules its worker to initiate the closure on its side as well. This issue can be easily reproduced with packetdrill, as visible in [1], by creating an additional subflow, injecting a FIN+ACK before sending the DATA_FIN, and expecting a FIN+ACK in return. Fixes: 40947e13997a ("mptcp: schedule worker when subflow is closed") Cc: stable@vger.kernel.org Link: https://github.com/multipath-tcp/packetdrill/pull/154 [1] Reviewed-by: Mat Martineau Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20240826-net-mptcp-close-extra-sf-fin-v1-1-905199fe1172@kernel.org Signed-off-by: Jakub Kicinski [ No conflicts but 'sk' is not available in __mptcp_close_subflow in this version. It would require b6985b9b8295 ("mptcp: use the workqueue to destroy unaccepted sockets") which has not been backported to this version. It is easier to get 'sk' by casting 'msk' into a 'struct sock'. ] Signed-off-by: Matthieu Baerts (NGI0) Signed-off-by: Greg Kroah-Hartman --- net/mptcp/protocol.c | 5 ++++- net/mptcp/subflow.c | 8 ++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2361,8 +2361,11 @@ static void __mptcp_close_subflow(struct list_for_each_entry_safe(subflow, tmp, &msk->conn_list, node) { struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + int ssk_state = inet_sk_state_load(ssk); - if (inet_sk_state_load(ssk) != TCP_CLOSE) + if (ssk_state != TCP_CLOSE && + (ssk_state != TCP_CLOSE_WAIT || + inet_sk_state_load((struct sock *)ssk) != TCP_ESTABLISHED)) continue; /* 'subflow_data_ready' will re-sched once rx queue is empty */ --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -1131,12 +1131,16 @@ out: /* sched mptcp worker to remove the subflow if no more data is pending */ static void subflow_sched_work_if_closed(struct mptcp_sock *msk, struct sock *ssk) { - if (likely(ssk->sk_state != TCP_CLOSE)) + struct sock *sk = (struct sock *)msk; + + if (likely(ssk->sk_state != TCP_CLOSE && + (ssk->sk_state != TCP_CLOSE_WAIT || + inet_sk_state_load(sk) != TCP_ESTABLISHED))) return; if (skb_queue_empty(&ssk->sk_receive_queue) && !test_and_set_bit(MPTCP_WORK_CLOSE_SUBFLOW, &msk->flags)) - mptcp_schedule_work((struct sock *)msk); + mptcp_schedule_work(sk); } static bool subflow_can_fallback(struct mptcp_subflow_context *subflow)