From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F4148CDB474 for ; Mon, 23 Oct 2023 11:03:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233084AbjJWLDM (ORCPT ); Mon, 23 Oct 2023 07:03:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50910 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233090AbjJWLDL (ORCPT ); Mon, 23 Oct 2023 07:03:11 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DEFB1D7A for ; Mon, 23 Oct 2023 04:03:09 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2F942C433C9; Mon, 23 Oct 2023 11:03:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1698058989; bh=DeIuB3oVa7hzQgEmZwQy6/E/wWsrn5i98jMxaTSvjzw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=x9TpXw9jryEJDlVF8f+KJ1Nxg9pvZLnoG3UTwf0vb/XX0W0bvGgsLcLwYc0jd3rJW TDnTfC79BktvgH38b1wqLWWxERz7E3Gsl0+dF/EX6IlmVm1SwZ/uicEt+OgQg4fAIb 9AmcWqRPaUiUnUslyHUCKURsDikHhhMScBysOso4= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Christoph Paasch , Mat Martineau , Paolo Abeni , Jakub Kicinski Subject: [PATCH 6.5 026/241] tcp: check mptcp-level constraints for backlog coalescing Date: Mon, 23 Oct 2023 12:53:32 +0200 Message-ID: <20231023104834.566266902@linuxfoundation.org> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231023104833.832874523@linuxfoundation.org> References: <20231023104833.832874523@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org 6.5-stable review patch. If anyone has any objections, please let me know. ------------------ From: Paolo Abeni commit 6db8a37dfc541e059851652cfd4f0bb13b8ff6af upstream. The MPTCP protocol can acquire the subflow-level socket lock and cause the tcp backlog usage. When inserting new skbs into the backlog, the stack will try to coalesce them. Currently, we have no check in place to ensure that such coalescing will respect the MPTCP-level DSS, and that may cause data stream corruption, as reported by Christoph. Address the issue by adding the relevant admission check for coalescing in tcp_add_backlog(). Note the issue is not easy to reproduce, as the MPTCP protocol tries hard to avoid acquiring the subflow-level socket lock. Fixes: 648ef4b88673 ("mptcp: Implement MPTCP receive path") Cc: stable@vger.kernel.org Reported-by: Christoph Paasch Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/420 Reviewed-by: Mat Martineau Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Link: https://lore.kernel.org/r/20231018-send-net-20231018-v1-2-17ecb002e41d@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman --- net/ipv4/tcp_ipv4.c | 1 + 1 file changed, 1 insertion(+) --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1869,6 +1869,7 @@ bool tcp_add_backlog(struct sock *sk, st #ifdef CONFIG_TLS_DEVICE tail->decrypted != skb->decrypted || #endif + !mptcp_skb_can_collapse(tail, skb) || thtail->doff != th->doff || memcmp(thtail + 1, th + 1, hdrlen - sizeof(*th))) goto no_coalesce;