From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Paolo Abeni <pabeni@redhat.com>,
"Matthieu Baerts (NGI0)" <matttbe@kernel.org>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.15 75/82] mptcp: handle consistently DSS corruption
Date: Mon, 21 Oct 2024 12:25:56 +0200 [thread overview]
Message-ID: <20241021102250.183045919@linuxfoundation.org> (raw)
In-Reply-To: <20241021102247.209765070@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit e32d262c89e2b22cb0640223f953b548617ed8a6 upstream.
Bugged peer implementation can send corrupted DSS options, consistently
hitting a few warning in the data path. Use DEBUG_NET assertions, to
avoid the splat on some builds and handle consistently the error, dumping
related MIBs and performing fallback and/or reset according to the
subflow type.
Fixes: 6771bfd9ee24 ("mptcp: update mptcp ack sequence from work queue")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20241008-net-mptcp-fallback-fixes-v1-1-c6fb8e93e551@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflicts in mib.[ch], because commit 104125b82e5c ("mptcp: add mib
for infinite map sending") is linked to a new feature, not available
in this version. Resolving the conflicts is easy, simply adding the
new lines declaring the new "DSS corruptions" MIB entries.
Also removed in protocol.c and subflow.c all DEBUG_NET_WARN_ON_ONCE
because they are not defined in this version: enough with the MIB
counters that have been added in this commit. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/mib.c | 2 ++
net/mptcp/mib.h | 2 ++
net/mptcp/protocol.c | 20 +++++++++++++++++---
net/mptcp/subflow.c | 2 +-
4 files changed, 22 insertions(+), 4 deletions(-)
--- a/net/mptcp/mib.c
+++ b/net/mptcp/mib.c
@@ -26,6 +26,8 @@ static const struct snmp_mib mptcp_snmp_
SNMP_MIB_ITEM("MPJoinAckRx", MPTCP_MIB_JOINACKRX),
SNMP_MIB_ITEM("MPJoinAckHMacFailure", MPTCP_MIB_JOINACKMAC),
SNMP_MIB_ITEM("DSSNotMatching", MPTCP_MIB_DSSNOMATCH),
+ SNMP_MIB_ITEM("DSSCorruptionFallback", MPTCP_MIB_DSSCORRUPTIONFALLBACK),
+ SNMP_MIB_ITEM("DSSCorruptionReset", MPTCP_MIB_DSSCORRUPTIONRESET),
SNMP_MIB_ITEM("InfiniteMapRx", MPTCP_MIB_INFINITEMAPRX),
SNMP_MIB_ITEM("DSSNoMatchTCP", MPTCP_MIB_DSSTCPMISMATCH),
SNMP_MIB_ITEM("DataCsumErr", MPTCP_MIB_DATACSUMERR),
--- a/net/mptcp/mib.h
+++ b/net/mptcp/mib.h
@@ -19,6 +19,8 @@ enum linux_mptcp_mib_field {
MPTCP_MIB_JOINACKRX, /* Received an ACK + MP_JOIN */
MPTCP_MIB_JOINACKMAC, /* HMAC was wrong on ACK + MP_JOIN */
MPTCP_MIB_DSSNOMATCH, /* Received a new mapping that did not match the previous one */
+ MPTCP_MIB_DSSCORRUPTIONFALLBACK,/* DSS corruption detected, fallback */
+ MPTCP_MIB_DSSCORRUPTIONRESET, /* DSS corruption detected, MPJ subflow reset */
MPTCP_MIB_INFINITEMAPRX, /* Received an infinite mapping */
MPTCP_MIB_DSSTCPMISMATCH, /* DSS-mapping did not map with TCP's sequence numbers */
MPTCP_MIB_DATACSUMERR, /* The data checksum fail */
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -554,6 +554,18 @@ static bool mptcp_check_data_fin(struct
return ret;
}
+static void mptcp_dss_corruption(struct mptcp_sock *msk, struct sock *ssk)
+{
+ if (READ_ONCE(msk->allow_infinite_fallback)) {
+ MPTCP_INC_STATS(sock_net(ssk),
+ MPTCP_MIB_DSSCORRUPTIONFALLBACK);
+ mptcp_do_fallback(ssk);
+ } else {
+ MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DSSCORRUPTIONRESET);
+ mptcp_subflow_reset(ssk);
+ }
+}
+
static bool __mptcp_move_skbs_from_subflow(struct mptcp_sock *msk,
struct sock *ssk,
unsigned int *bytes)
@@ -626,10 +638,12 @@ static bool __mptcp_move_skbs_from_subfl
moved += len;
seq += len;
- if (WARN_ON_ONCE(map_remaining < len))
- break;
+ if (unlikely(map_remaining < len))
+ mptcp_dss_corruption(msk, ssk);
} else {
- WARN_ON_ONCE(!fin);
+ if (unlikely(!fin))
+ mptcp_dss_corruption(msk, ssk);
+
sk_eat_skb(ssk, skb);
done = true;
}
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -847,7 +847,7 @@ static bool skb_is_fully_mapped(struct s
unsigned int skb_consumed;
skb_consumed = tcp_sk(ssk)->copied_seq - TCP_SKB_CB(skb)->seq;
- if (WARN_ON_ONCE(skb_consumed >= skb->len))
+ if (unlikely(skb_consumed >= skb->len))
return true;
return skb->len - skb_consumed <= subflow->map_data_len -
next prev parent reply other threads:[~2024-10-21 10:48 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-21 10:24 [PATCH 5.15 00/82] 5.15.169-rc1 review Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 01/82] ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 02/82] udf: New directory iteration code Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 03/82] udf: Convert udf_expand_dir_adinicb() to new directory iteration Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 04/82] udf: Move udf_expand_dir_adinicb() to its callsite Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 05/82] udf: Implement searching for directory entry using new iteration code Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 06/82] udf: Provide function to mark entry as deleted using new directory " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 07/82] udf: Convert udf_rename() to " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 08/82] udf: Convert udf_readdir() to new directory iteration Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 09/82] udf: Convert udf_lookup() to use new directory iteration code Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 10/82] udf: Convert udf_get_parent() to " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 11/82] udf: Convert empty_dir() " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 12/82] udf: Convert udf_rmdir() " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 13/82] udf: Convert udf_unlink() " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 14/82] udf: Implement adding of dir entries using new " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 15/82] udf: Convert udf_add_nondir() to new directory iteration Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 16/82] udf: Convert udf_mkdir() to new directory iteration code Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 17/82] udf: Convert udf_link() " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 18/82] udf: Remove old " Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 19/82] udf: Handle error when expanding directory Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 20/82] udf: Dont return bh from udf_expand_dir_adinicb() Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 21/82] udf: Fix bogus checksum computation in udf_rename() Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 22/82] net: enetc: remove xdp_drops statistic from enetc_xdp_drop() Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 23/82] net: enetc: add missing static descriptor and inline keyword Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 24/82] posix-clock: Fix missing timespec64 check in pc_clock_settime() Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 25/82] arm64: probes: Remove broken LDR (literal) uprobe support Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 26/82] arm64: probes: Fix simulate_ldr*_literal() Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 27/82] net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 28/82] irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 29/82] fat: fix uninitialized variable Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 30/82] mm/swapfile: skip HugeTLB pages for unuse_vma Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 31/82] secretmem: disable memfd_secret() if arch cannot set direct map Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 32/82] wifi: mac80211: fix potential key use-after-free Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 33/82] dm-crypt, dm-verity: disable tasklets Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 34/82] KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 35/82] drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 36/82] io_uring/sqpoll: do not allow pinning outside of cpuset Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 37/82] io_uring/sqpoll: retain test for whether the CPU is valid Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 38/82] io_uring/sqpoll: do not put cpumask on stack Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 39/82] iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 40/82] s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 41/82] KVM: s390: Change virtual to physical address access in diag 0x258 handler Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 42/82] x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 43/82] x86/cpufeatures: Add a IBPB_NO_RET BUG flag Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 44/82] x86/entry: Have entry_ibpb() invalidate return predictions Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 45/82] x86/bugs: Skip RSB fill at VMEXIT Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 46/82] x86/bugs: Do not use UNTRAIN_RET with IBPB on entry Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 47/82] blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 48/82] io_uring/sqpoll: close race on waiting for sqring entries Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 49/82] drm/radeon: Fix encoder->possible_clones Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 50/82] drm/vmwgfx: Handle surface check failure correctly Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 51/82] iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 52/82] iio: dac: ltc1660: " Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 53/82] iio: dac: stm32-dac-core: add missing select REGMAP_MMIO " Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 54/82] iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER " Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 55/82] iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 56/82] iio: light: veml6030: fix ALS sensor resolution Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 57/82] iio: light: veml6030: fix IIO device retrieval from embedded device Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 58/82] iio: light: opt3001: add missing full-scale range value Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 59/82] iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 60/82] iio: adc: ti-ads124s08: " Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 61/82] Bluetooth: Remove debugfs directory on module init failure Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 62/82] Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 63/82] xhci: Fix incorrect stream context type macro Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 64/82] xhci: Mitigate failed set dequeue pointer commands Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 65/82] USB: serial: option: add support for Quectel EG916Q-GL Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 66/82] USB: serial: option: add Telit FN920C04 MBIM compositions Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 67/82] parport: Proper fix for array out-of-bounds access Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 68/82] x86/resctrl: Annotate get_mem_config() functions as __init Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 69/82] x86/apic: Always explicitly disarm TSC-deadline timer Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 70/82] x86/entry_32: Do not clobber user EFLAGS.ZF Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 71/82] x86/entry_32: Clear CPU buffers after register restore in NMI return Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 72/82] pinctrl: ocelot: fix system hang on level based interrupts Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 73/82] irqchip/gic-v4: Dont allow a VMOVP on a dying VPE Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 74/82] mptcp: track and update contiguous data status Greg Kroah-Hartman
2024-10-21 10:25 ` Greg Kroah-Hartman [this message]
2024-10-21 10:25 ` [PATCH 5.15 76/82] tcp: fix mptcp DSS corruption due to large pmtu xmit Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 77/82] mptcp: fallback when MPTCP opts are dropped after 1st data Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 78/82] mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Greg Kroah-Hartman
2024-10-21 10:26 ` [PATCH 5.15 79/82] mptcp: prevent MPC handshake on port-based signal endpoints Greg Kroah-Hartman
2024-10-21 10:26 ` [PATCH 5.15 80/82] nilfs2: propagate directory read errors from nilfs_find_entry() Greg Kroah-Hartman
2024-10-21 10:26 ` [PATCH 5.15 81/82] powerpc/mm: Always update max/min_low_pfn in mem_topology_setup() Greg Kroah-Hartman
2024-10-21 10:26 ` [PATCH 5.15 82/82] ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 Greg Kroah-Hartman
2024-10-21 18:05 ` [PATCH 5.15 00/82] 5.15.169-rc1 review Florian Fainelli
2024-10-21 18:06 ` SeongJae Park
2024-10-21 19:25 ` Naresh Kamboju
2024-10-21 20:01 ` Harshit Mogalapalli
2024-10-21 22:41 ` Shuah Khan
2024-10-22 13:00 ` Mark Brown
2024-10-22 17:56 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241021102250.183045919@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuba@kernel.org \
--cc=matttbe@kernel.org \
--cc=pabeni@redhat.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox