[net,1/2] mptcp: more strict state checking for acks

Message ID	5566ba1c4409a652440d84ff49b99e58ca998a0e.1610471474.git.pabeni@redhat.com (mailing list archive)
State	Accepted
Commit	20bc80b6f582ad1151c52ca09ab66b472768c9c8
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> From: Paolo Abeni <pabeni@redhat.com> To: netdev@vger.kernel.org Cc: mptcp@lists.01.org, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org> Subject: [PATCH net 1/2] mptcp: more strict state checking for acks Date: Tue, 12 Jan 2021 18:25:23 +0100 Message-Id: <5566ba1c4409a652440d84ff49b99e58ca998a0e.1610471474.git.pabeni@redhat.com> In-Reply-To: <cover.1610471474.git.pabeni@redhat.com> References: <cover.1610471474.git.pabeni@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	mptcp: a couple of fixes \| expand [net,0/2] mptcp: a couple of fixes [net,1/2] mptcp: more strict state checking for acks [net,2/2] mptcp: better msk-level shutdown.

Message ID

5566ba1c4409a652440d84ff49b99e58ca998a0e.1610471474.git.pabeni@redhat.com (mailing list archive)

State

Accepted

Commit

20bc80b6f582ad1151c52ca09ab66b472768c9c8

Delegated to:

Netdev Maintainers

Headers

show

Return-Path: <netdev-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-16.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS
	autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6B257C433E0
	for <netdev@archiver.kernel.org>; Tue, 12 Jan 2021 17:27:36 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 24C312311D
	for <netdev@archiver.kernel.org>; Tue, 12 Jan 2021 17:27:36 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2390631AbhALR1V (ORCPT <rfc822;netdev@archiver.kernel.org>);
        Tue, 12 Jan 2021 12:27:21 -0500
Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:40107 "EHLO
        us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1732976AbhALR1U (ORCPT
        <rfc822;netdev@vger.kernel.org>); Tue, 12 Jan 2021 12:27:20 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1610472354;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=bM2jLbqRCqyDDkvsxvJousKKruXgvxyqSZAVuwhgf6Y=;
        b=fAGb1RiItgZlkAejTa33nrNU2l+FCTyl4KJm2O3L8q60AglVtl40bc4Uj5pBrni0jZ3e7/
        ncUPn3Yfbyv3ms+9tKOSYnmd8+80agvyohcjSVZVSbgFriQDRLEqxmXS/zgUr9pjjJ5Vz2
        MsaRf0EK3lxRBoH2C21CYkXiVqXKoJ4=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-410-Ob3GbzCLMg6DmTZwsfVIZw-1; Tue, 12 Jan 2021 12:25:50 -0500
X-MC-Unique: Ob3GbzCLMg6DmTZwsfVIZw-1
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com
 [10.5.11.23])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 060388026A8;
        Tue, 12 Jan 2021 17:25:49 +0000 (UTC)
Received: from gerbillo.redhat.com (ovpn-115-120.ams2.redhat.com
 [10.36.115.120])
        by smtp.corp.redhat.com (Postfix) with ESMTP id D169E1975E;
        Tue, 12 Jan 2021 17:25:47 +0000 (UTC)
From: Paolo Abeni <pabeni@redhat.com>
To: netdev@vger.kernel.org
Cc: mptcp@lists.01.org, "David S. Miller" <davem@davemloft.net>,
        Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH net 1/2] mptcp: more strict state checking for acks
Date: Tue, 12 Jan 2021 18:25:23 +0100
Message-Id: 
 <5566ba1c4409a652440d84ff49b99e58ca998a0e.1610471474.git.pabeni@redhat.com>
In-Reply-To: <cover.1610471474.git.pabeni@redhat.com>
References: <cover.1610471474.git.pabeni@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Series

mptcp: a couple of fixes | expand

Checks

Context	Check	Description
netdev/cover_letter	success	Link
netdev/fixes_present	success	Link
netdev/patch_count	success	Link
netdev/tree_selection	success	Clearly marked for net
netdev/subject_prefix	success	Link
netdev/cc_maintainers	warning	2 maintainers not CCed: matthieu.baerts@tessares.net mathew.j.martineau@linux.intel.com
netdev/source_inline	success	Was 0 now: 0
netdev/verify_signedoff	success	Link
netdev/module_param	success	Was 0 now: 0
netdev/build_32bit	success	Errors and warnings before: 2 this patch: 2
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/verify_fixes	success	Link
netdev/checkpatch	warning	WARNING: line length of 92 exceeds 80 columns
netdev/build_allmodconfig_warn	success	Errors and warnings before: 2 this patch: 2
netdev/header_inline	success	Link
netdev/stable	success	Stable not CCed

Context

Check

Description

netdev/cover_letter

success

Link

netdev/fixes_present

success

Link

netdev/patch_count

success

Link

netdev/tree_selection

success

Clearly marked for net

netdev/subject_prefix

success

Link

netdev/cc_maintainers

warning

2 maintainers not CCed: matthieu.baerts@tessares.net mathew.j.martineau@linux.intel.com

netdev/source_inline

success

Was 0 now: 0

netdev/verify_signedoff

success

Link

netdev/module_param

success

Was 0 now: 0

netdev/build_32bit

success

Errors and warnings before: 2 this patch: 2

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/verify_fixes

success

Link

netdev/checkpatch

warning

WARNING: line length of 92 exceeds 80 columns

netdev/build_allmodconfig_warn

success

Errors and warnings before: 2 this patch: 2

netdev/header_inline

success

Link

netdev/stable

success

Stable not CCed

Commit Message

Paolo Abeni Jan. 12, 2021, 5:25 p.m. UTC

Syzkaller found a way to trigger division by zero
in mptcp_subflow_cleanup_rbuf().

The current checks implemented into tcp_can_send_ack()
are too week, let's be more accurate.

Reported-by: Christoph Paasch <cpaasch@apple.com>
Fixes: ea4ca586b16f ("mptcp: refine MPTCP-level ack scheduling")
Fixes: fd8976790a6c ("mptcp: be careful on MPTCP-level ack.")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
 net/mptcp/protocol.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Mat Martineau Jan. 12, 2021, 9:37 p.m. UTC | #1

On Tue, 12 Jan 2021, Paolo Abeni wrote:

> Syzkaller found a way to trigger division by zero
> in mptcp_subflow_cleanup_rbuf().
>
> The current checks implemented into tcp_can_send_ack()
> are too week, let's be more accurate.
>
> Reported-by: Christoph Paasch <cpaasch@apple.com>
> Fixes: ea4ca586b16f ("mptcp: refine MPTCP-level ack scheduling")
> Fixes: fd8976790a6c ("mptcp: be careful on MPTCP-level ack.")
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> ---
> net/mptcp/protocol.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>

Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>

--
Mat Martineau
Intel

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 6628d8d74203..2ff8c7caf74f 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -427,7 +427,7 @@  static bool mptcp_subflow_active(struct mptcp_subflow_context *subflow)
 static bool tcp_can_send_ack(const struct sock *ssk)
 {
 	return !((1 << inet_sk_state_load(ssk)) &
-	       (TCPF_SYN_SENT | TCPF_SYN_RECV | TCPF_TIME_WAIT | TCPF_CLOSE));
+	       (TCPF_SYN_SENT | TCPF_SYN_RECV | TCPF_TIME_WAIT | TCPF_CLOSE | TCPF_LISTEN));
 }
 
 static void mptcp_send_ack(struct mptcp_sock *msk)