From patchwork Wed Oct 18 18:23:53 2023
X-Patchwork-Submitter: Mat Martineau
X-Patchwork-Id: 13427716
X-Patchwork-Delegate: kuba@kernel.org
From: Mat Martineau
Date: Wed, 18 Oct 2023 11:23:53 -0700
Subject: [PATCH net 2/5] tcp: check mptcp-level constraints for backlog coalescing
Message-Id: <20231018-send-net-20231018-v1-2-17ecb002e41d@kernel.org>
References: <20231018-send-net-20231018-v1-0-17ecb002e41d@kernel.org>
In-Reply-To: <20231018-send-net-20231018-v1-0-17ecb002e41d@kernel.org>
To: Matthieu Baerts, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, David Ahern, Davide Caratti, Christoph Paasch, Florian Westphal
Cc: netdev@vger.kernel.org, mptcp@lists.linux.dev, Mat Martineau, stable@vger.kernel.org

From: Paolo Abeni

The MPTCP protocol can acquire the subflow-level socket lock and
cause the tcp backlog usage. When inserting new skbs into the
backlog, the stack will try to coalesce them. Currently, we have
no check in place to ensure that such coalescing will respect the
MPTCP-level DSS, and that may cause data stream corruption, as
reported by Christoph.

Address the issue by adding the relevant admission check for coalescing
in tcp_add_backlog().

Note the issue is not easy to reproduce, as the MPTCP protocol tries
hard to avoid acquiring the subflow-level socket lock.

Fixes: 648ef4b88673 ("mptcp: Implement MPTCP receive path")
Cc: stable@vger.kernel.org
Reported-by: Christoph Paasch
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/420
Reviewed-by: Mat Martineau
Signed-off-by: Paolo Abeni
Signed-off-by: Mat Martineau
---
 net/ipv4/tcp_ipv4.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 27140e5cdc06..4167e8a48b60 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c 
@@ -1869,6 +1869,7 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb, #ifdef CONFIG_TLS_DEVICE tail->decrypted != skb->decrypted || #endif + !mptcp_skb_can_collapse(tail, skb) || thtail->doff != th->doff || memcmp(thtail + 1, th + 1, hdrlen - sizeof(*th))) goto no_coalesce;
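
Review bot: The new !mptcp_skb_can_collapse(tail, skb) term in the tcp_add_backlog() no_coalesce condition is unconditional, while the tail->decrypted check directly above it is wrapped in #ifdef CONFIG_TLS_DEVICE. The diffstat shows a single insertion and no new #include, so please confirm that tcp_ipv4.c already sees a declaration of the helper and that a build without MPTCP gets a stub that allows coalescing, so plain TCP backlog behaviour is unchanged. A one-line comment next to the new term saying that it keeps skbs with different MPTCP-level DSS mappings from being merged would help future readers, and since the commit message says the corruption is hard to reproduce, a note on how the fix was validated would be useful for the stable backport.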