[v3,net] tcp: Defer ts_recent changes until req is owned

Message ID	20250224090047.50748-1-wanghai38@huawei.com (mailing list archive)
State	New
Delegated to:	Netdev Maintainers
Headers	show Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3AC30EEB5; Mon, 24 Feb 2025 09:03:13 +0000 (UTC) From: Wang Hai <wanghai38@huawei.com> To: <kerneljasonxing@gmail.com>, <edumazet@google.com>, <ncardwell@google.com>, <kuniyu@amazon.com>, <davem@davemloft.net>, <dsahern@kernel.org>, <kuba@kernel.org>, <pabeni@redhat.com>, <horms@kernel.org>, <zhangchangzhong@huawei.com>, <liujian56@huawei.com>, <yuehaibing@huawei.com> CC: <netdev@vger.kernel.org>, <linux-kernel@vger.kernel.org> Subject: [PATCH v3 net] tcp: Defer ts_recent changes until req is owned Date: Mon, 24 Feb 2025 17:00:47 +0800 Message-ID: <20250224090047.50748-1-wanghai38@huawei.com> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain
Series	[v3,net] tcp: Defer ts_recent changes until req is owned \| expand [v3,net] tcp: Defer ts_recent changes until req is owned

Message ID

20250224090047.50748-1-wanghai38@huawei.com (mailing list archive)

State

New

Delegated to:

Netdev Maintainers

Headers

From: Wang Hai <wanghai38@huawei.com>
To: <kerneljasonxing@gmail.com>, <edumazet@google.com>,
	<ncardwell@google.com>, <kuniyu@amazon.com>, <davem@davemloft.net>,
	<dsahern@kernel.org>, <kuba@kernel.org>, <pabeni@redhat.com>,
	<horms@kernel.org>, <zhangchangzhong@huawei.com>, <liujian56@huawei.com>,
	<yuehaibing@huawei.com>
CC: <netdev@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: [PATCH v3 net] tcp: Defer ts_recent changes until req is owned
Date: Mon, 24 Feb 2025 17:00:47 +0800
Message-ID: <20250224090047.50748-1-wanghai38@huawei.com>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain

Series

[v3,net] tcp: Defer ts_recent changes until req is owned | expand

Context	Check	Description
netdev/series_format	success	Single patches do not need cover letters
netdev/tree_selection	success	Clearly marked for net
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag present in non-next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 0 this patch: 0
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	success	CCed 8 of 8 maintainers
netdev/build_clang	success	Errors and warnings before: 0 this patch: 0
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 0 this patch: 0
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 22 lines checked
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
netdev/contest	fail	net-next-2025-02-24--12-00 (tests: 895)

Context

Check

Description

netdev/series_format

success

Single patches do not need cover letters

netdev/tree_selection

success

Clearly marked for net

netdev/ynl

success

Generated files up to date; no warnings/errors; no diff in generated;

netdev/fixes_present

success

Fixes tag present in non-next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 0 this patch: 0

netdev/build_tools

success

No tools touched, skip

netdev/cc_maintainers

success

CCed 8 of 8 maintainers

netdev/build_clang

success

Errors and warnings before: 0 this patch: 0

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 0 this patch: 0

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 22 lines checked

netdev/build_clang_rust

success

No Rust files in patch. Skipping build

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

netdev/contest

fail

net-next-2025-02-24--12-00 (tests: 895)

Commit Message

Wang Hai Feb. 24, 2025, 9 a.m. UTC

Recently a bug was discovered where the server had entered TCP_ESTABLISHED
state, but the upper layers were not notified.

The same 5-tuple packet may be processed by different CPUSs, so two
CPUs may receive different ack packets at the same time when the
state is TCP_NEW_SYN_RECV.

In that case, req->ts_recent in tcp_check_req may be changed concurrently,
which will probably cause the newsk's ts_recent to be incorrectly large.
So that tcp_validate_incoming will fail. At this point, newsk will not be
able to enter the TCP_ESTABLISHED.

cpu1                                    cpu2
tcp_check_req
                                        tcp_check_req
 req->ts_recent = rcv_tsval = t1
                                         req->ts_recent = rcv_tsval = t2

 syn_recv_sock
  tcp_sk(child)->rx_opt.ts_recent = req->ts_recent = t2 // t1 < t2
tcp_child_process
 tcp_rcv_state_process
  tcp_validate_incoming
   tcp_paws_check
    if ((s32)(rx_opt->ts_recent - rx_opt->rcv_tsval) <= paws_win)
        // t2 - t1 > paws_win, failed
                                        tcp_v4_do_rcv
                                         tcp_rcv_state_process
                                         // TCP_ESTABLISHED

The cpu2's skb or a newly received skb will call tcp_v4_do_rcv to get
the newsk into the TCP_ESTABLISHED state, but at this point it is no
longer possible to notify the upper layer application. A notification
mechanism could be added here, but the fix is more complex, so the
current fix is used.

In tcp_check_req, req->ts_recent is used to assign a value to
tcp_sk(child)->rx_opt.ts_recent, so removing the change in req->ts_recent
and changing tcp_sk(child)->rx_opt.ts_recent directly after owning the
req fixes this bug.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
---
v2->v3: changed code format and commit msg.
 net/ipv4/tcp_minisocks.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

Comments

Eric Dumazet Feb. 24, 2025, 9:22 a.m. UTC | #1

On Mon, Feb 24, 2025 at 10:03 AM Wang Hai <wanghai38@huawei.com> wrote:
>
> Recently a bug was discovered where the server had entered TCP_ESTABLISHED
> state, but the upper layers were not notified.
>
> The same 5-tuple packet may be processed by different CPUSs, so two
> CPUs may receive different ack packets at the same time when the
> state is TCP_NEW_SYN_RECV.
>
> In that case, req->ts_recent in tcp_check_req may be changed concurrently,
> which will probably cause the newsk's ts_recent to be incorrectly large.
> So that tcp_validate_incoming will fail. At this point, newsk will not be
> able to enter the TCP_ESTABLISHED.
>
> cpu1                                    cpu2
> tcp_check_req
>                                         tcp_check_req
>  req->ts_recent = rcv_tsval = t1
>                                          req->ts_recent = rcv_tsval = t2
>
>  syn_recv_sock
>   tcp_sk(child)->rx_opt.ts_recent = req->ts_recent = t2 // t1 < t2
> tcp_child_process
>  tcp_rcv_state_process
>   tcp_validate_incoming
>    tcp_paws_check
>     if ((s32)(rx_opt->ts_recent - rx_opt->rcv_tsval) <= paws_win)
>         // t2 - t1 > paws_win, failed
>                                         tcp_v4_do_rcv
>                                          tcp_rcv_state_process
>                                          // TCP_ESTABLISHED
>
> The cpu2's skb or a newly received skb will call tcp_v4_do_rcv to get
> the newsk into the TCP_ESTABLISHED state, but at this point it is no
> longer possible to notify the upper layer application. A notification
> mechanism could be added here, but the fix is more complex, so the
> current fix is used.
>
> In tcp_check_req, req->ts_recent is used to assign a value to
> tcp_sk(child)->rx_opt.ts_recent, so removing the change in req->ts_recent
> and changing tcp_sk(child)->rx_opt.ts_recent directly after owning the
> req fixes this bug.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Wang Hai <wanghai38@huawei.com>
> Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
> ---

Reviewed-by: Eric Dumazet <edumazet@google.com>

Thanks for the fix !

diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index b089b08e9617..dfdb7a4608a8 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -815,12 +815,6 @@  struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
 
 	/* In sequence, PAWS is OK. */
 
-	/* TODO: We probably should defer ts_recent change once
-	 * we take ownership of @req.
-	 */
-	if (tmp_opt.saw_tstamp && !after(TCP_SKB_CB(skb)->seq, tcp_rsk(req)->rcv_nxt))
-		WRITE_ONCE(req->ts_recent, tmp_opt.rcv_tsval);
-
 	if (TCP_SKB_CB(skb)->seq == tcp_rsk(req)->rcv_isn) {
 		/* Truncate SYN, it is out of window starting
 		   at tcp_rsk(req)->rcv_isn + 1. */
@@ -869,6 +863,10 @@  struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
 	if (!child)
 		goto listen_overflow;
 
+	if (own_req && tmp_opt.saw_tstamp &&
+	    !after(TCP_SKB_CB(skb)->seq, tcp_rsk(req)->rcv_nxt))
+		tcp_sk(child)->rx_opt.ts_recent = tmp_opt.rcv_tsval;
+
 	if (own_req && rsk_drop_req(req)) {
 		reqsk_queue_removed(&inet_csk(req->rsk_listener)->icsk_accept_queue, req);
 		inet_csk_reqsk_queue_drop_and_put(req->rsk_listener, req);

[v3,net] tcp: Defer ts_recent changes until req is owned

Checks

Commit Message

Comments

Patch