[{"id":3683494,"web_url":"http://patchwork.ozlabs.org/comment/3683494/","msgid":"<20260428140642.GT900403@horms.kernel.org>","list_archive_url":null,"date":"2026-04-28T14:06:42","subject":"Re: [PATCH net v2 0/2] sctp: fix a vtag verification failure caused\n by stale INITs","submitter":{"id":82748,"url":"http://patchwork.ozlabs.org/api/people/82748/","name":"Simon Horman","email":"horms@kernel.org"},"content":"On Sun, Apr 26, 2026 at 10:46:39AM -0400, Xin Long wrote:\n> Similar to Scenario B in commit 8e56b063c865 ( netfilter: handle the\n> connecting collision properly in nf_conntrack_proto_sctp\"):\n> \n> Scenario B: INIT_ACK is delayed until the peer completes its own handshake\n> \n> 192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408]\n> 192.168.1.1 > 192.168.1.2: sctp (1) [INIT] [init tag: 144230885]\n> 192.168.1.2 > 192.168.1.1: sctp (1) [INIT ACK] [init tag: 3922216408]\n> 192.168.1.1 > 192.168.1.2: sctp (1) [COOKIE ECHO]\n> 192.168.1.2 > 192.168.1.1: sctp (1) [COOKIE ACK]\n> 192.168.1.1 > 192.168.1.2: sctp (1) [INIT ACK] [init tag: 3914796021] *\n> \n> There is another case:\n> \n> Scenario F: INIT is delayed until the peer completes its own handshake\n> \n> 192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408]\n> (OVS upcall)\n> 192.168.1.1 > 192.168.1.2: sctp (1) [INIT] [init tag: 144230885]\n> 192.168.1.2 > 192.168.1.1: sctp (1) [INIT ACK] [init tag: 3922216408]\n> 192.168.1.1 > 192.168.1.2: sctp (1) [COOKIE ECHO]\n> 192.168.1.2 > 192.168.1.1: sctp (1) [COOKIE ACK]\n> 192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408]\n> (delayed)\n> 192.168.1.1 > 192.168.1.2: sctp (1) [INIT ACK] [init tag: 3914796021] *\n> \n> In this case, the delayed INIT (e.g. due to OVS upcall) is recorded by\n> conntrack, which prevents vtag verification from dropping the unexpected\n> INIT-ACK in nf_conntrack_sctp_packet():\n> \n> vtag = ct->proto.sctp.vtag[!dir];\n> if (!ct->proto.sctp.init[!dir] && vtag && vtag != ih->init_tag)\n> goto out_unlock;\n> \n> This happens because ct->proto.sctp.init[!dir] is set by the delayed INIT,\n> even though it is stale.\n> \n> Fix this in two parts:\n> \n> - In netfilter: Do not record INITs whose init_tag matches the peer vtag,\n> as they carry no new handshake state in the 1st patch.\n> \n> - In SCTP: Prevent endpoints from responding to such INITs with INIT-ACK,\n> ensuring correctness even when middleboxes lack the netfilter fix in\n> the 2nd patch.\n> \n> A follow-up selftest for this scenario will be posted in a separate patch\n> by Yi Chen.\n\nHi Xin,\n\nFTR: There is an AI generated review of this patchset available on\nsashiko.dev. I have looked over this and I do not believe the feedback\nthere should block progress of this patchset.","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=h3coAnL6;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.232.135.74; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12254-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"h3coAnL6\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Received":["from sto.lore.kernel.org (sto.lore.kernel.org [172.232.135.74])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4j2J1XtMz1xrS\n\tfor ; Wed, 29 Apr 2026 00:08:08 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id A8401302C34C\n\tfor ; Tue, 28 Apr 2026 14:06:57 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id D400743E4BE;\n\tTue, 28 Apr 2026 14:06:49 +0000 (UTC)","from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 5D0D843E489;\n\tTue, 28 Apr 2026 14:06:49 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id 02431C2BCAF;\n\tTue, 28 Apr 2026 14:06:45 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777385209; cv=none;\n b=m38rfhK1vQhfE1KB+T0HVlhxytvghPwNo8hoSVOeu2vseomJy3koW0kUH/WEOB1Ni/N9qWBRZk42O0tY/4R0RreZy0C00jM2xpEcQBhPTrZ2OwcWsnVngv1lIgFJxKW+aGwGP6Xw3yfMVkjo3U0tsVm4UY1L5OY8cos4vzdA9G4=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777385209; c=relaxed/simple;\n\tbh=MpYhIos3QpHd5ZcbWIvroPNEGS+XcMgFqE/2NWB8hdQ=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=ajOEfEJluMEFGRArGiDfZa2G6GtMP73R9/cnFSUicwSHQ5emUNb4fPq2QtjLYscxTzYqWxXrhqjmWd+3tvJoCqCcxfxQQRFIJOSZQQNW705LoMwCByugEAWyYgaMqOZrAHyWn199QqLUtrMyT3HO2m55P1q2tFtLP9gGprFcbCU=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=h3coAnL6; arc=none smtp.client-ip=10.30.226.201","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;\n\ts=k20201202; t=1777385209;\n\tbh=MpYhIos3QpHd5ZcbWIvroPNEGS+XcMgFqE/2NWB8hdQ=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=h3coAnL6W7rY0i9VOTXWvINjr/QhnH/y7s7vifxvPC9UI/fBCNTTK20YYDXwmrOiP\n\t w0tLPdHhR9yOKvO2F+6BW6nSAghCC6Quvz71joY+6wPurV0SB/q4MjPGOwWd44PoAw\n\t iN2KgLB5zVM3x2msKOXt/n1/r/lvvtw+JbKK4CHaxFJEWptm5dsw7dKwxy6BxCvEZ6\n\t q7DwqgSMaia5es0cRID69Mz1AOCKdUDerz82e4tDAXYlx0qneJn2QsWt/+Nt2byDcv\n\t Q5vBiAnC876ouq/ej19YoOY7PclEf2omu0QMFfZQRlEZugXPJqx6VqocWhwymrNMQ6\n\t tqJOicddsMaOA==","Date":"Tue, 28 Apr 2026 15:06:42 +0100","From":"Simon Horman ","To":"Xin Long ","Cc":"network dev , netfilter-devel@vger.kernel.org,\n\tlinux-sctp@vger.kernel.org, davem@davemloft.net, kuba@kernel.org,\n\tEric Dumazet , Paolo Abeni ,\n\tPablo Neira Ayuso ,\n\tFlorian Westphal , Phil Sutter ,\n\tMarcelo Ricardo Leitner ,\n\tYi Chen ","Subject":"Re: [PATCH net v2 0/2] sctp: fix a vtag verification failure caused\n by stale INITs","Message-ID":"<20260428140642.GT900403@horms.kernel.org>","References":"","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":""}},{"id":3683703,"web_url":"http://patchwork.ozlabs.org/comment/3683703/","msgid":"","list_archive_url":null,"date":"2026-04-28T20:15:40","subject":"Re: [PATCH net v2 0/2] sctp: fix a vtag verification failure caused\n by stale INITs","submitter":{"id":61073,"url":"http://patchwork.ozlabs.org/api/people/61073/","name":"Xin Long","email":"lucien.xin@gmail.com"},"content":"On Tue, Apr 28, 2026 at 10:06 AM Simon Horman wrote:\n>\n> On Sun, Apr 26, 2026 at 10:46:39AM -0400, Xin Long wrote:\n> > Similar to Scenario B in commit 8e56b063c865 ( netfilter: handle the\n> > connecting collision properly in nf_conntrack_proto_sctp\"):\n> >\n> > Scenario B: INIT_ACK is delayed until the peer completes its own handshake\n> >\n> > 192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408]\n> > 192.168.1.1 > 192.168.1.2: sctp (1) [INIT] [init tag: 144230885]\n> > 192.168.1.2 > 192.168.1.1: sctp (1) [INIT ACK] [init tag: 3922216408]\n> > 192.168.1.1 > 192.168.1.2: sctp (1) [COOKIE ECHO]\n> > 192.168.1.2 > 192.168.1.1: sctp (1) [COOKIE ACK]\n> > 192.168.1.1 > 192.168.1.2: sctp (1) [INIT ACK] [init tag: 3914796021] *\n> >\n> > There is another case:\n> >\n> > Scenario F: INIT is delayed until the peer completes its own handshake\n> >\n> > 192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408]\n> > (OVS upcall)\n> > 192.168.1.1 > 192.168.1.2: sctp (1) [INIT] [init tag: 144230885]\n> > 192.168.1.2 > 192.168.1.1: sctp (1) [INIT ACK] [init tag: 3922216408]\n> > 192.168.1.1 > 192.168.1.2: sctp (1) [COOKIE ECHO]\n> > 192.168.1.2 > 192.168.1.1: sctp (1) [COOKIE ACK]\n> > 192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408]\n> > (delayed)\n> > 192.168.1.1 > 192.168.1.2: sctp (1) [INIT ACK] [init tag: 3914796021] *\n> >\n> > In this case, the delayed INIT (e.g. due to OVS upcall) is recorded by\n> > conntrack, which prevents vtag verification from dropping the unexpected\n> > INIT-ACK in nf_conntrack_sctp_packet():\n> >\n> > vtag = ct->proto.sctp.vtag[!dir];\n> > if (!ct->proto.sctp.init[!dir] && vtag && vtag != ih->init_tag)\n> > goto out_unlock;\n> >\n> > This happens because ct->proto.sctp.init[!dir] is set by the delayed INIT,\n> > even though it is stale.\n> >\n> > Fix this in two parts:\n> >\n> > - In netfilter: Do not record INITs whose init_tag matches the peer vtag,\n> > as they carry no new handshake state in the 1st patch.\n> >\n> > - In SCTP: Prevent endpoints from responding to such INITs with INIT-ACK,\n> > ensuring correctness even when middleboxes lack the netfilter fix in\n> > the 2nd patch.\n> >\n> > A follow-up selftest for this scenario will be posted in a separate patch\n> > by Yi Chen.\n>\n> Hi Xin,\n>\n> FTR: There is an AI generated review of this patchset available on\n> sashiko.dev. I have looked over this and I do not believe the feedback\n> there should block progress of this patchset.\nRight, the feedback is false in practice::\n\n- \"No response\" is not a clean signal\n (could be loss, firewall, rate limiting, etc.).\n- Even guessing this init_tag does not let attackers hijack the association\n (they still lack the correct verification tag and state).\n\nThanks.","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=KlhTZCEL;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12273-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"KlhTZCEL\"","smtp.subspace.kernel.org;\n arc=pass smtp.client-ip=209.85.210.180","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4sDY5lkrz1xvV\n\tfor ; Wed, 29 Apr 2026 06:17:33 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 7C08030AF9CB\n\tfor ; Tue, 28 Apr 2026 20:15:56 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 33DA53148DD;\n\tTue, 28 Apr 2026 20:15:55 +0000 (UTC)","from mail-pf1-f180.google.com (mail-pf1-f180.google.com\n [209.85.210.180])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 9C4D125FA05\n\tfor ; Tue, 28 Apr 2026 20:15:53 +0000 (UTC)","by mail-pf1-f180.google.com with SMTP id\n d2e1a72fcca58-82f9fdfc965so4822745b3a.1\n for ;\n Tue, 28 Apr 2026 13:15:53 -0700 (PDT)"],"ARC-Seal":["i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777407354; cv=pass;\n b=afULjdDVFbWztcKSKHMEsFNgALPBLi2QeluQQtkA/4LhLFyrUMa/SuewkH0WesYndsUwLdgl4WZmq7ogd3FeK4NRqvzGdVUj9eSMGDVhWKPsQRaFv1dNQf9Ab5MSbAfr/Nt1wehCTeg1Uusp3sSHav7AS3nBx65kvvsVNxFVegU=","i=1; a=rsa-sha256; t=1777407353; cv=none;\n d=google.com; s=arc-20240605;\n b=igBXgRMatx4MYrVwNxfDT1GOSX1gbdvwYWIr9mF4LYgU5faU8xz0ftUQQlIewrLyY6\n Csv3WRYck+o5FGa2l3+QkXFUu7qhM4tlzXs5/+tdbJVYagVyf9ae83t7rK28gcGKGHzu\n +ter1LGewNaYYd4ql4Tz7I5gCBlpzfGBQISu00BHgNTawdg9pHaRDW6/RzBXBW6vyCGx\n 82QsPTpB6k2nGF2bDfikFDH6uEzL1cD/cTG55conIJv4RBnGYORimNUTWVLNdWbYMu1o\n FtiP/pE1US1ZouUSl0DNHgvj6dtRIIggVPa3zjSOwL8Zmv0bwcWoMYgYHYBSSPxUB9Vb\n nSag=="],"ARC-Message-Signature":["i=2; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777407354; c=relaxed/simple;\n\tbh=jubsY6PGHnTXGhA5KKyDi/LWS9PbjTsPha5xbgCuu/I=;\n\th=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:\n\t To:Cc:Content-Type;\n b=CcjcT6rr2t5oltJf5MBanZGTM+8puySF1Nora7X8u/Jt6IlU2oMecEHGCajrIDWl16RJjGWVhlmyayMnLa9Snh90On0TdmWUHRiRtgBHypMzMkj+wz7iRIK7Yk8oeKqMtRm8Bz+XHiPuaHBNNYAfHB2i7GFIkSTiXeECFlvCvok=","i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n h=content-transfer-encoding:cc:to:subject:message-id:date:from\n :in-reply-to:references:mime-version:dkim-signature;\n bh=uQV+ZUo0kltumkkS/38YnBQvpZ5Ru0K+aNTeRpdyz74=;\n fh=/qhlLF6Ita+oB42LPl2GTS5UkBhHCTiZ8SE+c0x9POg=;\n b=SovVt7WMxA7bnMCWEUitsLQlmt0qK4w6/zihYgjwQihf9dOqNb5sii39YfOOjy2ufY\n xDm4XxFNKHGSTOf/VnlvzSKVuy/66ImM5d6vsI1CXyNkfVnMYgL4UKGaGOrP3aViQd5t\n kRlWT18z3QxqaoRAw3cRRb96GhT3q3P8Nyl3UikG7q19VbBFfrMcNBsI6LQG+0H1wbmd\n sN5Y4OwokfPgU8A6ncIf9KY6k/Lt0KXxlpIawNDMqbC/T3ooRfT50Th9XEN8OdUSmCdh\n PIoDiUrzUCEl6iNtiEvNBeElOPEgDclYAhwQDhd8FoF4rF21FzmY5MFI/vnqkByBkZa0\n BWGQ==;\n darn=vger.kernel.org"],"ARC-Authentication-Results":["i=2; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=KlhTZCEL; arc=pass smtp.client-ip=209.85.210.180","i=1; mx.google.com; arc=none"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1777407353; x=1778012153;\n darn=vger.kernel.org;\n h=content-transfer-encoding:cc:to:subject:message-id:date:from\n :in-reply-to:references:mime-version:from:to:cc:subject:date\n :message-id:reply-to;\n bh=uQV+ZUo0kltumkkS/38YnBQvpZ5Ru0K+aNTeRpdyz74=;\n b=KlhTZCELSkeBlc2IBRjM/spYNSJcZEx+XzogZUf8EXFJF3JgePK7hmDvz5NuTFJiJv\n 0BK3ai6GXs6Ba5FV/d4g1cdK/BL6ls/W71AfgslX1RqhbkmZGwqATBsS3wGqmGeH6nb/\n xNU61DVSE4tbJYhfIKjDVbPYfQHKGcxwSbWUEqeSX2GlYVe7n1TWGmwLyTSdTy2lzZnj\n VNdG2g0+RgBVVsWPCECBHC8P2dK1ajWkNZH/0ZwWaclyCSZEiTKU6Gl1JhiyMvC/Ti3k\n KiEHqJicHui4HFNs3+FoX2afrvltIR+2kaN7IlVkx5wnlKskFTKJ6aVIH+p0ujd5d0bl\n zUXg==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777407353; x=1778012153;\n h=content-transfer-encoding:cc:to:subject:message-id:date:from\n :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=uQV+ZUo0kltumkkS/38YnBQvpZ5Ru0K+aNTeRpdyz74=;\n b=KyM9oVo16lI3B4ajcCxNY9Q7lMuG55XD65U3XylprZ6qCMyEZ1AX9Ff408iQAw0pOz\n UIcmfpSmGj+RATas8ii35NN8OFAJaQT1VBu0ZsZbeoN3xUy/+UOV9Wmu6d2h88g9kFYE\n r/mDFmukzXJLVfo7vTbrjAQNIYl3Dd8QYPr4GVUKVSSYyAG+KZTadw9v+1cCDD97dG0S\n u4eFvTLYZlhXVRK2G4hFbpixCelGXXQVjKd0IAM3SEzpqOIkplWdTw/ybYzVetLK0MOO\n pC8vTlESzesl0t7JII0QuTf0dKTWdrKDsqlOGOCwkCQbivsX6HCFcpQ7g9OcVa6AhG9q\n U06A==","X-Forwarded-Encrypted":"i=1;\n AFNElJ+19sddNGxjBLtbBYJQBT8y5eETIrSzksHGh+Eg1tx8xY1wZmsxWM8uAv52Qxze4mZ2BsW/tvnyaLmIFV11zDU=@vger.kernel.org","X-Gm-Message-State":"AOJu0YxJ1OQXwW6K5iVSvMaNE7wfr7UUh19LUp4Bb31Xb+PEQgiocnPI\n\teErS/0ZFNabFwAfpF8+NIp6rRMD6nLc4C6LYaEQrUNKGZdxhEil/VPK9Eaapdzn7jmBB15kGnMB\n\t0zLcGP65CjulbNK+ym85pv39xcwuQuzE=","X-Gm-Gg":"AeBDieuzA4/uR9m6yMJuNxODFvXr72bx2A6fkGplkfU6OBZtoavx393UO5X3mUUDmuv\n\tHe7Bt00oanwp1Ol2R8mS+kS4H194w3eOOAVenC14t8xRdJvcJdRBvY3bTBqhPb2rqHqBQnlgFR9\n\tTbfdcRwIdyTOtwvEffgWt7BvglfOTctvE3QZBmez/EcdKoVZwv2fF0xdV+thTmN+oXYobyAJmtI\n\t5eorFvc7UY5JCaCuGVbnDM3u2ConcnY6G3fBmhXPraxXtyDOCsA53jfuZl8Io2PYeyz4SV81zjT\n\tsQowRSF904apztrytnFjT9Z8EroF6c15ryHm/8jOUkXXyez/THQieYBxMfg/P1R9Ky7ljvLCGKY\n\tY2HU31D8uFadqYgwHX8+0tIxJLCaK0vdl5oE2n9AYN5yKuxFs9g==","X-Received":"by 2002:a05:6a00:f9a:b0:82c:2155:5b6d with SMTP id\n d2e1a72fcca58-834ddabdb7dmr4872052b3a.12.1777407352913; Tue, 28 Apr 2026\n 13:15:52 -0700 (PDT)","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","References":"\n <20260428140642.GT900403@horms.kernel.org>","In-Reply-To":"<20260428140642.GT900403@horms.kernel.org>","From":"Xin Long ","Date":"Tue, 28 Apr 2026 16:15:40 -0400","X-Gm-Features":"AVHnY4Kx985VXS0AEmk_DrhzVNCcnQW-CWSjNlk5dYUnFRn6jZWfAV-j5B80K0Q","Message-ID":"\n ","Subject":"Re: [PATCH net v2 0/2] sctp: fix a vtag verification failure caused\n by stale INITs","To":"Simon Horman ","Cc":"network dev , netfilter-devel@vger.kernel.org,\n\tlinux-sctp@vger.kernel.org, davem@davemloft.net, kuba@kernel.org,\n\tEric Dumazet , Paolo Abeni ,\n\tPablo Neira Ayuso , Florian Westphal ,\n Phil Sutter ,\n\tMarcelo Ricardo Leitner ,\n Yi Chen ","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable"}},{"id":3683768,"web_url":"http://patchwork.ozlabs.org/comment/3683768/","msgid":"<177742623604.1288483.6985872404359862871.git-patchwork-notify@kernel.org>","list_archive_url":null,"date":"2026-04-29T01:30:36","subject":"Re: [PATCH net v2 0/2] sctp: fix a vtag verification failure caused\n by\n stale INITs","submitter":{"id":80291,"url":"http://patchwork.ozlabs.org/api/people/80291/","name":null,"email":"patchwork-bot+netdevbpf@kernel.org"},"content":"Hello:\n\nThis series was applied to netdev/net.git (main)\nby Jakub Kicinski :\n\nOn Sun, 26 Apr 2026 10:46:39 -0400 you wrote:\n> Similar to Scenario B in commit 8e56b063c865 ( netfilter: handle the\n> connecting collision properly in nf_conntrack_proto_sctp\"):\n> \n> Scenario B: INIT_ACK is delayed until the peer completes its own handshake\n> \n> 192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408]\n> 192.168.1.1 > 192.168.1.2: sctp (1) [INIT] [init tag: 144230885]\n> 192.168.1.2 > 192.168.1.1: sctp (1) [INIT ACK] [init tag: 3922216408]\n> 192.168.1.1 > 192.168.1.2: sctp (1) [COOKIE ECHO]\n> 192.168.1.2 > 192.168.1.1: sctp (1) [COOKIE ACK]\n> 192.168.1.1 > 192.168.1.2: sctp (1) [INIT ACK] [init tag: 3914796021] *\n> \n> [...]\n\nHere is the summary with links:\n - [net,v2,1/2] netfilter: skip recording stale or retransmitted INIT\n https://git.kernel.org/netdev/net/c/576a5d2bad48\n - [net,v2,2/2] sctp: discard stale INIT after handshake completion\n https://git.kernel.org/netdev/net/c/8a92cb475ca9\n\nYou are awesome, thank you!","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=GkhxHw5h;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12278-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"GkhxHw5h\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g50FY0zcDz1yHX\n\tfor ; Wed, 29 Apr 2026 11:33:53 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 4AB313088541\n\tfor ; Wed, 29 Apr 2026 01:31:21 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id E6894248896;\n\tWed, 29 Apr 2026 01:31:20 +0000 (UTC)","from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 6DD461632E7;\n\tWed, 29 Apr 2026 01:31:20 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id 108EEC2BCB7;\n\tWed, 29 Apr 2026 01:31:20 +0000 (UTC)","from [10.30.226.235] (localhost [IPv6:::1])\n\tby aws-us-west-2-korg-oddjob-rhel9-1.codeaurora.org (Postfix) with ESMTP id\n 7CCFE39302C2;\n\tWed, 29 Apr 2026 01:30:37 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777426280; cv=none;\n b=ljABqxkxqltVu7c6OAFwEUwW03TCSk2MfArzbHexz5kuYdbCJog4A4NEpFymLCurDXqzrhTn4XsBP037xLh0sCOGj9Y/8zZTtSSOy/4X20zN1IwhwRIlmlRxrD9bQmde6X1JOVTdw8p4dg9auQtgggTNtnQ6SC1//k/By564i/c=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777426280; c=relaxed/simple;\n\tbh=h89ZhOK/2rQgO5t9c/4hJ80hHOJV3qTYWpj9r/xokQE=;\n\th=Content-Type:MIME-Version:Subject:From:Message-Id:Date:References:\n\t In-Reply-To:To:Cc;\n b=pK3tO8EkXKgRT97jekvtwUJYBqKiSLX/DctW/kQILzhf4gxSFXDvV+gMx9/HuAa2MNmVtjaoZPgxkFsXS9LbA50PeiZovQG+4l0wnih3TsOTDDn9Udujp1MS18iRtf27qM5XkRRCMkL7AUEXfSkslmU1Qh9ljDqqqtxLMNPT+3U=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=GkhxHw5h; arc=none smtp.client-ip=10.30.226.201","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;\n\ts=k20201202; t=1777426280;\n\tbh=h89ZhOK/2rQgO5t9c/4hJ80hHOJV3qTYWpj9r/xokQE=;\n\th=Subject:From:Date:References:In-Reply-To:To:Cc:From;\n\tb=GkhxHw5hSueH+mFTZ5ORmH6pLrNTPAjf9pwATZQT0rWZSpnVL8AHiyPI1vGmYXb3U\n\t 7LQkdXNRA4QtBSdX9SqjibsC7PvEYoQ9r3ZqzqcKX2Txb3BgHkKAsxjSfKB/0VcNch\n\t RggFqhkXq3CUya+yIh0lYC+UX7G5E6CZ1SiCsLU+I6Dt4O7ZWXsxlcOpa0q1JqdJCL\n\t rBtRiqCa19RNFcTus5h+oXGKTQyZyZORBfEiOifKHUnIsaCTtI/XLEr8nkHBgrxdCn\n\t v2rwp0E8tHKoUC2kUARzh2aru6DuwYdqyZU4oZMnQwe05fXgbIG79VFnb2yJ7JM6/N\n\t 2rQ7CaC+KVwdg==","Content-Type":"text/plain; charset=\"utf-8\"","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Subject":"Re: [PATCH net v2 0/2] sctp: fix a vtag verification failure caused\n by\n stale INITs","From":"patchwork-bot+netdevbpf@kernel.org","Message-Id":"\n <177742623604.1288483.6985872404359862871.git-patchwork-notify@kernel.org>","Date":"Wed, 29 Apr 2026 01:30:36 +0000","References":"","In-Reply-To":"","To":"Xin Long ","Cc":"netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,\n linux-sctp@vger.kernel.org, davem@davemloft.net, kuba@kernel.org,\n edumazet@google.com, pabeni@redhat.com, horms@kernel.org,\n pablo@netfilter.org, fw@strlen.de, phil@nwl.cc, marcelo.leitner@gmail.com,\n yiche.cy@gmail.com"}}]