From patchwork Tue Sep 19 17:05:57 2017
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 815687
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1505840757.29839.77.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: [PATCH net] tcp: fastopen: fix on syn-data transmit failure
From: Eric Dumazet
To: David Miller
Cc: Yuchung Cheng, Neal Cardwell, netdev
Date: Tue, 19 Sep 2017 10:05:57 -0700
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet

Our recent change exposed a bug in TCP Fastopen Client that syzkaller
found right away [1]

When we prepare skb with SYN+DATA, we attempt to transmit it,
and we update socket state as if the transmit was a success.

In socket RTX queue we have two skbs, one with the SYN alone,
and a second one containing the DATA.

When (malicious) ACK comes in, we now complain that second one had no
skb_mstamp.

The proper fix is to make sure that if the transmit failed, we do not
pretend we sent the DATA skb, and make it our send_head.

When 3WHS completes, we can now send the DATA right away, without having
to wait for a timeout.

[1]
WARNING: CPU: 0 PID: 100189 at net/ipv4/tcp_input.c:3117 tcp_clean_rtx_queue+0x2057/0x2ab0 net/ipv4/tcp_input.c:3117()

 WARN_ON_ONCE(last_ackt == 0);

Modules linked in:
CPU: 0 PID: 100189 Comm: syz-executor1 Not tainted
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff8800b35cb1d8 ffffffff81cad00d 0000000000000000
 ffffffff828a4347 ffff88009f86c080 ffffffff8316eb20 0000000000000d7f
 ffff8800b35cb220 ffffffff812c33c2 ffff8800baad2440 00000009d46575c0
Call Trace:
 [] __dump_stack
 [] dump_stack+0xc1/0x124
 [] warn_slowpath_common+0xe2/0x150
 [] warn_slowpath_null+0x2e/0x40
 [] tcp_clean_rtx_queue+0x2057/0x2ab0 n
 [] tcp_ack+0x151d/0x3930
 [] tcp_rcv_state_process+0x1c69/0x4fd0
 [] tcp_v4_do_rcv+0x54f/0x7c0
 [] sk_backlog_rcv
 [] __release_sock+0x12b/0x3a0
 [] release_sock+0x5e/0x1c0
 [] inet_wait_for_connect
 [] __inet_stream_connect+0x545/0xc50
 [] tcp_sendmsg_fastopen
 [] tcp_sendmsg+0x2298/0x35a0
 [] inet_sendmsg+0xe5/0x520
 [] sock_sendmsg_nosec
 [] sock_sendmsg+0xcf/0x110

Fixes: 8c72c65b426b ("tcp: update skb->skb_mstamp more carefully")
Fixes: 783237e8daf1 ("net-tcp: Fast Open client - sending SYN-data")
Signed-off-by: Eric Dumazet
Reported-by: Dmitry Vyukov
Cc: Neal Cardwell
Cc: Yuchung Cheng
Acked-by: Yuchung Cheng
---
 net/ipv4/tcp_output.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 517d737059d18d8821b65dcdf54d9bb3448784c2..0bc9e46a53696578eb6e911f2f75e6b34c80894f 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -3389,6 +3389,10 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn) goto done; } + /* data was not sent, this is our new send_head */ + sk->sk_send_head = syn_data; + tp->packets_out -= tcp_skb_pcount(syn_data); + fallback: /* Send a regular SYN with Fast Open cookie request option */ if (fo->cookie.len > 0) @@ -3441,6 +3445,11 @@ int tcp_connect(struct sock *sk) */ tp->snd_nxt = tp->write_seq; tp->pushed_seq = tp->write_seq; + buff = tcp_send_head(sk); + if (unlikely(buff)) { + tp->snd_nxt = TCP_SKB_CB(buff)->seq; + tp->pushed_seq = TCP_SKB_CB(buff)->seq; + } TCP_INC_STATS(sock_net(sk), TCP_MIB_ACTIVEOPENS); /* Timer for repeating the SYN until an answer. */
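
Review bot: the `tp->packets_out -= tcp_skb_pcount(syn_data);` line added just before the `fallback:` label in tcp_send_syn_data() reverses a count that must have been made earlier for syn_data, but the one-line comment above it only explains the send_head assignment. Suggest extending the comment to say that syn_data is being un-counted because it was never transmitted, and that falling through into `fallback:` to send a regular SYN with the Fast Open cookie request is intentional, so a later reader does not take the fall-through for a missing goto.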
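
Review bot: in the tcp_connect() hunk, the new `if (unlikely(buff))` block overrides the `tp->snd_nxt = tp->write_seq` and `tp->pushed_seq = tp->write_seq` assignments directly above it, yet carries no comment saying when tcp_send_head(sk) can be non-NULL at this point. A short comment tying it to the transmit-failure path in tcp_send_syn_data(), where sk_send_head is set to syn_data, would make the dependency between the two hunks explicit. The block also reuses the existing `buff` variable, so it is worth confirming that nothing after `TCP_INC_STATS()` still expects `buff` to hold its previous value.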