[net-next,2/9] mptcp: avoid data corruption on reinsert

Message ID	1d3e1691c58583b91a96a847e90d09a58431eb80.1594401165.git.pabeni@redhat.com
State	Accepted, archived
Delegated to:	Matthieu Baerts
Headers	show Return-Path: <mptcp-bounces@lists.01.org> Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=207.211.31.81; helo=us-smtp-delivery-1.mimecast.com; envelope-from=pabeni@redhat.com; receiver=<UNKNOWN> From: Paolo Abeni <pabeni@redhat.com> To: mptcp@lists.01.org Date: Fri, 10 Jul 2020 19:22:11 +0200 Message-Id: <1d3e1691c58583b91a96a847e90d09a58431eb80.1594401165.git.pabeni@redhat.com> In-Reply-To: <cover.1594401165.git.pabeni@redhat.com> References: <cover.1594401165.git.pabeni@redhat.com> MIME-Version: 1.0 Message-ID-Hash: 3WZZLIFOY34AFVKSQLBOPXOKU7N7RKQM Precedence: list Subject: [MPTCP] [PATCH net-next 2/9] mptcp: avoid data corruption on reinsert Archived-At: <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/message/3WZZLIFOY34AFVKSQLBOPXOKU7N7RKQM/> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit
Series	mptcp: cope better with mp_join storm \| expand [net-next,0/9] mptcp: cope better with mp_join storm [net-next,1/9] subflow: always init 'rel_write_seq' [net-next,2/9] mptcp: avoid data corruption on reinsert [net-next,3/9] mptcp: mark as fallback even early ones [net-next,4/9] mptcp: zero token hash at creation time. [net-next,5/9] mptcp: make msk established at remote key reception time [net-next,6/9] mptcp: cleanup subflow_finish_connect() [net-next,7/9] subflow: explicitly check for plain tcp rsk [net-next,8/9] subflow: use rsk_ops->send_reset() [net-next,9/9] subflow: introduce and use mptcp_can_accept_new_subflow()

Message ID

1d3e1691c58583b91a96a847e90d09a58431eb80.1594401165.git.pabeni@redhat.com

State

Accepted, archived

Delegated to:

Matthieu Baerts

Headers

Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=207.211.31.81;
 helo=us-smtp-delivery-1.mimecast.com; envelope-from=pabeni@redhat.com;
 receiver=<UNKNOWN> 
From: Paolo Abeni <pabeni@redhat.com>
To: mptcp@lists.01.org
Date: Fri, 10 Jul 2020 19:22:11 +0200
Message-Id: 
 <1d3e1691c58583b91a96a847e90d09a58431eb80.1594401165.git.pabeni@redhat.com>
In-Reply-To: <cover.1594401165.git.pabeni@redhat.com>
References: <cover.1594401165.git.pabeni@redhat.com>
MIME-Version: 1.0
Message-ID-Hash: 3WZZLIFOY34AFVKSQLBOPXOKU7N7RKQM
Precedence: list
Subject: [MPTCP] [PATCH net-next 2/9] mptcp: avoid data corruption on reinsert
Archived-At: 
 <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/message/3WZZLIFOY34AFVKSQLBOPXOKU7N7RKQM/>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Series

mptcp: cope better with mp_join storm | expand

Commit Message

Paolo Abeni July 10, 2020, 5:22 p.m. UTC

When updating a partially acked data fragment, we
actually corrupt it. This is irrelevant till we send
data on a single subflow, as retransmitted data, if
any are discarded by the peer as duplicate, but it
will cause data corruption as soon as we will start
creating non backup subflows.

Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
 net/mptcp/protocol.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 02eb37a3122b..2986637fc39e 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -460,15 +460,20 @@  static void mptcp_clean_una(struct sock *sk)
 
 	dfrag = mptcp_rtx_head(sk);
 	if (dfrag && after64(snd_una, dfrag->data_seq)) {
-		u64 delta = dfrag->data_seq + dfrag->data_len - snd_una;
+		u64 delta = snd_una - dfrag->data_seq;
+
+		if (WARN_ON_ONCE(delta > dfrag->data_len))
+			goto out;
 
 		dfrag->data_seq += delta;
+		dfrag->offset += delta;
 		dfrag->data_len -= delta;
 
 		dfrag_uncharge(sk, delta);
 		cleaned = true;
 	}
 
+out:
 	if (cleaned) {
 		sk_mem_reclaim_partial(sk);

[net-next,2/9] mptcp: avoid data corruption on reinsert

Commit Message

Patch