[mptcp-net,1/2] mptcp: more strict state checking for acks

Message ID	3a0b48a0fa62632115c30267700936028c898388.1608628900.git.pabeni@redhat.com
State	Accepted, archived
Commit	0b6dd0e5543ad8183a1e229ce2cb4d9c0cbadb63
Delegated to:	Matthieu Baerts
Headers	show Return-Path: <mptcp-bounces@lists.01.org> Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=216.205.24.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=pabeni@redhat.com; receiver=<UNKNOWN> From: Paolo Abeni <pabeni@redhat.com> To: mptcp@lists.01.org Cc: Christoph Paasch <cpaasch@apple.com> Date: Tue, 22 Dec 2020 10:26:50 +0100 Message-Id: <3a0b48a0fa62632115c30267700936028c898388.1608628900.git.pabeni@redhat.com> In-Reply-To: <cover.1608628900.git.pabeni@redhat.com> References: <cover.1608628900.git.pabeni@redhat.com> MIME-Version: 1.0 Message-ID-Hash: 4YP6I43L34CPVGTNIFLNGODMDV7LV2TJ Precedence: list Subject: [MPTCP] [mptcp-net 1/2] mptcp: more strict state checking for acks Archived-At: <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/message/4YP6I43L34CPVGTNIFLNGODMDV7LV2TJ/> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit
Series	mptcp: fix for issue/121 \| expand [mptcp-net,0/2] mptcp: fix for issue/121 [mptcp-net,1/2] mptcp: more strict state checking for acks [mptcp-net,2/2] mptcp: better msk-level shutdown.

Message ID

3a0b48a0fa62632115c30267700936028c898388.1608628900.git.pabeni@redhat.com

State

Accepted, archived

Commit

0b6dd0e5543ad8183a1e229ce2cb4d9c0cbadb63

Delegated to:

Matthieu Baerts

Headers

show

Return-Path: <mptcp-bounces@lists.01.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=none (no SPF record) smtp.mailfrom=lists.01.org (client-ip=198.145.21.10;
 helo=ml01.01.org; envelope-from=mptcp-bounces@lists.01.org;
 receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
 dmarc=fail (p=none dis=none) header.from=redhat.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
 unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256
 header.s=mimecast20190719 header.b=SU4BzNll;
	dkim-atps=neutral
Received: from ml01.01.org (ml01.01.org [198.145.21.10])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4D0WFd1rJXz9sVk
	for <incoming@patchwork.ozlabs.org>; Tue, 22 Dec 2020 20:27:16 +1100 (AEDT)
Received: from ml01.vlan13.01.org (localhost [IPv6:::1])
	by ml01.01.org (Postfix) with ESMTP id EDBCC100EBB8C;
	Tue, 22 Dec 2020 01:27:13 -0800 (PST)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=216.205.24.124;
 helo=us-smtp-delivery-124.mimecast.com; envelope-from=pabeni@redhat.com;
 receiver=<UNKNOWN> 
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [216.205.24.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
	(No client certificate requested)
	by ml01.01.org (Postfix) with ESMTPS id 60848100EBB7D
	for <mptcp@lists.01.org>; Tue, 22 Dec 2020 01:27:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1608629230;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=AiqXb5kJIqSSAUpf3se0p7GT50Sk/ER60RET7RNG7Qo=;
	b=SU4BzNllfcqGRD136mCE7Ye7svgpuLimYuCvoi5UABRMftaGAnuMAf+4D54TqcgmySbnPa
	qZ3OZihXfIcOMudouHvGP+Nhg7YR5ZRRrhdll5hNfWCac4pHEB2zBmBWf2CC/ymfzcPEOB
	UnfwNE7M25PSq1JjRT+EyCVC+FgMoNI=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-123-EFcy-zUmN4Wb9hlS5YJHVw-1; Tue, 22 Dec 2020 04:27:08 -0500
X-MC-Unique: EFcy-zUmN4Wb9hlS5YJHVw-1
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com
 [10.5.11.15])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 0C330801AC0;
	Tue, 22 Dec 2020 09:27:07 +0000 (UTC)
Received: from gerbillo.redhat.com (ovpn-113-211.ams2.redhat.com
 [10.36.113.211])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 455816B909;
	Tue, 22 Dec 2020 09:27:05 +0000 (UTC)
From: Paolo Abeni <pabeni@redhat.com>
To: mptcp@lists.01.org
Cc: Christoph Paasch <cpaasch@apple.com>
Date: Tue, 22 Dec 2020 10:26:50 +0100
Message-Id: 
 <3a0b48a0fa62632115c30267700936028c898388.1608628900.git.pabeni@redhat.com>
In-Reply-To: <cover.1608628900.git.pabeni@redhat.com>
References: <cover.1608628900.git.pabeni@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=pabeni@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Message-ID-Hash: 4YP6I43L34CPVGTNIFLNGODMDV7LV2TJ
X-Message-ID-Hash: 4YP6I43L34CPVGTNIFLNGODMDV7LV2TJ
X-MailFrom: pabeni@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 suspicious-header
X-Mailman-Version: 3.1.1
Precedence: list
Subject: [MPTCP] [mptcp-net 1/2] mptcp: more strict state checking for acks
List-Id: Discussions regarding MPTCP upstreaming <mptcp.lists.01.org>
Archived-At: 
 <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/message/4YP6I43L34CPVGTNIFLNGODMDV7LV2TJ/>
List-Archive: <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/>
List-Help: <mailto:mptcp-request@lists.01.org?subject=help>
List-Post: <mailto:mptcp@lists.01.org>
List-Subscribe: <mailto:mptcp-join@lists.01.org>
List-Unsubscribe: <mailto:mptcp-leave@lists.01.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Series

mptcp: fix for issue/121 | expand

Commit Message

Paolo Abeni Dec. 22, 2020, 9:26 a.m. UTC

Syzkaller found a way to trigger division by zero
in mptcp_subflow_cleanup_rbuf().

The current checks implemented into tcp_can_send_ack()
are too week, let's be more accurate.

Reported-by: Christoph Paasch <cpaasch@apple.com>
Fixes: ea4ca586b16f ("mptcp: refine MPTCP-level ack scheduling")
Fixes: fd8976790a6c ("mptcp: be careful on MPTCP-level ack.")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
 net/mptcp/protocol.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Mat Martineau Jan. 6, 2021, 12:14 a.m. UTC | #1

On Tue, 22 Dec 2020, Paolo Abeni wrote:

> Syzkaller found a way to trigger division by zero
> in mptcp_subflow_cleanup_rbuf().
>
> The current checks implemented into tcp_can_send_ack()
> are too week, let's be more accurate.
>
> Reported-by: Christoph Paasch <cpaasch@apple.com>
> Fixes: ea4ca586b16f ("mptcp: refine MPTCP-level ack scheduling")
> Fixes: fd8976790a6c ("mptcp: be careful on MPTCP-level ack.")
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> ---
> net/mptcp/protocol.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
> index d3e28f1c2313..7cdee23580bf 100644
> --- a/net/mptcp/protocol.c
> +++ b/net/mptcp/protocol.c
> @@ -427,7 +427,7 @@ static bool mptcp_subflow_active(struct mptcp_subflow_context *subflow)
> static bool tcp_can_send_ack(const struct sock *ssk)
> {
> 	return !((1 << inet_sk_state_load(ssk)) &
> -	       (TCPF_SYN_SENT | TCPF_SYN_RECV | TCPF_TIME_WAIT | TCPF_CLOSE));
> +	       (TCPF_SYN_SENT | TCPF_SYN_RECV | TCPF_TIME_WAIT | TCPF_CLOSE | TCPF_LISTEN));
> }
>
> static void mptcp_send_ack(struct mptcp_sock *msk)
> -- 
> 2.26.2

Looks good to me, thanks Paolo.

Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>

--
Mat Martineau
Intel

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index d3e28f1c2313..7cdee23580bf 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -427,7 +427,7 @@  static bool mptcp_subflow_active(struct mptcp_subflow_context *subflow)
 static bool tcp_can_send_ack(const struct sock *ssk)
 {
 	return !((1 << inet_sk_state_load(ssk)) &
-	       (TCPF_SYN_SENT | TCPF_SYN_RECV | TCPF_TIME_WAIT | TCPF_CLOSE));
+	       (TCPF_SYN_SENT | TCPF_SYN_RECV | TCPF_TIME_WAIT | TCPF_CLOSE | TCPF_LISTEN));
 }
 
 static void mptcp_send_ack(struct mptcp_sock *msk)

[mptcp-net,1/2] mptcp: more strict state checking for acks

Commit Message

Comments

Patch