Skip to content

Commit

Permalink
mptcp: fix duplicate data handling
Browse files Browse the repository at this point in the history
Source: Kernel.org
MR: 160524
Type: Integration
Disposition: Backport from git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable linux-5.10.y
ChangeID: e93fa44f07149843b39f1ea63d72ec1253783df6
Description:

commit 68cc924 upstream.

When a subflow receives and discards duplicate data, the mptcp
stack assumes that the consumed offset inside the current skb is
zero.

With multiple subflows receiving data simultaneously such assertion
does not held true. As a result the subflow-level copied_seq will
be incorrectly increased and later on the same subflow will observe
a bad mapping, leading to subflow reset.

Address the issue taking into account the skb consumed offset in
mptcp_subflow_discard_data().

Fixes: 04e4cd4 ("mptcp: cleanup mptcp_subflow_discard_data()")
Cc: [email protected]
Link: multipath-tcp/mptcp_net-next#501
Signed-off-by: Paolo Abeni <[email protected]>
Reviewed-by: Mat Martineau <[email protected]>
Signed-off-by: Matthieu Baerts (NGI0) <[email protected]>
Signed-off-by: Paolo Abeni <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
  • Loading branch information
Paolo Abeni authored and mvakuster committed Aug 20, 2024
1 parent 43f6270 commit c3c90f6
Showing 1 changed file with 12 additions and 4 deletions.
16 changes: 12 additions & 4 deletions net/mptcp/subflow.c
Original file line number Diff line number Diff line change
Expand Up @@ -863,14 +863,22 @@ static void mptcp_subflow_discard_data(struct sock *ssk, struct sk_buff *skb,
{
struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
bool fin = TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN;
u32 incr;
struct tcp_sock *tp = tcp_sk(ssk);
u32 offset, incr, avail_len;

incr = limit >= skb->len ? skb->len + fin : limit;
offset = tp->copied_seq - TCP_SKB_CB(skb)->seq;
if (WARN_ON_ONCE(offset > skb->len))
goto out;

avail_len = skb->len - offset;
incr = limit >= avail_len ? avail_len + fin : limit;

pr_debug("discarding=%d len=%d seq=%d", incr, skb->len,
subflow->map_subflow_seq);
pr_debug("discarding=%d len=%d offset=%d seq=%d", incr, skb->len,
offset, subflow->map_subflow_seq);
MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DUPDATA);
tcp_sk(ssk)->copied_seq += incr;

out:
if (!before(tcp_sk(ssk)->copied_seq, TCP_SKB_CB(skb)->end_seq))
sk_eat_skb(ssk, skb);
if (mptcp_subflow_get_map_offset(subflow) >= subflow->map_data_len)
Expand Down

0 comments on commit c3c90f6

Please sign in to comment.