Commit 216c3687 authored Jul 31, 2024 by Paolo Abeni Committed by ZhangPeng Aug 12, 2024

mptcp: fix duplicate data handling

stable inclusion
from stable-v6.6.45
commit bf39cfc0236f2e237b73859719fe600eee7a2067
bugzilla: https://gitee.com/openeuler/kernel/issues/IAJEIR

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=bf39cfc0236f2e237b73859719fe600eee7a2067

--------------------------------

commit 68cc924729ffcfe90d0383177192030a9aeb2ee4 upstream.

When a subflow receives and discards duplicate data, the mptcp
stack assumes that the consumed offset inside the current skb is
zero.

With multiple subflows receiving data simultaneously such assertion
does not held true. As a result the subflow-level copied_seq will
be incorrectly increased and later on the same subflow will observe
a bad mapping, leading to subflow reset.

Address the issue taking into account the skb consumed offset in
mptcp_subflow_discard_data().

Fixes: 04e4cd4f ("mptcp: cleanup mptcp_subflow_discard_data()")
Cc: stable@vger.kernel.org
Link: https://github.com/multipath-tcp/mptcp_net-next/issues/501


Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>

parent b662fd06

net/mptcp/subflow.c

+12 −4

Original line number	Diff line number	Diff line
		@@ -1200,14 +1200,22 @@ static void mptcp_subflow_discard_data(struct sock ssk, struct sk_buff skb,
		{
		struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
		bool fin = TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN;
		u32 incr;
		struct tcp_sock *tp = tcp_sk(ssk);
		u32 offset, incr, avail_len;

		incr = limit >= skb->len ? skb->len + fin : limit;
		offset = tp->copied_seq - TCP_SKB_CB(skb)->seq;
		if (WARN_ON_ONCE(offset > skb->len))
		goto out;

		avail_len = skb->len - offset;
		incr = limit >= avail_len ? avail_len + fin : limit;

		pr_debug("discarding=%d len=%d seq=%d", incr, skb->len,
		subflow->map_subflow_seq);
		pr_debug("discarding=%d len=%d offset=%d seq=%d", incr, skb->len,
		offset, subflow->map_subflow_seq);
		MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DUPDATA);
		tcp_sk(ssk)->copied_seq += incr;

		out:
		if (!before(tcp_sk(ssk)->copied_seq, TCP_SKB_CB(skb)->end_seq))
		sk_eat_skb(ssk, skb);
		if (mptcp_subflow_get_map_offset(subflow) >= subflow->map_data_len)