| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a0a2b87119a06c5ffaa51427a0964a05534fe6f1@linux.dev> Date: Wed, 15 Oct 2025 14:16:31 +0000 From: "Jiayuan Chen" <jiayuan.chen@...ux.dev> To: "Matthieu Baerts" <matttbe@...nel.org> Cc: "Mat Martineau" <martineau@...nel.org>, "Geliang Tang" <geliang@...nel.org>, "David S. Miller" <davem@...emloft.net>, "Eric Dumazet" <edumazet@...gle.com>, "Jakub Kicinski" <kuba@...nel.org>, "Paolo Abeni" <pabeni@...hat.com>, "Simon Horman" <horms@...nel.org>, "Davide Caratti" <dcaratti@...hat.com>, netdev@...r.kernel.org, mptcp@...ts.linux.dev, linux-kernel@...r.kernel.org Subject: Re: [PATCH net-next v1] mptcp: fix incorrect IPv4/IPv6 check October 14, 2025 at 23:27, "Matthieu Baerts" <matttbe@...nel.org mailto:matttbe@...nel.org?to=%22Matthieu%20Baerts%22%20%3Cmatttbe%40kernel.org%3E > wrote: > > Hi Jiayuan, > > Thank you for sharing this patch! > > On 14/10/2025 14:26, Jiayuan Chen wrote: > > > > > When MPTCP falls back to normal TCP, it needs to reset proto_ops. However, > > for sockmap and TLS, they have their own custom proto_ops, so simply > > checking sk->sk_prot is insufficient. > > > > For example, an IPv6 request might incorrectly follow the IPv4 code path, > > leading to kernel panic. > > > Did you experiment issues, or is it a supposition? If yes, do you have > traces containing such panics (or just a WARN()?), and ideally the > userspace code that was leading to this? > Thank you, Matthieu, for your suggestions. I spent some time revisiting the MPTCP logic. Now I need to describe how sockmap/skmsg works to explain its conflict with MPTCP: 1. skmsg works by replacing sk_data_ready, recvmsg, sendmsg operations and implementing fast socket-level forwarding logic 2. Users can obtain file descriptors through userspace socket()/accept() interfaces, then call BPF syscall to perform these replacements. 3. Users can also use the bpf_sock_hash_update helper (in sockops programs) to replace handlers when TCP connections enter ESTABLISHED state (BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB or BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB) For MPTCP to work with sockmap, I believe we need to address the following points (please correct me if I have any conceptual misunderstandings about MPTCP): 1. From client perspective: When a user connects to a server via socket(), the kernel creates one master sk and at least two subflow sk's. Since the master sk doesn't participate in the three-way handshake, in the sockops flow we can only access the subflow sk's. In this case, we need to replace the handlers of mptcp_subflow_ctx(sk)->conn rather than the subflow sk itself. 2. From server perspective: In BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB, the sk is the MP_CAPABLE subflow sk, so similar to the client perspective, we need to replace the handlers of mptcp_subflow_ctx(sk)->conn. If the above description is correct, then my current patch is incorrect. I should focus on handling the sockmap handler replacement flow properly instead. Of course, this would require comprehensive selftests to validate. Returning to the initial issue, the panic occurred on kernel 6.1, but when I tested with the latest upstream test environment, it only triggered a WARN(). I suspect there have been significant changes in MPTCP during this period.
Powered by blists - more mailing lists