| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <14b565a1-0c2a-420d-ab2a-dc8a46dbf33c@kernel.org> Date: Thu, 23 Oct 2025 16:10:01 +0200 From: Matthieu Baerts <matttbe@...nel.org> To: Jiayuan Chen <jiayuan.chen@...ux.dev>, mptcp@...ts.linux.dev Cc: John Fastabend <john.fastabend@...il.com>, Jakub Sitnicki <jakub@...udflare.com>, Eric Dumazet <edumazet@...gle.com>, Kuniyuki Iwashima <kuniyu@...gle.com>, Paolo Abeni <pabeni@...hat.com>, Willem de Bruijn <willemb@...gle.com>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Simon Horman <horms@...nel.org>, Mat Martineau <martineau@...nel.org>, Geliang Tang <geliang@...nel.org>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>, Song Liu <song@...nel.org>, Yonghong Song <yonghong.song@...ux.dev>, KP Singh <kpsingh@...nel.org>, Stanislav Fomichev <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>, Shuah Khan <shuah@...nel.org>, Florian Westphal <fw@...len.de>, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, bpf@...r.kernel.org, linux-kselftest@...r.kernel.org Subject: Re: [PATCH net v3 0/3] mptcp: Fix conflicts between MPTCP and sockmap Hi Jiayuan, Thank you for the v3. Sorry, I didn't have the opportunity to react on the v2. On 23/10/2025 14:54, Jiayuan Chen wrote: > Overall, we encountered a warning [1] that can be triggered by running the > selftest I provided. > > MPTCP creates subflows for data transmission between two endpoints. > However, BPF can use sockops to perform additional operations when TCP > completes the three-way handshake. The issue arose because we used sockmap > in sockops, which replaces sk->sk_prot and some handlers. Do you know at what stage the sk->sk_prot is modified with sockmap? When switching to TCP_ESTABLISHED? Is it before or after having set "tcp_sk(sk)->is_mptcp = 0" (in subflow_ulp_fallback(), coming from subflow_syn_recv_sock() I suppose)? If MPTCP is still being used (sk_is_tcp(sk) && sk_is_mptcp(sk)), I guess sockmap should never touch the in-kernel TCP subflows: they will likely only carry a part of the data. Instead, sockmap should act on the MPTCP sockets, not the in-kernel TCP subflows. There is one particular case to take into consideration: an MPTCP connection can fallback to "plain" TCP before being used by the userspace. Typically, that's when an MPTCP listening socket receives a "plain" TCP request (without MPTCP): a "plain" TCP socket will then be created, and exposed to the userspace. In this case, sk_is_mptcp(sk) will return false. I guess that's the case you are trying to handle, right? (It might help BPF reviewers to mention that in the commit message(s).) I would then say that sk->sk_prot->psock_update_sk_prot should not point to tcp_bpf_update_proto() when MPTCP is being used (or this callback should take the MPTCP case into account, but I guess no). In case of fallback before the accept() stage, the socket can then be used as a "plain" TCP one. I guess when tcp_bpf_update_proto() will be called, sk_prot is pointing to tcp(v6)_prot, not the MPTCP subflow override one, right? > Since subflows > also have their own specialized handlers, this creates a conflict and leads > to traffic failure. Therefore, we need to reject operations targeting > subflows. Would it not work to set sk_prot->psock_update_sk_prot to NULL for the v4 and v6 subflows (in mptcp_subflow_init()) for the moment while sockmap is not supported with MPTCP? This might save you some checks in sock_map.c, no? > This patchset simply prevents the combination of subflows and sockmap > without changing any functionality. In your case, you have an MPTCP listening socket, but you receive a TCP request, right? The "sockmap update" is done when switching to TCP_ESTABLISHED, when !sk_is_mptcp(sk), but that's before mptcp_stream_accept(). That's why sk->sk_prot has been modified, but it is fine to look at sk_family, and return inet(6)_stream_ops, right? A more important question: what will typically happen in your case if you receive an MPTCP request and sockmap is then not supported? Will the connection be rejected or stay in a strange state because the userspace will not expect that? In these cases, would it not be better to disallow sockmap usage while the MPTCP support is not available? The userspace would then get an error from the beginning that the protocol is not supported, and should then not create an MPTCP socket in this case for the moment, no? I can understand that the switch from TCP to MPTCP was probably done globally, and this transition should be as seamless as possible, but it should not cause a regression with MPTCP requests. An alternative could be to force a fallback to TCP when sockmap is used, even when an MPTCP request is received, but not sure if it is practical to do, and might be strange from the user point of view. > A complete integration of MPTCP and sockmap would require more effort, for > example, we would need to retrieve the parent socket from subflows in > sockmap and implement handlers like read_skb. > > If maintainers don't object, we can further improve this in subsequent > work. That would be great to add MPTCP support in sockmap! As mentioned above, this should be done on the MPTCP socket. I guess the TCP "in-kernel" subflows should not be modified. > [1] truncated warning: > [ 18.234652] ------------[ cut here ]------------ > [ 18.234664] WARNING: CPU: 1 PID: 388 at net/mptcp/protocol.c:68 mptcp_stream_accept+0x34c/0x380 > [ 18.234726] Modules linked in: > [ 18.234755] RIP: 0010:mptcp_stream_accept+0x34c/0x380 > [ 18.234762] RSP: 0018:ffffc90000cf3cf8 EFLAGS: 00010202 > [ 18.234800] PKRU: 55555554 > [ 18.234806] Call Trace: > [ 18.234810] <TASK> > [ 18.234837] do_accept+0xeb/0x190 > [ 18.234861] ? __x64_sys_pselect6+0x61/0x80 > [ 18.234898] ? _raw_spin_unlock+0x12/0x30 > [ 18.234915] ? alloc_fd+0x11e/0x190 > [ 18.234925] __sys_accept4+0x8c/0x100 > [ 18.234930] __x64_sys_accept+0x1f/0x30 > [ 18.234933] x64_sys_call+0x202f/0x20f0 > [ 18.234966] do_syscall_64+0x72/0x9a0 > [ 18.234979] ? switch_fpu_return+0x60/0xf0 > [ 18.234993] ? irqentry_exit_to_user_mode+0xdb/0x1e0 > [ 18.235002] ? irqentry_exit+0x3f/0x50 > [ 18.235005] ? clear_bhb_loop+0x50/0xa0 > [ 18.235022] ? clear_bhb_loop+0x50/0xa0 > [ 18.235025] ? clear_bhb_loop+0x50/0xa0 > [ 18.235028] entry_SYSCALL_64_after_hwframe+0x76/0x7e > [ 18.235066] </TASK> > [ 18.235109] ---[ end trace 0000000000000000 ]--- Please next time use the ./scripts/decode_stacktrace.sh if possible. (and strip the timestamps if it is not giving useful info) Just to be sure: is it the warning you get on top of net or net-next? Or an older version? (Always useful to mention the base) > --- > v2: https://lore.kernel.org/bpf/20251020060503.325369-1-jiayuan.chen@linux.dev/T/#t > Some advice suggested by Jakub Sitnicki > > v1: https://lore.kernel.org/mptcp/a0a2b87119a06c5ffaa51427a0964a05534fe6f1@linux.dev/T/#t > Some advice from Matthieu Baerts. (It usually helps reviewers to add more details in the notes/changelog for the individual patch) > Jiayuan Chen (3): > net,mptcp: fix proto fallback detection with BPF sockmap (detail: you can use the "mptcp:" prefix, no need to add "net,") > bpf,sockmap: disallow MPTCP sockets from sockmap > selftests/bpf: Add mptcp test with sockmap > > net/core/sock_map.c | 27 ++++ > net/mptcp/protocol.c | 9 +- > .../testing/selftests/bpf/prog_tests/mptcp.c | 150 ++++++++++++++++++ > .../selftests/bpf/progs/mptcp_sockmap.c | 43 +++++ > 4 files changed, 227 insertions(+), 2 deletions(-) > create mode 100644 tools/testing/selftests/bpf/progs/mptcp_sockmap.c > Cheers, Matt -- Sponsored by the NGI0 Core fund.
Powered by blists - more mailing lists