lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 15 Dec 2020 12:06:57 +0100 From: Eric Dumazet <edumazet@...gle.com> To: Jakub Kicinski <kuba@...nel.org> Cc: Cambda Zhu <cambda@...ux.alibaba.com>, netdev <netdev@...r.kernel.org>, Dust Li <dust.li@...ux.alibaba.com>, Tony Lu <tonylu@...ux.alibaba.com> Subject: Re: [PATCH net-next] net: Limit logical shift left of TCP probe0 timeout On Tue, Dec 15, 2020 at 3:08 AM Jakub Kicinski <kuba@...nel.org> wrote: > > On Sun, 13 Dec 2020 21:59:45 +0800 Cambda Zhu wrote: > > > On Dec 13, 2020, at 06:32, Jakub Kicinski <kuba@...nel.org> wrote: > > > On Tue, 8 Dec 2020 17:19:10 +0800 Cambda Zhu wrote: > > >> For each TCP zero window probe, the icsk_backoff is increased by one and > > >> its max value is tcp_retries2. If tcp_retries2 is greater than 63, the > > >> probe0 timeout shift may exceed its max bits. On x86_64/ARMv8/MIPS, the > > >> shift count would be masked to range 0 to 63. And on ARMv7 the result is > > >> zero. If the shift count is masked, only several probes will be sent > > >> with timeout shorter than TCP_RTO_MAX. But if the timeout is zero, it > > >> needs tcp_retries2 times probes to end this false timeout. Besides, > > >> bitwise shift greater than or equal to the width is an undefined > > >> behavior. > > > > > > If icsk_backoff can reach 64, can it not also reach 256 and wrap? > > > > If tcp_retries2 is set greater than 255, it can be wrapped. But for TCP probe0, > > it seems to be not a serious problem. The timeout will be icsk_rto and backoff > > again. And considering icsk_backoff is 8 bits, not only it may always be lesser > > than tcp_retries2, but also may always be lesser than tcp_orphan_retries. And > > the icsk_probes_out is 8 bits too. So if the max_probes is greater than 255, > > the connection won’t abort even if it’s an orphan sock in some cases. > > > > We can change the type of icsk_backoff/icsk_probes_out to fix these problems. > > But I think maybe the retries greater than 255 have no sense indeed and the RFC > > only requires the timeout(R2) greater than 100s at least. Could it be better to > > limit the min/max ranges of their sysctls? > > All right, I think the patch is good as is, applied for 5.11, thank you! It looks like we can remove the (u64) casts then. Also if we _really_ care about icsk_backoff approaching 63, we also need to change inet_csk_rto_backoff() ? Was your patch based on a real world use, or some fuzzer UBSAN report ? diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h index 7338b3865a2a3d278dc27c0167bba1b966bbda9f..a2a145e3b062c0230935c293fc1900df095937d4 100644 --- a/include/net/inet_connection_sock.h +++ b/include/net/inet_connection_sock.h @@ -242,9 +242,10 @@ static inline unsigned long inet_csk_rto_backoff(const struct inet_connection_sock *icsk, unsigned long max_when) { - u64 when = (u64)icsk->icsk_rto << icsk->icsk_backoff; + u8 backoff = min_t(u8, 32U, icsk->icsk_backoff); + u64 when = (u64)icsk->icsk_rto << backoff; - return (unsigned long)min_t(u64, when, max_when); + return (unsigned long)min_t(u64, when, max_when); } struct sock *inet_csk_accept(struct sock *sk, int flags, int *err, bool kern); diff --git a/include/net/tcp.h b/include/net/tcp.h index 78d13c88720fda50e3f1880ac741cea1985ef3e9..fc6e4d40fd94a717d24ebd8aef7f7930a4551fe9 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1328,9 +1328,8 @@ static inline unsigned long tcp_probe0_when(const struct sock *sk, { u8 backoff = min_t(u8, ilog2(TCP_RTO_MAX / TCP_RTO_MIN) + 1, inet_csk(sk)->icsk_backoff); - u64 when = (u64)tcp_probe0_base(sk) << backoff; - return (unsigned long)min_t(u64, when, max_when); + return min(tcp_probe0_base(sk) << backoff, max_when); } static inline void tcp_check_probe_timer(struct sock *sk)
Powered by blists - more mailing lists