Date:   Fri, 17 Jun 2022 18:05:06 +0800
From:   menglong8.dong@...il.com
To:     edumazet@...gle.com
Cc:     rostedt@...dmis.org, mingo@...hat.com, davem@...emloft.net,
        yoshfuji@...ux-ipv6.org, dsahern@...nel.org, kuba@...nel.org,
        pabeni@...hat.com, imagedong@...cent.com, kafai@...com,
        talalahmad@...gle.com, keescook@...omium.org,
        dongli.zhang@...cle.com, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org
Subject: [PATCH net-next v4 0/8] net: tcp: add skb drop reasons to tcp state change

From: Menglong Dong <imagedong@...cent.com>

In this patch series, skb drop reasons are added to the code path of TCP
state change, which we have not done before. It is hard to pass these
reasons from the function to its caller, where the skb is dropped. In
order to do this, we have to make some functions return skb drop reasons,
or pass the pointer of 'reason' to these functions as a new function
argument.

=============================
In order to get skb drop reasons during the TCP connect requesting code
path, we have to pass the pointer of the 'reason' as a new function
argument of conn_request() in 'struct inet_connection_sock_af_ops'. As the
return value of conn_request() can be positive or negative or 0, it's not
flexible to make it return drop reasons. This work is done in the 7th
patch, and the functions that are used as conn_request() are also modified:

  dccp_v4_conn_request()
  dccp_v6_conn_request()
  tcp_v4_conn_request()
  tcp_v6_conn_request()
  subflow_v4_conn_request()
  subflow_v6_conn_request()

As our target is TCP, dccp and mptcp are not handled further.

=============================
In the 6th patch, skb drop reasons are added to
tcp_timewait_state_process() by adding a function argument to it. In the
original code, all skbs are dropped for the tw socket. In order to make
less noise, use consume_skb() for the 'good' skb. This can be checked by
the caller of tcp_timewait_state_process() from the value of the drop
reason. If the drop reason is SKB_NOT_DROPPED_YET, it means this skb should
not be dropped.

=============================
In the 7th patch, skb drop reasons are added to the route_req() in struct
tcp_request_sock_ops. The following functions are involved:

  tcp_v4_route_req()
  tcp_v6_route_req()
  subflow_v4_route_req()
  subflow_v6_route_req()

In this patch series, the following new drop reasons are added:

- SOCKET_DESTROYED
- LISTENOVERFLOWS
- TCP_REQQFULLDROP
- TIMEWAIT
- LSM

Changes since v3:
- Eric says what I did to tcp_rcv_state_process() is too invasive, so I
  removed that part (for now).
- As Eric suggested, make kfree_skb_reason(skb, SKB_NOT_DROPPED) the same
  as consume_skb(skb), which makes the code simpler. This is used in
  the 5th and 6th patches.

Changes since v2:
- move drop reasons to standalone header in another series

Changes since v1:
6/9 - fix the compile errors of dccp and mptcp (kernel test robot)
7/9 - skb is not freed on TCP_TW_ACK and 'ret' is not initialized, fix
      it (Eric Dumazet)

Menglong Dong (8):
  net: skb: use SKB_NOT_DROPPED in kfree_skb_reason() as consume_skb()
  net: skb: introduce __skb_queue_purge_reason()
  net: sock: introduce sk_stream_kill_queues_reason()
  net: inet: add skb drop reason to inet_csk_destroy_sock()
  net: tcp: add skb drop reasons to tcp connect requesting
  net: tcp: add skb drop reasons to tcp tw code path
  net: tcp: add skb drop reasons to route_req()
  net: tcp: use LINUX_MIB_TCPABORTONLINGER in tcp_rcv_state_process()

 include/linux/skbuff.h             | 12 ++++++++---
 include/net/dropreason.h           | 23 +++++++++++++++++++++
 include/net/inet_connection_sock.h |  3 ++-
 include/net/sock.h                 |  8 +++++++-
 include/net/tcp.h                  | 19 +++++++++--------
 net/core/skbuff.c                  | 11 ++++++++--
 net/core/stream.c                  |  7 ++++---
 net/dccp/dccp.h                    |  3 ++-
 net/dccp/input.c                   |  3 ++-
 net/dccp/ipv4.c                    |  3 ++-
 net/dccp/ipv6.c                    |  5 +++--
 net/ipv4/inet_connection_sock.c    |  2 +-
 net/ipv4/tcp_input.c               | 26 ++++++++++++++---------
 net/ipv4/tcp_ipv4.c                | 31 ++++++++++++++++++++--------
 net/ipv4/tcp_minisocks.c           | 23 +++++++++++++++++----
 net/ipv6/tcp_ipv6.c                | 33 ++++++++++++++++++++++--------
 net/mptcp/subflow.c                | 18 +++++++++-------
 17 files changed, 168 insertions(+), 62 deletions(-)

-- 
2.36.1
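
The out-parameter pattern described in the cover letter, shown as an added
user-space example; it is not part of the original post or of the kernel
patches. SKB_NOT_DROPPED_YET and the reason names are taken from the letter;
the MODEL_ prefix, the enum values, the struct fields and the 0/-1 return
convention are assumptions made for illustration.

```c
#include <stdio.h>

/* User-space model, not kernel code. SKB_NOT_DROPPED_YET and the reason names
 * come from the cover letter; MODEL_ prefix, values and fields are assumed. */
enum model_reason {
    SKB_NOT_DROPPED_YET = 0, MODEL_LISTENOVERFLOWS, MODEL_TCP_REQQFULLDROP,
    MODEL_LSM, MODEL_REASON_MAX
};

/* Queue lengths/limits and the security hook verdict of a listening socket. */
struct model_listener { int accept_len, accept_max, reqq_len, reqq_max, lsm_denies; };

static int consumed, dropped[MODEL_REASON_MAX];

/* Freeing with SKB_NOT_DROPPED_YET counts as a consume, anything else a drop. */
static void model_free_skb(enum model_reason reason) {
    if (reason == SKB_NOT_DROPPED_YET)
        consumed++;
    else
        dropped[reason]++;
}

/* The return value keeps its own meaning (assumed: 0 handled, -1 reject),
 * so the drop reason travels through the out-parameter. */
static int model_conn_request(const struct model_listener *l, enum model_reason *reason) {
    *reason = SKB_NOT_DROPPED_YET;
    if (l->lsm_denies)
        *reason = MODEL_LSM;
    else if (l->accept_len >= l->accept_max)
        *reason = MODEL_LISTENOVERFLOWS;
    else if (l->reqq_len >= l->reqq_max)
        *reason = MODEL_TCP_REQQFULLDROP;
    return l->lsm_denies ? -1 : 0;
}

/* Caller: a single free call; the reason decides drop versus consume. */
static int model_rcv_syn(const struct model_listener *l) {
    enum model_reason reason;
    int ret = model_conn_request(l, &reason);
    model_free_skb(reason);
    return ret;
}

int main(void) {
    struct model_listener ok = {0, 8, 0, 8, 0}, full = {8, 8, 0, 8, 0};
    model_rcv_syn(&ok);
    model_rcv_syn(&full);
    printf("consumed=%d listenoverflows=%d\n", consumed, dropped[MODEL_LISTENOVERFLOWS]);
    return 0;
}
```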
