Date: Wed, 29 Nov 2023 22:12:13 +0000
Subject: Re: [PATCH v4 6/7] net/tcp: Store SNEs + SEQs on ao_info
To: Eric Dumazet
Cc: David Ahern, Paolo Abeni, Jakub Kicinski, "David S. Miller", linux-kernel@vger.kernel.org, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org
References: <20231129165721.337302-1-dima@arista.com> <20231129165721.337302-7-dima@arista.com> <137ab4f7-80af-4e00-a5bb-b1d4f4c75a67@arista.com>
From: Dmitry Safonov

On 11/29/23 21:01, Eric Dumazet wrote:
> On Wed, Nov 29, 2023 at 8:58 PM Dmitry Safonov wrote:
>> On 11/29/23 18:34, Eric Dumazet wrote:
[..]
>>> You have not commented on where these are read without the socket lock held ?
>>
>> Sorry for missing this, the SNEs are used with this helper
>> tcp_ao_compute_sne(), so these places are (in square brackets AFAICS,
>> there is a chance that I miss something obvious from your message):
>>
>> - tcp_v4_send_reset() => tcp_ao_prepare_reset() [rcu_read_lock()]
>> - __tcp_transmit_skb() => tcp_ao_transmit_skb() [TX softirq]
>> - tcp_v4_rcv() => tcp_inbound_ao_hash() [RX softirq]
>
> All these should/must have the socket lock held !
>
> Or reading tcp_sk(sk)->rcv_nxt would be racy anyway (note the lack of
> READ_ONCE() on it)

For fairness, post this patch rcv_next is not read anymore (SNEs are
updated in parallel).

> I think you need more work to make sure this is done correctly.

Sure.

> ie tcp_inbound_hash() should be called from tcp_v4_do_rcv() after the
> bh_lock_sock_nested() and sock_owned_by_user() checks.

But then my concern would be that any incoming segment will cause
contention for the time of signature verification. That potentially may
create DoS.

If this patch is ugly enough to be not acceptable, would
bh_lock_sock_nested() around reading SNEs + rcv_nxt/snd_una sound
better?

Let me add some information that is lacking in the patch message, but
may be critical to avoid misunderstanding:

Note that the code doesn't need precise SEQ numbers, but it needs a
consistent SNE+SEQ pair to detect the moment of SEQ number rolling over.
So, that tcp_ao_compute_sne() will be able to use decremented SNE for
a delayed/retransmitted segment and to use incremented SNE for a new
segment post-rollover. So, technically, it just needs a correct SNE.
Which is computed based on what was "cached" SEQ for that "cached" SNE
and what is the SEQ from the skb. As tcp window size is smaller than
2 GB, the valid segment to be verified or signed won't be far away from
this consistent number, that is to be used by tcp_ao_compute_sne().

Technically, if the SNE+SEQ "cached" pair is inconsistent (which is
unlikely but may happen _prior_ to this patch): i.e. SNE from
pre-rollover and SEQ is post-rollover, tcp_ao_compute_sne() will
incorrectly increment/decrement the SNE that is used for
signing/verification of the TCP segment. As a result the segment will
fail verification and will be retransmitted again.

As it's an unlikely race that may happen on SEQ rollover (once in 4GB)
and TCP-AO connection won't break, but survives after the
retransmission, I don't think it was noticed on testing.

Thanks,
Dmitry
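
Added example, not part of the original mail and not the kernel's own code: a stand-alone C sketch of the SNE selection described above, run on a consistent cached SNE+SEQ pair and on a torn one (SNE from before the rollover, SEQ from after it). The names `compute_sne()` and `seq_before()` and all sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Wrap-safe "a is before b" comparison on 32-bit sequence numbers. */
static int seq_before(uint32_t a, uint32_t b)
{
	return (int32_t)(a - b) < 0;
}

/*
 * Choose the SNE (upper 32 bits of the extended sequence number) for a
 * segment with sequence number seq, from a cached (sne, seq) pair.
 * The result is only right if the pair was sampled as one snapshot.
 */
static uint32_t compute_sne(uint32_t cached_sne, uint32_t cached_seq, uint32_t seq)
{
	uint32_t sne = cached_sne;

	if (seq_before(seq, cached_seq)) {
		if (seq > cached_seq)	/* older, yet numerically larger: pre-rollover */
			sne--;
	} else {
		if (seq < cached_seq)	/* newer, yet numerically smaller: post-rollover */
			sne++;
	}
	return sne;
}

/* Consistent pair (5, 0x100): a delayed segment at 0xfffffff0 belongs to SNE 4. */
static uint32_t sne_delayed_segment(void) { return compute_sne(5, 0x00000100u, 0xfffffff0u); }

/* Consistent pair (4, 0xfffffff0): a new segment at 0x100 belongs to SNE 5. */
static uint32_t sne_new_segment(void) { return compute_sne(4, 0xfffffff0u, 0x00000100u); }

/* Torn pair: SNE 4 read before the rollover, SEQ 0x100 read after it.
 * The same delayed segment now gets SNE 3, so its MAC would not verify. */
static uint32_t sne_torn_pair(void) { return compute_sne(4, 0x00000100u, 0xfffffff0u); }

int main(void)
{
	printf("delayed segment, consistent pair: SNE %u\n", (unsigned)sne_delayed_segment());
	printf("new segment, consistent pair:     SNE %u\n", (unsigned)sne_new_segment());
	printf("delayed segment, torn pair:       SNE %u\n", (unsigned)sne_torn_pair());
	return 0;
}
```

With the torn pair, an in-window segment after the rollover (for example 0x200) is also mislabelled: it gets SNE 4 where 5 is correct, which matches the verification failure and retransmission the mail describes.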