mirror-linux/net/ipv4
Eric Dumazet 1bbf0ced1d tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction
Blamed commit moved the TIME_WAIT-derived ISN from the skb control
block to a per-CPU variable, assuming the value would always be consumed
by tcp_conn_request() for the same packet that wrote it. That assumption
is violated by multiple drop paths between the producer
(__this_cpu_write(tcp_tw_isn, isn) in tcp_v{4,6}_rcv()) and the consumer
(tcp_conn_request()):

 - min_ttl / min_hopcount check
 - xfrm policy check
 - tcp_inbound_hash() MD5/AO mismatch
 - tcp_filter() eBPF/SO_ATTACH_FILTER drop
 - th->syn && th->fin discard in tcp_rcv_state_process() TCP_LISTEN
 - psp_sk_rx_policy_check() in tcp_v{4,6}_do_rcv()
 - tcp_checksum_complete() in tcp_v{4,6}_do_rcv()
 - tcp_v{4,6}_cookie_check() returning NULL

When a packet is dropped on any of these paths, tcp_tw_isn is left set.

The next SYN processed on the same CPU then consumes the non-zero value in
tcp_conn_request(), receiving a potentially predictable ISN.

This patch moves back tcp_tw_isn to skb->cb[], getting rid of the per-cpu
variable.

Note that tcp_v{4,6}_fill_cb() do not set it.

Very little impact on overall code size/complexity:

$ scripts/bloat-o-meter -t vmlinux.old vmlinux.new
add/remove: 0/0 grow/shrink: 2/1 up/down: 8/-15 (-7)
Function                                     old     new   delta
tcp_v6_rcv                                  3038    3042      +4
tcp_v4_rcv                                  3035    3039      +4
tcp_conn_request                            2938    2923     -15
Total: Before=24436060, After=24436053, chg -0.00%

Fixes: 41eecbd712 ("tcp: replace TCP_SKB_CB(skb)->tcp_tw_isn with a per-cpu field")
Reported-by: Chris Mason <clm@meta.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260519084611.2485277-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-20 19:14:06 -07:00
..
netfilter netfilter: x_tables: close dangling table module init race 2026-05-08 01:30:17 +02:00
Kconfig ipv6: convert CONFIG_IPV6 to built-in only and clean up Kconfigs 2026-03-29 11:21:22 -07:00
Makefile ipv4: Retire UDP-Lite. 2026-03-13 18:57:44 -07:00
af_inet.c tcp: update window_clamp when SO_RCVBUF is set 2026-04-13 15:32:35 +02:00
ah4.c xfrm: ah: account for ESN high bits in async callbacks 2026-04-20 09:28:34 +02:00
arp.c net: remove ax25 and amateur radio (hamradio) subsystem 2026-04-23 10:24:02 -07:00
bpf_tcp_ca.c bpf: Reject TCP_NODELAY in bpf-tcp-cc 2026-04-22 12:58:57 -07:00
cipso_ipv4.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
datagram.c net: Convert proto callbacks from sockaddr to sockaddr_unsized 2025-11-04 19:10:33 -08:00
devinet.c ipv4: validate IPV4_DEVCONF attributes properly 2026-03-14 09:52:30 -07:00
esp4.c xfrm: esp: avoid in-place decrypt on shared skb frags 2026-05-05 06:38:30 +02:00
esp4_offload.c xfrm: Fix inner mode lookup in tunnel mode GSO segmentation 2025-12-04 09:54:53 +01:00
fib_frontend.c ipv4: Convert ->flowi4_tos to dscp_t. 2025-08-26 17:34:31 -07:00
fib_lookup.h ipv4: fib: Annotate access to struct fib_alias.fa_state. 2026-01-28 19:33:07 -08:00
fib_notifier.c
fib_rules.c ipv4: Convert ->flowi4_tos to dscp_t. 2025-08-26 17:34:31 -07:00
fib_semantics.c ipv4: drop ipv6_stub usage and use direct function calls 2026-03-29 11:21:23 -07:00
fib_trie.c ipv4: fib: Annotate access to struct fib_alias.fa_state. 2026-01-28 19:33:07 -08:00
fou_bpf.c
fou_core.c fou: Remove IPPROTO_UDPLITE check in gue_err() and gue6_err(). 2026-03-17 16:10:59 -07:00
fou_nl.c fou: Don't allow 0 for FOU_ATTR_IPPROTO. 2026-01-17 16:00:24 -08:00
fou_nl.h tools: ynl-gen: add regeneration comment 2025-11-25 19:20:42 -08:00
gre_demux.c gre: Count GRE packet drops 2026-04-12 12:33:33 -07:00
gre_offload.c
icmp.c ipv4: icmp: reject broadcast/multicast routes 2026-05-20 19:00:02 -07:00
igmp.c ipv4: igmp: annotate data-races in igmp_heard_query() 2026-05-01 17:11:42 -07:00
igmp_internal.h netlink: support dumping IPv4 multicast addresses 2025-02-11 11:26:53 +01:00
inet_connection_sock.c tcp: Fix imbalanced icsk_accept_queue count. 2026-05-08 14:54:51 -07:00
inet_diag.c inet_diag: report delayed ack timer information 2026-03-06 16:32:26 -08:00
inet_fragment.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
inet_hashtables.c net: remove EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() macros 2026-03-29 11:21:22 -07:00
inet_timewait_sock.c inet: Avoid ehash lookup race in inet_twsk_hashdance_schedule() 2025-10-17 16:08:43 -07:00
inetpeer.c inetpeer: add a missing read_seqretry() in inet_getpeer() 2026-05-06 17:44:13 -07:00
ip_forward.c
ip_fragment.c inet: frags: flush pending skbs in fqdir_pre_exit() 2025-12-10 01:15:27 -08:00
ip_gre.c gre: Count GRE packet drops 2026-04-12 12:33:33 -07:00
ip_input.c tcp: move tcp_v4_early_demux() to net/ipv4/ip_input.c 2026-03-09 18:50:24 -07:00
ip_options.c net: Switch to skb_dstref_steal/skb_dstref_restore for ip_route_input callers 2025-08-19 17:54:35 -07:00
ip_output.c xfrm: esp: avoid in-place decrypt on shared skb frags 2026-05-05 06:38:30 +02:00
ip_sockglue.c net: remove addr_len argument of recvmsg() handlers 2026-03-02 18:17:17 -08:00
ip_tunnel.c ipv4: ip_tunnel: spread netdev_lockdep_set_classes() 2026-01-08 18:02:35 -08:00
ip_tunnel_core.c net: Add net_cookie to Dead loop messages 2026-04-12 09:05:02 -07:00
ip_vti.c ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu] 2025-07-02 14:32:30 -07:00
ipcomp.c xfrm: delete x->tunnel as we delete x 2025-07-08 13:28:27 +02:00
ipconfig.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ipip.c netfilter: flowtable: Add IPIP rx sw acceleration 2025-11-28 00:00:38 +00:00
ipmr.c ipmr: Call ipmr_fib_lookup() under RCU. 2026-05-07 08:38:37 -07:00
ipmr_base.c ipmr: Free mr_table after RCU grace period. 2026-04-27 18:46:17 -07:00
metrics.c net: remove EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() macros 2026-03-29 11:21:22 -07:00
netfilter.c net: Add SPDX ids to some source files 2026-03-09 18:32:45 -07:00
netlink.c
nexthop.c nexthop: fix IPv6 route referencing IPv4 nexthop 2026-04-16 13:48:30 +02:00
ping.c Networking changes for 7.1. 2026-04-14 18:36:10 -07:00
proc.c udp: Remove UDP-Lite SNMP stats. 2026-03-13 18:57:44 -07:00
protocol.c
raw.c ipv4: raw: reject IP_HDRINCL packets with ihl < 5 2026-05-15 15:55:02 -07:00
raw_diag.c inet_diag: change inet_diag_bc_sk() first argument 2025-08-29 19:29:24 -07:00
route.c ipv4: use WARN_ON_ONCE() in ip_rt_bug() 2026-05-20 19:00:36 -07:00
syncookies.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-04-14 12:04:00 -07:00
sysctl_net_ipv4.c inet: add ip_local_port_step_width sysctl to improve port usage distribution 2026-03-10 18:59:39 -07:00
tcp.c tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction 2026-05-20 19:14:06 -07:00
tcp_ao.c tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key(). 2026-05-11 17:50:15 -07:00
tcp_bbr.c tcp: annotate data-races around tp->snd_ssthresh 2026-04-18 11:10:12 -07:00
tcp_bic.c tcp: annotate data-races around tp->snd_ssthresh 2026-04-18 11:10:12 -07:00
tcp_bpf.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-03-05 12:11:05 -08:00
tcp_cdg.c tcp: annotate data-races around tp->snd_ssthresh 2026-04-18 11:10:12 -07:00
tcp_cong.c tcp: ECT_1_NEGOTIATION and NEEDS_ACCECN identifiers 2026-02-03 15:13:24 +01:00
tcp_cubic.c tcp: annotate data-races around tp->snd_ssthresh 2026-04-18 11:10:12 -07:00
tcp_dctcp.c tcp: annotate data-races around tp->snd_ssthresh 2026-04-18 11:10:12 -07:00
tcp_dctcp.h net: Add SPDX ids to some source files 2026-03-09 18:32:45 -07:00
tcp_diag.c inet_diag: report delayed ack timer information 2026-03-06 16:32:26 -08:00
tcp_fastopen.c net: remove EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() macros 2026-03-29 11:21:22 -07:00
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c
tcp_input.c tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction 2026-05-20 19:14:06 -07:00
tcp_ipv4.c tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction 2026-05-20 19:14:06 -07:00
tcp_lp.c net: tcp_lp: fix kernel-doc warnings and update outdated reference links 2025-10-28 17:52:44 -07:00
tcp_metrics.c tcp: annotate data-races around tp->snd_ssthresh 2026-04-18 11:10:12 -07:00
tcp_minisocks.c tcp: tcp_child_process() related UAF 2026-05-06 18:11:33 -07:00
tcp_nv.c tcp: annotate data-races around tp->snd_ssthresh 2026-04-18 11:10:12 -07:00
tcp_offload.c gro: flushing when CWR is set negatively affects AccECN 2026-02-03 15:13:24 +01:00
tcp_output.c tcp: annotate data-races around tp->bytes_retrans 2026-04-18 11:10:13 -07:00
tcp_plb.c tcp: annotate data-races around tp->plb_rehash 2026-04-18 11:10:14 -07:00
tcp_recovery.c tcp: move tcp_rack_advance() to tcp_input.c 2026-01-28 19:31:51 -08:00
tcp_scalable.c
tcp_sigpool.c compiler-context-analysis: Change __cond_acquires to take return value 2026-01-05 16:43:29 +01:00
tcp_timer.c tcp: make probe0 timer handle expired user timeout 2026-04-27 19:16:07 -07:00
tcp_ulp.c
tcp_vegas.c tcp: annotate data-races around tp->snd_ssthresh 2026-04-18 11:10:12 -07:00
tcp_vegas.h tcp: add cwnd_event_tx_start to tcp_congestion_ops 2026-03-24 21:00:38 -07:00
tcp_veno.c tcp: add cwnd_event_tx_start to tcp_congestion_ops 2026-03-24 21:00:38 -07:00
tcp_westwood.c tcp: annotate data-races around tp->snd_ssthresh 2026-04-18 11:10:12 -07:00
tcp_yeah.c tcp: annotate data-races around tp->snd_ssthresh 2026-04-18 11:10:12 -07:00
tunnel4.c
udp.c Networking changes for 7.1. 2026-04-14 18:36:10 -07:00
udp_bpf.c ipv4: Retire UDP-Lite. 2026-03-13 18:57:44 -07:00
udp_diag.c udp: Don't pass udptable to IPv4 socket lookup functions. 2026-03-13 18:57:46 -07:00
udp_offload.c udp: Fix UDP length on last GSO_PARTIAL segment 2026-05-20 15:03:47 -07:00
udp_tunnel_core.c net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
udp_tunnel_nic.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
udp_tunnel_stub.c
xfrm4_input.c xfrm: hold dev ref until after transport_finish NF_HOOK 2026-04-07 10:12:40 +02:00
xfrm4_output.c ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu] 2025-07-02 14:32:30 -07:00
xfrm4_policy.c ipv4: Convert ->flowi4_tos to dscp_t. 2025-08-26 17:34:31 -07:00
xfrm4_protocol.c
xfrm4_state.c
xfrm4_tunnel.c