android_kernel_oneplus_msm8998/net/ipv4
Eric Dumazet 87d96d1ba2 tcp: better validation of received ack sequences
[ Upstream commit d0e1a1b5a833b625c93d3d49847609350ebd79db ]

Paul Fiterau Brostean reported :

<quote>
Linux TCP stack we analyze exhibits behavior that seems odd to me.
The scenario is as follows (all packets have empty payloads, no window
scaling, rcv/snd window size should not be a factor):

       TEST HARNESS (CLIENT)                        LINUX SERVER

   1.  -                                          LISTEN (server listen,
then accepts)

   2.  - --> <SEQ=100><CTL=SYN>               --> SYN-RECEIVED

   3.  - <-- <SEQ=300><ACK=101><CTL=SYN,ACK>  <-- SYN-RECEIVED

   4.  - --> <SEQ=101><ACK=301><CTL=ACK>      --> ESTABLISHED

   5.  - <-- <SEQ=301><ACK=101><CTL=FIN,ACK>  <-- FIN WAIT-1 (server
opts to close the data connection calling "close" on the connection
socket)

   6.  - --> <SEQ=101><ACK=99999><CTL=FIN,ACK> --> CLOSING (client sends
FIN,ACK with not yet sent acknowledgement number)

   7.  - <-- <SEQ=302><ACK=102><CTL=ACK>      <-- CLOSING (ACK is 102
instead of 101, why?)

... (silence from CLIENT)

   8.  - <-- <SEQ=301><ACK=102><CTL=FIN,ACK>  <-- CLOSING
(retransmission, again ACK is 102)

Now, note that packet 6 while having the expected sequence number,
acknowledges something that wasn't sent by the server. So I would
expect
the packet to maybe prompt an ACK response from the server, and then be
ignored. Yet it is not ignored and actually leads to an increase of the
acknowledgement number in the server's retransmission of the FIN,ACK
packet. The explanation I found is that the FIN  in packet 6 was
processed, despite the acknowledgement number being unacceptable.
Further experiments indeed show that the server processes this FIN,
transitioning to CLOSING, then on receiving an ACK for the FIN it had
send in packet 5, the server (or better said connection) transitions
from CLOSING to TIME_WAIT (as signaled by netstat).

</quote>

Indeed, tcp_rcv_state_process() calls tcp_ack() but
does not exploit the @acceptable status but for TCP_SYN_RECV
state.

What we want here is to send a challenge ACK, if not in TCP_SYN_RECV
state. TCP_FIN_WAIT1 state is not the only state we should fix.

Add a FLAG_NO_CHALLENGE_ACK so that tcp_rcv_state_process()
can choose to send a challenge ACK and discard the packet instead
of wrongly change socket state.

With help from Neal Cardwell.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Paul Fiterau Brostean <p.fiterau-brostean@science.ru.nl>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-04-13 19:50:11 +02:00
..
netfilter netfilter: nf_nat_h323: fix logical-not-parentheses warning 2018-04-08 11:51:57 +02:00
af_inet.c net: ping: do not abuse udp_poll() 2017-06-14 13:16:19 +02:00
ah4.c IPsec: do not ignore crypto err in ah4 input 2017-11-15 17:13:10 +01:00
arp.c arp: honour gratuitous ARP _replies_ 2018-04-13 19:50:07 +02:00
cipso_ipv4.c tcp/dccp: fix ireq->opt races 2017-11-18 11:11:06 +01:00
datagram.c net: Set sk_txhash from a random number 2015-07-29 22:44:04 -07:00
devinet.c ipv4: igmp: guard against silly MTU values 2018-01-02 20:33:24 +01:00
esp4.c esp4: Fix integrity verification when ESN are used 2016-12-10 19:07:26 +01:00
fib_frontend.c ipv4: Fix use-after-free when flushing FIB tables 2018-01-02 20:33:26 +01:00
fib_lookup.h ipv4: consider TOS in fib_select_default 2015-07-24 22:46:11 -07:00
fib_rules.c net: ipv6: use common fib_default_rule_pref 2015-09-09 14:19:50 -07:00
fib_semantics.c fib_semantics: Don't match route with mismatching tclassid 2018-03-11 16:19:45 +01:00
fib_trie.c net: Improve handling of failures on link and route dumps 2017-06-07 12:05:58 +02:00
fou.c net: add recursion limit to GRO 2016-11-15 07:46:38 +01:00
gre_demux.c gre: Remove support for sharing GRE protocol hook. 2015-08-10 14:03:54 -07:00
gre_offload.c net: add recursion limit to GRO 2016-11-15 07:46:38 +01:00
icmp.c Revert "ipv4/icmp: redirect messages can use the ingress daddr as source" 2015-10-14 06:01:07 -07:00
igmp.c net: igmp: add a missing rcu locking section 2018-02-16 20:09:37 +01:00
inet_connection_sock.c tcp/dccp: fix other lockdep splats accessing ireq_opt 2017-11-18 11:11:07 +01:00
inet_diag.c tcp/dccp: install syn_recv requests into ehash table 2015-10-03 04:32:41 -07:00
inet_fragment.c net: Fix hlist corruptions in inet_evict_bucket() 2018-03-31 18:12:33 +02:00
inet_hashtables.c tcp/dccp: fix hashdance race for passive sessions 2015-10-23 05:42:21 -07:00
inet_lro.c
inet_timewait_sock.c tcp/dccp: fix timewait races in timer handling 2015-09-21 16:32:29 -07:00
inetpeer.c net: Add helper function to compare inetpeer addresses 2015-08-28 13:32:36 -07:00
ip_forward.c net: Pass net into dst_output and remove dst_output_okfn 2015-10-08 04:26:54 -07:00
ip_fragment.c inet: frag: release spinlock before calling icmp_send() 2017-12-25 14:22:11 +01:00
ip_gre.c vxlan, gre, geneve: Set a large MTU on ovs-created tunnel devices 2016-06-24 10:18:18 -07:00
ip_input.c ipv4: Pass struct net into ip_defrag and ip_check_defrag 2015-10-12 19:44:16 -07:00
ip_options.c ipv4: coding style: comparison for inequality with NULL 2015-04-03 12:11:15 -04:00
ip_output.c net: account for current skb length when deciding about UFO 2017-08-12 19:29:09 -07:00
ip_sockglue.c net: Only honor ifindex in IP_PKTINFO if non-0 2018-03-31 18:12:33 +02:00
ip_tunnel.c ip_tunnel: fix preempt warning in ip tunnel creation/updating 2018-02-28 10:17:22 +01:00
ip_tunnel_core.c tunnels: Remove encapsulation offloads on decap. 2016-10-31 04:13:59 -06:00
ip_vti.c vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit 2017-10-21 17:09:02 +02:00
ipcomp.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
ipconfig.c ipv4: ipconfig: avoid unused ic_proto_used symbol 2018-02-25 11:03:47 +01:00
ipip.c ipip: only increase err_count for some certain type icmp in ipip_err 2017-11-18 11:11:06 +01:00
ipmr.c ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route 2016-11-15 07:46:37 +01:00
Kconfig ip_tunnel: replace dst_cache with generic implementation 2018-02-28 10:17:21 +01:00
Makefile tcp: track the packet timings in RACK 2015-10-21 07:00:48 -07:00
netfilter.c netfilter: use skb_to_full_sk in ip_route_me_harder 2018-03-18 11:17:51 +01:00
ping.c ping: implement proper locking 2017-04-30 05:49:29 +02:00
proc.c net: track success and failure of TCP PMTU probing 2015-07-21 22:36:33 -07:00
protocol.c net: Export inet_offloads and inet6_offloads 2014-09-19 17:15:31 -04:00
raw.c net: ipv4: fix for a race condition in raw_sendmsg 2018-01-02 20:33:25 +01:00
route.c net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68 2018-03-11 16:19:46 +01:00
syncookies.c tcp/dccp: fix ireq->opt races 2017-11-18 11:11:06 +01:00
sysctl_net_ipv4.c ipv4: use the right lock for ping_group_range 2016-11-15 07:46:38 +01:00
tcp.c tcp: release sk_frag.page in tcp_disconnect 2018-02-16 20:09:38 +01:00
tcp_bic.c tcp: add tcp_in_slow_start helper 2015-07-09 14:22:52 -07:00
tcp_cdg.c tcp: do not slow start when cwnd equals ssthresh 2015-07-09 14:22:52 -07:00
tcp_cong.c tcp: disallow cwnd undo when switching congestion control 2017-06-14 13:16:19 +02:00
tcp_cubic.c tcp_cubic: do not set epoch_start in the future 2015-09-17 22:35:07 -07:00
tcp_dctcp.c dctcp: avoid bogus doubling of cwnd after loss 2016-11-21 10:06:39 +01:00
tcp_diag.c tcp: ensure proper barriers in lockless contexts 2015-11-15 18:36:38 -05:00
tcp_fastopen.c tcp: initialize max window for a new fastopen socket 2017-02-04 09:45:09 +01:00
tcp_highspeed.c tcp: add tcp_in_slow_start helper 2015-07-09 14:22:52 -07:00
tcp_htcp.c tcp: add tcp_in_slow_start helper 2015-07-09 14:22:52 -07:00
tcp_hybla.c tcp: do not slow start when cwnd equals ssthresh 2015-07-09 14:22:52 -07:00
tcp_illinois.c tcp: add tcp_in_slow_start helper 2015-07-09 14:22:52 -07:00
tcp_input.c tcp: better validation of received ack sequences 2018-04-13 19:50:11 +02:00
tcp_ipv4.c tcp md5sig: Use skb's saddr when replying to an incoming segment 2018-01-02 20:33:25 +01:00
tcp_lp.c tcp: fix wraparound issue in tcp_lp 2017-05-14 13:32:58 +02:00
tcp_memcontrol.c memcg: cleanup static keys decrement 2015-02-12 18:54:10 -08:00
tcp_metrics.c tcp: convert cached rtt from usec to jiffies when feeding initial rto 2016-04-20 15:41:56 +09:00
tcp_minisocks.c tcp: do not inherit fastopen_req from parent 2017-05-14 13:32:58 +02:00
tcp_offload.c tcp: reserve tcp_skb_mss() to tcp stack 2015-06-11 16:33:10 -07:00
tcp_output.c tcp: do not mangle skb->cb[] in tcp_make_synack() 2017-11-24 08:32:23 +01:00
tcp_probe.c
tcp_recovery.c tcp: use RACK to detect losses 2015-10-21 07:00:53 -07:00
tcp_scalable.c tcp: add tcp_in_slow_start helper 2015-07-09 14:22:52 -07:00
tcp_timer.c net: tcp: close sock if net namespace is exiting 2018-01-31 12:06:14 +01:00
tcp_vegas.c tcp: fix under-evaluated ssthresh in TCP Vegas 2017-12-25 14:22:15 +01:00
tcp_vegas.h tcp: prepare CC get_info() access from getsockopt() 2015-04-29 17:10:38 -04:00
tcp_veno.c tcp: add tcp_in_slow_start helper 2015-07-09 14:22:52 -07:00
tcp_westwood.c tcp_westwood: fix tcp_westwood_info() 2015-05-05 19:50:09 -04:00
tcp_yeah.c tcp: cwnd does not increase in TCP YeAH 2016-09-30 10:18:34 +02:00
tunnel4.c
udp.c udplite: fix partial checksum initialization 2018-03-11 16:19:46 +01:00
udp_diag.c sock_diag: specify info_size per inet protocol 2015-06-15 19:49:22 -07:00
udp_impl.h net: Remove iocb argument from sendmsg and recvmsg 2015-03-02 13:06:31 -05:00
udp_offload.c net: avoid skb_warn_bad_offload false positives on UFO 2017-08-12 19:29:08 -07:00
udp_tunnel.c tunnel: Clear IPCB(skb)->opt before dst_link_failure called 2016-04-20 15:41:56 +09:00
udplite.c
xfrm4_input.c netfilter: Pass net into okfn 2015-09-17 17:18:37 -07:00
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c ipv4: hash net ptr into fragmentation bucket selection 2015-03-25 14:07:04 -04:00
xfrm4_output.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-10-24 06:54:12 -07:00
xfrm4_policy.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2015-12-22 16:26:31 -05:00
xfrm4_protocol.c
xfrm4_state.c
xfrm4_tunnel.c