mptcp: Avoid ever-increasing count of orphan sockets

We have observed an ever-increasing count of orphan sockets on busy servers. These are MPTCP-connections that ran out of MPTCP subflows. What happens then is that when we try to retransmit the DATA_FIN, we fail in mptcp_retransmit_skb. In that case, retrans_stamp won't be set and remains 0. If that happens, the check in retransmits_timed_out() may always return false, depending on whether tcp_time_stamp(tcp_sk(sk)) is > 2^31 or not. Meaning, we never call tcp_write_err() on that MPTCP-socket and thus it will hang around forever. tcp_retransmit_skb handles that by always setting retrans_stamp - regardless of whether the retransmission succeeded or not. We should do the same. Fixes: Zero-day bug Signed-off-by: Christoph Paasch <cpaasch@apple.com> Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net> (cherry picked from commit 3a4382f) Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net> (cherry picked from commit 95803d8) Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
multipath-tcp · Jul 15, 2022 · 54147de · 54147de
1 parent c53b72e
commit 54147de
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/net/mptcp/mptcp_output.c b/net/mptcp/mptcp_output.c
@@ -1563,7 +1563,9 @@ int mptcp_retransmit_skb(struct sock *meta_sk, struct sk_buff *skb)
 	 */
 	if (refcount_read(&meta_sk->sk_wmem_alloc) >
 	    min(meta_sk->sk_wmem_queued + (meta_sk->sk_wmem_queued >> 2), meta_sk->sk_sndbuf)) {
-		return -EAGAIN;
+		err = -EAGAIN;
+
+		goto failed;
 	}
 
 	/* We need to make sure that the retransmitted segment can be sent on a
@@ -1626,6 +1628,12 @@ int mptcp_retransmit_skb(struct sock *meta_sk, struct sk_buff *skb)
 
 failed:
 	NET_INC_STATS(sock_net(meta_sk), LINUX_MIB_TCPRETRANSFAIL);
+	/* Save stamp of the first attempted retransmit. */
+	if (!meta_tp->retrans_stamp) {
+		tcp_mstamp_refresh(meta_tp);
+		meta_tp->retrans_stamp = tcp_time_stamp(meta_tp);
+	}
+
 	return err;
 }