BUG: MPTCP 0.92 SYN flood on server side

[virus-atl]

This bug find in MPTCP 0.92 with kernels 4.4.70, 4.4.83, 4.9 Old releases all ok.

Problem: In kernel log TCP: request_sock_MPTCP: Possible SYN flooding on port XXXX. Sending cookies. Check SNMP counters.

After this message MPTCP drop all SYN packets to this port. To play this bug, you need to open and close 120-160 subflows per port. After this port block all SYN from any IP adddress. We truing this with different system paramets, 100% reproduction.

System: Debian jessie iptables without any rules sysctl and tcpdump in attach.

attachment.zip

[cpaasch]

@virus-atl, can you give the below diff a shot:

diff --git a/net/mptcp/mptcp_ctrl.c b/net/mptcp/mptcp_ctrl.c
index 03103d50e348..4254c8fd1140 100644
--- a/net/mptcp/mptcp_ctrl.c
+++ b/net/mptcp/mptcp_ctrl.c
@@ -2129,6 +2129,7 @@ struct sock *mptcp_check_req_child(struct sock *meta_sk,
         * are attached immediately to the mpcb.
         */
        inet_csk_reqsk_queue_drop(meta_sk, req);
+       reqsk_queue_removed(&inet_csk(meta_sk)->icsk_accept_queue, req);

        /* The refcnt is initialized to 2, because regular TCP will put him
         * in the socket's listener queue. However, we do not have a listener-queue.
@@ -2144,6 +2145,7 @@ struct sock *mptcp_check_req_child(struct sock *meta_sk,

        /* Drop this request - sock creation failed. */
        inet_csk_reqsk_queue_drop(meta_sk, req);
+       reqsk_queue_removed(&inet_csk(meta_sk)->icsk_accept_queue, req);
        inet_csk_prepare_forced_close(child);
        tcp_done(child);
        return meta_sk;

This seems to fix it for me. Thanks!

[virus-atl]

Test this patch. In the first approximation, everything is fine.

[cpaasch]

Thanks, I will submit the patch to mptcp-dev.

[matttbe]

Closing: fix now in mptcp_trunk, mptcp_v0.93 and mptcp_v0.92.

Please re-open it if the referenced commit does not fix this issue!