tcp: Don't flag tcp_sk(sk)->rx_opt.saw_unknown for TCP AO.

When we process segments with TCP AO, we don't check it in
tcp_parse_options().  Thus, opt_rx->saw_unknown is set to 1,
which unconditionally triggers the BPF TCP option parser.

Let's avoid the unnecessary BPF invocation.

Fixes: 0a3a809089eb ("net/tcp: Verify inbound TCP-AO signed segments")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: Dmitry Safonov <0x7f454c46@gmail.com>
Link: https://patch.msgid.link/20240703033508.6321-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index e67cbeeeb95b4965e4acdade5ed625a42c946afd..77294fd5fd3ec5cde446d21236d2ff426b928a83 100644 (file)
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4223,6 +4223,13 @@ void tcp_parse_options(const struct net *net,
                                 * checked (see tcp_v{4,6}_rcv()).
                                 */
                                break;
+#endif
+#ifdef CONFIG_TCP_AO
+                       case TCPOPT_AO:
+                               /* TCP AO has already been checked
+                                * (see tcp_inbound_ao_hash()).
+                                */
+                               break;
 #endif
                        case TCPOPT_FASTOPEN:
                                tcp_parse_fastopen_option(