From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Neal Cardwell <ncardwell@google.com>,
Eric Dumazet <edumazet@google.com>,
Yuchung Cheng <ycheng@google.com>, Kevin Yang <yyd@google.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 12/96] tcp: fix incorrect undo caused by DSACK of TLP retransmit
Date: Tue, 16 Jul 2024 17:31:23 +0200 [thread overview]
Message-ID: <20240716152746.989940024@linuxfoundation.org> (raw)
In-Reply-To: <20240716152746.516194097@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neal Cardwell <ncardwell@google.com>
[ Upstream commit 0ec986ed7bab6801faed1440e8839dcc710331ff ]
Loss recovery undo_retrans bookkeeping had a long-standing bug where a
DSACK from a spurious TLP retransmit packet could cause an erroneous
undo of a fast recovery or RTO recovery that repaired a single
really-lost packet (in a sequence range outside that of the TLP
retransmit). Basically, because the loss recovery state machine didn't
account for the fact that it sent a TLP retransmit, the DSACK for the
TLP retransmit could erroneously be implicitly be interpreted as
corresponding to the normal fast recovery or RTO recovery retransmit
that plugged a real hole, thus resulting in an improper undo.
For example, consider the following buggy scenario where there is a
real packet loss but the congestion control response is improperly
undone because of this bug:
+ send packets P1, P2, P3, P4
+ P1 is really lost
+ send TLP retransmit of P4
+ receive SACK for original P2, P3, P4
+ enter fast recovery, fast-retransmit P1, increment undo_retrans to 1
+ receive DSACK for TLP P4, decrement undo_retrans to 0, undo (bug!)
+ receive cumulative ACK for P1-P4 (fast retransmit plugged real hole)
The fix: when we initialize undo machinery in tcp_init_undo(), if
there is a TLP retransmit in flight, then increment tp->undo_retrans
so that we make sure that we receive a DSACK corresponding to the TLP
retransmit, as well as DSACKs for all later normal retransmits, before
triggering a loss recovery undo. Note that we also have to move the
line that clears tp->tlp_high_seq for RTO recovery, so that upon RTO
we remember the tp->tlp_high_seq value until tcp_init_undo() and clear
it only afterward.
Also note that the bug dates back to the original 2013 TLP
implementation, commit 6ba8a3b19e76 ("tcp: Tail loss probe (TLP)").
However, this patch will only compile and work correctly with kernels
that have tp->tlp_retrans, which was added only in v5.8 in 2020 in
commit 76be93fc0702 ("tcp: allow at most one TLP probe per flight").
So we associate this fix with that later commit.
Fixes: 76be93fc0702 ("tcp: allow at most one TLP probe per flight")
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Kevin Yang <yyd@google.com>
Link: https://patch.msgid.link/20240703171246.1739561-1-ncardwell.sw@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_input.c | 11 ++++++++++-
net/ipv4/tcp_timer.c | 2 --
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 317cb90d77102..359ffda9b736b 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2101,8 +2101,16 @@ void tcp_clear_retrans(struct tcp_sock *tp)
static inline void tcp_init_undo(struct tcp_sock *tp)
{
tp->undo_marker = tp->snd_una;
+
/* Retransmission still in flight may cause DSACKs later. */
- tp->undo_retrans = tp->retrans_out ? : -1;
+ /* First, account for regular retransmits in flight: */
+ tp->undo_retrans = tp->retrans_out;
+ /* Next, account for TLP retransmits in flight: */
+ if (tp->tlp_high_seq && tp->tlp_retrans)
+ tp->undo_retrans++;
+ /* Finally, avoid 0, because undo_retrans==0 means "can undo now": */
+ if (!tp->undo_retrans)
+ tp->undo_retrans = -1;
}
static bool tcp_is_rack(const struct sock *sk)
@@ -2181,6 +2189,7 @@ void tcp_enter_loss(struct sock *sk)
tcp_set_ca_state(sk, TCP_CA_Loss);
tp->high_seq = tp->snd_nxt;
+ tp->tlp_high_seq = 0;
tcp_ecn_queue_cwr(tp);
/* F-RTO RFC5682 sec 3.1 step 1: retransmit SND.UNA if no previous
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 44b49f7d1a9e6..f36492331ef0b 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -496,8 +496,6 @@ void tcp_retransmit_timer(struct sock *sk)
if (WARN_ON_ONCE(!skb))
return;
- tp->tlp_high_seq = 0;
-
if (!tp->snd_wnd && !sock_flag(sk, SOCK_DEAD) &&
!((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV))) {
/* Receiver dastardly shrinks window. Our retransmits
--
2.43.0
next prev parent reply other threads:[~2024-07-16 15:54 UTC|newest]
Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-16 15:31 [PATCH 6.1 00/96] 6.1.100-rc1 review Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 01/96] mm: prevent derefencing NULL ptr in pfn_section_valid() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 02/96] cachefiles: propagate errors from vfs_getxattr() to avoid infinite loop Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 03/96] cachefiles: narrow the scope of triggering EPOLLIN events in ondemand mode Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 04/96] cachefiles: stop sending new request when dropping object Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 05/96] cachefiles: cancel all requests for the object that is being dropped Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 06/96] cachefiles: wait for ondemand_object_worker to finish when dropping object Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 07/96] cachefiles: cyclic allocation of msg_id to avoid reuse Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 08/96] cachefiles: add missing lock protection when polling Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 09/96] filelock: fix potential use-after-free in posix_lock_inode Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 10/96] fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 11/96] vfs: dont mod negative dentry count when on shrinker list Greg Kroah-Hartman
2024-07-16 15:31 ` Greg Kroah-Hartman [this message]
2024-07-16 15:31 ` [PATCH 6.1 13/96] net: phy: microchip: lan87xx: reinit PHY after cable test Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 14/96] skmsg: Skip zero length skb in sk_msg_recvmsg Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 15/96] octeontx2-af: Fix incorrect value output on error path in rvu_check_rsrc_availability() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 16/96] net: fix rc7s __skb_datagram_iter() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 17/96] i40e: Fix XDP program unloading while removing the driver Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 18/96] net: ethernet: lantiq_etop: fix double free in detach Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 19/96] bpf: Refactor some inode/task/sk storage functions for reuse Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 20/96] bpf: Reduce smap->elem_size Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 21/96] bpf: use bpf_map_kvcalloc in bpf_local_storage Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 22/96] bpf: Remove __bpf_local_storage_map_alloc Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 23/96] bpf: fix order of args in call to bpf_map_kvcalloc Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 24/96] net: ethernet: mtk-star-emac: set mac_managed_pm when probing Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 25/96] ppp: reject claimed-as-LCP but actually malformed packets Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 26/96] ethtool: netlink: do not return SQI value if link is down Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 27/96] udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 28/96] net/sched: Fix UAF when resolving a clash Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 29/96] net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 30/96] s390: Mark psw in __load_psw_mask() as __unitialized Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 31/96] firmware: cs_dsp: Fix overflow checking of wmfw header Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 32/96] firmware: cs_dsp: Return error if block header overflows file Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 33/96] firmware: cs_dsp: Validate payload length before processing block Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 34/96] firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 35/96] firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 36/96] ARM: davinci: Convert comma to semicolon Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 37/96] octeontx2-af: replace cpt slot with lf id on reg write Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 38/96] octeontx2-af: update cpt lf alloc mailbox Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 39/96] octeontx2-af: fix a issue with cpt_lf_alloc mailbox Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 40/96] octeontx2-af: fix detection of IP layer Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 41/96] octeontx2-af: extend RSS supported offload types Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 42/96] octeontx2-af: fix issue with IPv6 ext match for RSS Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 43/96] octeontx2-af: fix issue with IPv4 " Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 44/96] cifs: fix setting SecurityFlags to true Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 45/96] Revert "sched/fair: Make sure to try to detach at least one movable task" Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 46/96] tcp: use signed arithmetic in tcp_rtx_probe0_timed_out() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 47/96] tcp: avoid too many retransmit packets Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 48/96] net: ks8851: Fix deadlock with the SPI chip variant Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 49/96] net: ks8851: Fix potential TX stall after interface reopen Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 50/96] USB: serial: option: add Telit generic core-dump composition Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 51/96] USB: serial: option: add Telit FN912 rmnet compositions Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 52/96] USB: serial: option: add Fibocom FM350-GL Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 53/96] USB: serial: option: add support for Foxconn T99W651 Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 54/96] USB: serial: option: add Netprisma LCUK54 series modules Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 55/96] USB: serial: option: add Rolling RW350-GL variants Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 56/96] USB: serial: mos7840: fix crash on resume Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 57/96] USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 58/96] usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 59/96] USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 60/96] hpet: Support 32-bit userspace Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 61/96] xhci: always resume roothubs if xHC was reset during resume Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 62/96] ksmbd: discard write access to the directory open Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 63/96] nvmem: rmem: Fix return value of rmem_read() Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 64/96] nvmem: meson-efuse: Fix return value of nvmem callbacks Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 65/96] nvmem: core: only change name to fram for current attribute Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 66/96] platform/x86: toshiba_acpi: Fix array out-of-bounds access Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 67/96] ALSA: hda/realtek: add quirk for Clevo V5[46]0TU Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 68/96] ALSA: hda/realtek: Enable Mute LED on HP 250 G7 Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 69/96] ALSA: hda/realtek: Limit mic boost on VAIO PRO PX Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 70/96] Fix userfaultfd_api to return EINVAL as expected Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 71/96] libceph: fix race between delayed_work() and ceph_monc_stop() Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 72/96] ACPI: processor_idle: Fix invalid comparison with insertion sort for latency Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 73/96] wireguard: selftests: use acpi=off instead of -no-acpi for recent QEMU Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 74/96] wireguard: allowedips: avoid unaligned 64-bit memory accesses Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 75/96] wireguard: queueing: annotate intentional data race in cpu round robin Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 76/96] wireguard: send: annotate intentional data race in checking empty queue Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 77/96] misc: fastrpc: Fix DSP capabilities request Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 78/96] misc: fastrpc: Avoid updating PD type for capability request Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 79/96] misc: fastrpc: Copy the complete capability structure to user Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 80/96] x86/retpoline: Move a NOENDBR annotation to the SRSO dummy return thunk Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 81/96] cifs: use origin fullpath for automounts Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 82/96] cifs: avoid dup prefix path in dfs_get_automount_devname() Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 83/96] bpf: Allow reads from uninit stack Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 84/96] nilfs2: fix kernel bug on rename operation of broken directory Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 85/96] sched: Move psi_account_irqtime() out of update_rq_clock_task() hotpath Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 86/96] i2c: rcar: bring hardware to known state when probing Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 87/96] i2c: mark HostNotify target address as used Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 88/96] i2c: rcar: reset controller is mandatory for Gen3+ Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 89/96] i2c: rcar: introduce Gen4 devices Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 90/96] i2c: rcar: ensure Gen3+ reset does not disturb local targets Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 91/96] i2c: testunit: avoid re-issued work after read message Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 92/96] i2c: rcar: clear NO_RXDMA flag after resetting Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 93/96] x86/entry/64: Remove obsolete comment on tracing vs. SYSRET Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 94/96] x86/bhi: Avoid warning in #DB handler due to BHI mitigation Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 95/96] kbuild: Make ld-version.sh more robust against version string changes Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 96/96] i2c: rcar: fix error code in probe() Greg Kroah-Hartman
2024-07-16 18:38 ` [PATCH 6.1 00/96] 6.1.100-rc1 review SeongJae Park
2024-07-16 18:42 ` Florian Fainelli
2024-07-16 19:01 ` Pavel Machek
2024-07-16 20:29 ` Naresh Kamboju
2024-07-17 6:24 ` Greg Kroah-Hartman
2024-07-17 15:51 ` Shuah Khan
2024-07-17 16:57 ` Allen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240716152746.989940024@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=ncardwell@google.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=ycheng@google.com \
--cc=yyd@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.