Date:	Wed, 28 Mar 2007 16:24:40 +0300 (EEST)
From:	"Ilpo Järvinen" <>
To:	Patrick McHardy <>,
	David Miller <>
cc:	Linux Netdev List <>
Subject: Re: KERNEL: assertion ((int)tp->sacked_out >= 0) failed at
 net/ipv4/tcp_input.c (2626)

On Wed, 28 Mar 2007, Patrick McHardy wrote:

> I got this warning with the current net-2.6.22 tree:
> KERNEL: assertion ((int)tp->sacked_out >= 0) failed at
> net/ipv4/tcp_input.c (2626)
> Leak s=4294967292 3
> Can't say what exactly triggered it.

It seems I'm guilty of this one. Dave, please apply to net-2.6.22
(besides this, I think the tcp_sync_left_out should be changed, but I'll
prepare a patch for that later). Btw, how should this kind of email with
some non-patch description+patch be formatted?

[PATCH] [TCP]: Timedout loop must skip SACKed skbs too while marking

Marking skb with both S and L is invalid, and that could easily
happen in the timedout loop. Later on the tcp_sync_left_out
reduces sacked_out if lost_out + sacked_out > packets_out and
then eventually sacked_out underflows triggering a debug trap in

Signed-off-by: Ilpo Järvinen <>
 net/ipv4/tcp_input.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index d116887..7a59ffe 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1777,7 +1777,8 @@ static void tcp_timedout_mark_forward(st
 		if (skb == tcp_send_head(sk) || !tcp_skb_timedout(sk, skb))
 		/* Could be lost already from a previous timedout check */
-		if (!(TCP_SKB_CB(skb)->sacked & TCPCB_LOST)) {
+		if (!(TCP_SKB_CB(skb)->sacked &
 			TCP_SKB_CB(skb)->sacked |= TCPCB_LOST;
 			tp->lost_out += tcp_skb_pcount(skb);
 			tcp_verify_retransmit_hint(tp, skb);
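
Review bot: the comment above the changed condition in tcp_timedout_mark_forward still explains only the already-lost case ("Could be lost already from a previous timedout check"), while the subject line says the loop must now skip SACKed skbs too. Extend that comment to state that an skb must never carry both S and L, since per the commit message that combination is what lets tcp_sync_left_out reduce sacked_out until it underflows. The continuation of the new `if (!(TCP_SKB_CB(skb)->sacked &` line is not visible in this copy of the patch, so the mask it tests cannot be checked here; confirm that it covers both the lost bit and the SACKed bit.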
