Date:   Fri, 27 Dec 2019 16:49:33 -0800
From:   Eric Dumazet <>
To:     Cambda Zhu <>,
        Eric Dumazet <>
Cc:     David Miller <>,
        Yuchung Cheng <>,
        netdev <>,
        Dust Li <>
Subject: Re: [PATCH] tcp: Fix highest_sack and highest_sack_seq

On 12/27/19 12:52 AM, Cambda Zhu wrote:
> From commit 50895b9de1d3 ("tcp: highest_sack fix"), the logic about
> setting tp->highest_sack to the head of the send queue was removed.
> Of course the logic is error prone, but it is logical. Before we
> remove the pointer to the highest sack skb and use the seq instead,
> we need to set tp->highest_sack to NULL when there is no skb after
> the last sack, and then replace NULL with the real skb when new skb
> inserted into the rtx queue, because the NULL means the highest sack
> seq is tp->snd_nxt. If tp->highest_sack is NULL and new data sent,
> the next ACK with sack option will increase tp->reordering unexpectedly.
> This patch sets tp->highest_sack to the tail of the rtx queue if
> it's NULL and new data is sent. The patch keeps the rule that the
> highest_sack can only be maintained by sack processing, except for
> this only case.
> Fixes: 50895b9de1d3 ("tcp: highest_sack fix")
> Signed-off-by: Cambda Zhu <>
> ---
>  net/ipv4/tcp_output.c | 3 +++
>  1 file changed, 3 insertions(+)
> diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
> index 1f7735ca8f22..58c92a7d671c 100644
> --- a/net/ipv4/tcp_output.c
> +++ b/net/ipv4/tcp_output.c
> @@ -72,6 +72,9 @@ static void tcp_event_new_data_sent(struct sock *sk, struct sk_buff *skb)
>  	__skb_unlink(skb, &sk->sk_write_queue);
>  	tcp_rbtree_insert(&sk->tcp_rtx_queue, skb);
> +	if (tp->highest_sack == NULL)
> +		tp->highest_sack = skb;
> +
>  	tp->packets_out += tcp_skb_pcount(skb);
>  	if (!prior_packets || icsk->icsk_pending == ICSK_TIME_LOSS_PROBE)
>  		tcp_rearm_rto(sk);
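
Review bot: The added NULL test after tcp_rbtree_insert() carries no comment stating the invariant it restores. Per the commit message, a NULL tp->highest_sack means the highest SACK seq is tp->snd_nxt, and leaving it NULL once new data is sent makes the next SACK-bearing ACK increase tp->reordering. A short comment above the test would make that explicit. The test itself is better written as "if (!tp->highest_sack)", the form checkpatch asks for. Because tcp_event_new_data_sent() runs for every newly sent skb, the changelog should also say why the pointer cannot be repaired in the SACK processing path instead, which is the rule the commit message says it otherwise keeps.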

This patch seems to keep something in the fast path, even for flows never experiencing

Why would we always painfully maintain tp->highest_sack to the leftmost skb in the rtx queue?

Given that tcp_highest_sack_seq() has an explicit check about tp->highest_sack being NULL,
there is something I do not quite understand yet.

Why keep this piece of code?

    if (tp->highest_sack == NULL)
            return tp->snd_nxt;

Defensive programming should be replaced by better knowledge.

Can you provide more explanations, or maybe a packetdrill test?

Maybe some other path (in slow path this time) misses a !tp->highest_sack test.

