| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Dec 2019 19:28:35 -0800
From: Eric Dumazet <eric.dumazet@...il.com>
To: Cambda Zhu <cambda@...ux.alibaba.com>,
Eric Dumazet <edumazet@...gle.com>
Cc: David Miller <davem@...emloft.net>,
Yuchung Cheng <ycheng@...gle.com>,
netdev <netdev@...r.kernel.org>,
Dust Li <dust.li@...ux.alibaba.com>
Subject: Re: [PATCH] tcp: Fix highest_sack and highest_sack_seq
On 12/27/19 4:49 PM, Eric Dumazet wrote:
>
>
> On 12/27/19 12:52 AM, Cambda Zhu wrote:
>> From commit 50895b9de1d3 ("tcp: highest_sack fix"), the logic about
>> setting tp->highest_sack to the head of the send queue was removed.
>> Of course the logic is error prone, but it is logical. Before we
>> remove the pointer to the highest sack skb and use the seq instead,
>> we need to set tp->highest_sack to NULL when there is no skb after
>> the last sack, and then replace NULL with the real skb when new skb
>> inserted into the rtx queue, because the NULL means the highest sack
>> seq is tp->snd_nxt. If tp->highest_sack is NULL and new data sent,
>> the next ACK with sack option will increase tp->reordering unexpectedly.
>>
>> This patch sets tp->highest_sack to the tail of the rtx queue if
>> it's NULL and new data is sent. The patch keeps the rule that the
>> highest_sack can only be maintained by sack processing, except for
>> this only case.
>>
>> Fixes: 50895b9de1d3 ("tcp: highest_sack fix")
>> Signed-off-by: Cambda Zhu <cambda@...ux.alibaba.com>
>> ---
>> net/ipv4/tcp_output.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
>> index 1f7735ca8f22..58c92a7d671c 100644
>> --- a/net/ipv4/tcp_output.c
>> +++ b/net/ipv4/tcp_output.c
>> @@ -72,6 +72,9 @@ static void tcp_event_new_data_sent(struct sock *sk, struct sk_buff *skb)
>> __skb_unlink(skb, &sk->sk_write_queue);
>> tcp_rbtree_insert(&sk->tcp_rtx_queue, skb);
>>
>> + if (tp->highest_sack == NULL)
>> + tp->highest_sack = skb;
>> +
>> tp->packets_out += tcp_skb_pcount(skb);
>> if (!prior_packets || icsk->icsk_pending == ICSK_TIME_LOSS_PROBE)
>> tcp_rearm_rto(sk);
>>
>
>
> This patch seems to keep something in the fast path, even for flows never experiencing
> sacks.
>
> Why would we always painfully maintain tp->highest_sack to the left most skb in the rtx queue ?
>
> Given that tcp_highest_sack_seq() has an explicit check about tp->highest_sack being NULL,
> there is something I do not quite understand yet.
>
> Why keeping this piece of code ?
>
> if (tp->highest_sack == NULL)
> return tp->snd_nxt;
>
> Defensive programming should be replaced by better knowledge.
>
> Can you provide more explanations, or maybe a packetdrill test ?
>
> Maybe some other path (in slow path this time) misses a !tp->highest_sack test.
>
> Thanks.
>
Or maybe the real bug has been latent for years.
(added in commit 6859d49475d4 "[TCP]: Abstract tp->highest_sack accessing & point to next skb" )
diff --git a/include/net/tcp.h b/include/net/tcp.h
index e460ea7f767ba627972a63a974cae80357808366..32781fb5cf3a7aa1158c98cb87754b59dc922b1f 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1843,12 +1843,9 @@ static inline void tcp_push_pending_frames(struct sock *sk)
*/
static inline u32 tcp_highest_sack_seq(struct tcp_sock *tp)
{
- if (!tp->sacked_out)
+ if (!tp->sacked_out || !tp->highest_sack)
return tp->snd_una;
- if (tp->highest_sack == NULL)
- return tp->snd_nxt;
-
return TCP_SKB_CB(tp->highest_sack)->seq;
}
Powered by blists - more mailing lists