| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260205115532.2195345-1-horms@kernel.org>
Date: Thu, 5 Feb 2026 11:55:32 +0000
From: Simon Horman <horms@...nel.org>
To: lucien.xin@...il.com
Cc: Simon Horman <horms@...nel.org>,
steved@...hat.com,
marcelo.leitner@...il.com,
aahringo@...hat.com,
alibuda@...ux.alibaba.com,
jbaron@...mai.com,
hare@...e.de,
kuba@...nel.org,
tom@...pey.com,
linux-cifs@...r.kernel.org,
daniel@...x.se,
quic@...ts.linux.dev,
jlayton@...nel.org,
tfanelli@...hat.com,
dhowells@...hat.com,
linkinjeon@...nel.org,
hepengtao@...omi.com,
pc@...guebit.com,
kernel-tls-handshake@...ts.linux.dev,
illiliti@...tonmail.com,
xiyou.wangcong@...il.com,
andrew.gospodarek@...adcom.com,
mail@...nericson.me,
edumazet@...gle.com,
pabeni@...hat.com,
matttbe@...nel.org,
netdev@...r.kernel.org,
smfrench@...il.com,
metze@...ba.org,
mbuhl@...nbsd.org,
chuck.lever@...cle.com,
dreibh@...ula.no,
davem@...emloft.net,
sd@...asysnail.net
Subject: Re: [net-next,v9,09/15] quic: add congestion control
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
quic: add congestion control
This patch introduces quic_cong for RTT measurement and congestion control,
implementing a state machine with slow start, congestion avoidance, and
recovery phases using the New Reno algorithm.
> diff --git a/net/quic/cong.c b/net/quic/cong.c
> --- /dev/null
> +++ b/net/quic/cong.c
[ ... ]
> +static int quic_cong_check_persistent_congestion(struct quic_cong *cong, u64 time)
> +{
> + u32 ssthresh;
> +
> + /* rfc9002#section-7.6.1:
> + * (smoothed_rtt + max(4*rttvar, kGranularity) + max_ack_delay) *
> + * kPersistentCongestionThreshold
> + */
> + ssthresh = cong->smoothed_rtt + max(4 * cong->rttvar, QUIC_KGRANULARITY);
> + ssthresh = (ssthresh + cong->max_ack_delay) * QUIC_KPERSISTENT_CONGESTION_THRESHOLD;
> + if (cong->time - time <= ssthresh)
> + return 0;
[ ... ]
> +/* rfc9002#section-5: Estimating the Round-Trip Time */
> +void quic_cong_rtt_update(struct quic_cong *cong, u64 time, u32 ack_delay)
> +{
> + u32 adjusted_rtt, rttvar_sample;
> +
> + /* Ignore RTT sample if ACK delay is suspiciously large. */
> + if (ack_delay > cong->max_ack_delay * 2)
> + return;
> +
> + /* rfc9002#section-5.1: latest_rtt = ack_time - send_time_of_largest_acked */
> + cong->latest_rtt = cong->time - time;
The field cong->time is described as "Cached current timestamp" in struct
quic_cong, but where is it written? The socket struct is zero-initialized,
so cong->time will always be 0.
When computing RTT with a positive packet send timestamp in the time
parameter, does this cause unsigned integer underflow? For example, if the
packet was sent at time 12345, computing 0 - 12345 wraps to a very large
value.
The same issue appears in quic_cong_check_persistent_congestion() where
cong->time - time is compared against ssthresh, and in quic_reno_on_packet_lost()
and quic_reno_on_process_ecn() where recovery_time is set to cong->time.
Powered by blists - more mailing lists