vincenzopalazzo/linux
vincenzopalazzo
/
linux
1
0
Fork 0
Code Issues 7 Pull Requests 2 Packages Projects Releases Wiki Activity
linux/net
History
Yuchung Cheng 8b8a321ff7 tcp: fix zero cwnd in tcp_cwnd_reduction 
Patch 3759824da8 ("tcp: PRR uses CRB mode by default and SS mode
conditionally") introduced a bug that cwnd may become 0 when both
inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead
to a div-by-zero if the connection starts another cwnd reduction
phase by setting tp->prior_cwnd to the current cwnd (0) in
tcp_init_cwnd_reduction().

To prevent this we skip PRR operation when nothing is acked or
sacked. Then cwnd must be positive in all cases as long as ssthresh
is positive:

1) The proportional reduction mode
   inflight > ssthresh > 0

2) The reduction bound mode
  a) inflight == ssthresh > 0

  b) inflight < ssthresh
     sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh

Therefore in all cases inflight and sndcnt can not both be 0.
We check invalid tp->prior_cwnd to avoid potential div0 bugs.

In reality this bug is triggered only with a sequence of less common
events.  For example, the connection is terminating an ECN-triggered
cwnd reduction with an inflight 0, then it receives reordered/old
ACKs or DSACKs from prior transmission (which acks nothing). Or the
connection is in fast recovery stage that marks everything lost,
but fails to retransmit due to local issues, then receives data
packets from other end which acks nothing.

Fixes: 3759824da8 ("tcp: PRR uses CRB mode by default and SS mode conditionally")
Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
 		2016-01-06 16:39:56 -05:00
..
6lowpan
9p
802
8021q
appletalk
atm
ax25
batman-adv
bluetooth
bridge bridge: Only call /sbin/bridge-stp for the initial network namespace 2016-01-05 16:46:17 -05:00
caif
can
ceph
core net: possible use after free in dst_release 2016-01-06 15:00:27 -05:00
dcb
dccp
decnet
dns_resolver
dsa
ethernet
hsr
ieee802154
ipv4 tcp: fix zero cwnd in tcp_cwnd_reduction 2016-01-06 16:39:56 -05:00
ipv6 ipv6: honor ifindex in case we receive ll addresses in router advertisements 2015-12-23 22:03:54 -05:00
ipx
irda
iucv
key
l2tp
l3mdev
lapb
llc
mac80211
mac802154
mpls
netfilter netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key 2015-12-18 14:45:45 +01:00
netlabel
netlink
netrom
nfc
openvswitch openvswitch: Fix template leak in error cases. 2015-12-29 15:27:52 -05:00
packet
phonet
rds
rfkill
rose
rxrpc
sched net: sched: fix missing free per cpu on qstats 2016-01-06 01:40:21 -05:00
sctp sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close 2015-12-30 16:57:16 -05:00
sunrpc
switchdev
tipc
unix af_unix: Fix splice-bind deadlock 2016-01-04 23:22:49 -05:00
vmw_vsock
wimax
wireless
x25
xfrm Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2015-12-22 16:26:31 -05:00
Kconfig
Makefile
compat.c
socket.c net, socket, socket_wq: fix missing initialization of flags 2015-12-30 16:38:01 -05:00
sysctl_net.c