All of lore.kernel.org
 help / color / mirror / Atom feed
From: Eric Dumazet <edumazet@google.com>
To: Jaco Kroon <jaco@uls.co.za>
Cc: Neal Cardwell <ncardwell@google.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Netdev <netdev@vger.kernel.org>,
	Yuchung Cheng <ycheng@google.com>
Subject: Re: linux 5.17.1 disregarding ACK values resulting in stalled TCP connections
Date: Wed, 30 Mar 2022 09:19:53 -0700	[thread overview]
Message-ID: <CANn89i+Dqtrm-7oW+D6EY+nVPhRH07GXzDXt93WgzxZ1y9_tJA@mail.gmail.com> (raw)
In-Reply-To: <e0bc0c7f-5e47-ddb7-8e24-ad5fb750e876@uls.co.za>

On Wed, Mar 30, 2022 at 9:04 AM Jaco Kroon <jaco@uls.co.za> wrote:
>
> Hi,
>
> On 2022/03/30 15:56, Neal Cardwell wrote:
> > On Wed, Mar 30, 2022 at 2:22 AM Jaco Kroon <jaco@uls.co.za> wrote:
> >> Hi Eric,
> >>
> >> On 2022/03/30 05:48, Eric Dumazet wrote:
> >>> On Tue, Mar 29, 2022 at 7:58 PM Jaco Kroon <jaco@uls.co.za> wrote:
> >>>
> >>> I do not think this commit is related to the issue you have.
> >>>
> >>> I guess you could try a revert ?
> >>>
> >>> Then, if you think old linux versions were ok, start a bisection ?
> >> That'll be interesting, will see if I can reproduce on a non-production
> >> host.
> >>> Thank you.
> >>>
> >>> (I do not see why a successful TFO would lead to a freeze after ~70 KB
> >>> of data has been sent)
> >> I do actually agree with this in that it makes no sense, but disabling
> >> TFO definitely resolved the issue for us.
> >>
> >> Kind Regards,
> >> Jaco
> > Thanks for the pcap trace! That's a pretty strange trace. I agree with
> > Eric's theory that this looks like one or more bugs in a firewall,
> > middlebox, or netfilter rule. From the trace it looks like the buggy
> > component is sometimes dropping packets and sometimes corrupting them
> > so that the client's TCP stack ignores them.
> The capture was taken on the client.  So the only firewall there is
> iptables, and I redirected all -j DROP statements to a L_DROP chain
> which did a -j LOG prior to -j DROP - didn't pick up any drops here.
> >
> > Interestingly, in that trace the client SYN has a TFO option and
> > cookie, but no data in the SYN.
>
> So this allows the SMTP server which in the conversation speaks first to
> identify itself to respond with data in the SYN (not sure that was
> actually happening but if I recall I did see it send data prior to
> receiving the final ACK on the handshake.
>
> >
> > The last packet that looks sane/normal is the ACK from the SMTP server
> > that looks like:
> >
> > 00:00:00.000010 IP6 2a00:1450:4013:c16::1a.25 >
> > 2c0f:f720:0:3:d6ae:52ff:feb8:f27b.48590: . 6260:6260(0) ack 66263 win
> > 774 <nop,nop,TS val 1206544341 ecr 331189186>
> >
> > That's the first ACK that crosses past 2^16. Maybe that is a
> > coincidence, or maybe not. Perhaps the buggy firewall/middlebox/etc is
>
> I believe it should be because we literally had this on every single
> connection going out to Google's SMTP ... probably 1/100 connections
> managed to deliver an email over the connection.  Then again ... 64KB
> isn't that much ...
>
> When you state sane/normal, do you mean there is fault with the other
> frames that could not be explained by packet loss in one or both of the
> directions?
>
> > confused by the TFO option, corrupts its state, and thereafter behaves
> > incorrectly past the first 64 KBytes of data from the client.
>
> Only firewalls we've got are netfilter based, and these packets all
> passed through the dedicated firewalls at least by the time they reach
> here.  No middleboxes on our end, and if this was Google's side there
> would be crazy noise be heard, not just me.  I think the trigger is
> packet loss between us (as indicated we know they have link congestion
> issues in JHB area, it took us the better part of two weeks to get the
> first line tech on their side to just query the internal teams and
> probably another week to get the response acknowledging this -
> mybroadband.co.za has an article about other local ISPs also complaining).
>
> >
> > In addition to checking for checksum failures, mentioned by Eric, you
> > could look for PAWS failures, something like:
> >
> >   nstat -az | egrep  -i 'TcpInCsumError|PAWS'
>
> TcpInCsumErrors                 0                  0.0
> TcpExtPAWSActive                0                  0.0
> TcpExtPAWSEstab                 90092              0.0
> TcpExtTCPACKSkippedPAWS         81317              0.0
>
> Not sure what these mean, but i should probably investigate, the latter
> two are definitely incrementing.
>
> Appreciate the feedback and for looking at the traces.
>

Your pcap does not show any obvious PAWS issues.

If the host is lightly loaded you could try while the connection is
attempted/frozen

perf record -a -g -e skb:kfree_skb sleep 30
perf script  (or perf report)

  reply	other threads:[~2022-03-30 16:20 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-30  0:56 linux 5.17.1 disregarding ACK values resulting in stalled TCP connections Jaco
2022-03-30  2:01 ` Neal Cardwell
2022-03-30  2:40   ` Eric Dumazet
2022-03-30  2:58   ` Jaco Kroon
2022-03-30  3:48     ` Eric Dumazet
2022-03-30  6:22       ` Jaco Kroon
2022-03-30 13:56         ` Neal Cardwell
2022-03-30 15:00           ` Jaco Kroon
2022-03-30 16:19             ` Eric Dumazet [this message]
2022-03-31 15:41               ` Neal Cardwell
2022-03-31 23:06                 ` Jaco Kroon
2022-04-01  0:10                   ` Eric Dumazet
2022-04-01  0:15                     ` Florian Westphal
2022-04-01 11:54                       ` Jaco Kroon
2022-04-01 12:09                         ` Florian Westphal
2022-04-01  0:33                     ` Jaco Kroon
2022-04-01  0:41                       ` Eric Dumazet
2022-04-01  0:54                         ` Eric Dumazet
2022-04-01 11:36                           ` Jaco Kroon
2022-04-01 13:54                             ` Eric Dumazet
2022-04-01 14:50                   ` Neal Cardwell
2022-04-01 15:39                     ` Neal Cardwell
2022-04-01 15:48                       ` Neal Cardwell
2022-04-02  8:42                       ` Jaco Kroon
2022-04-02 13:20                         ` Eric Dumazet
2022-04-02 22:02                           ` Jaco Kroon
2022-04-02 14:14                         ` Florian Westphal
2022-04-02 15:57                           ` Neal Cardwell
2022-04-02 21:51                           ` Jaco Kroon
2022-04-02 16:29                         ` Neal Cardwell
2022-04-02 16:32                           ` Eric Dumazet
2022-04-02 18:04                             ` Neal Cardwell
2022-04-06 13:58                               ` Florian Westphal
2022-04-06 19:04                                 ` Jozsef Kadlecsik
2022-04-07 10:26                                   ` Florian Westphal
2022-04-07 12:48                                     ` Jozsef Kadlecsik
2022-04-21 21:14                                       ` Eric Dumazet
2022-04-25  9:29                                         ` Florian Westphal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CANn89i+Dqtrm-7oW+D6EY+nVPhRH07GXzDXt93WgzxZ1y9_tJA@mail.gmail.com \
    --to=edumazet@google.com \
    --cc=jaco@uls.co.za \
    --cc=linux-kernel@vger.kernel.org \
    --cc=ncardwell@google.com \
    --cc=netdev@vger.kernel.org \
    --cc=ycheng@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.