From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3DD10C4332F for ; Tue, 16 Nov 2021 01:23:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 280DF60F5A for ; Tue, 16 Nov 2021 01:23:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1349579AbhKPB0d (ORCPT ); Mon, 15 Nov 2021 20:26:33 -0500 Received: from mail.kernel.org ([198.145.29.99]:33630 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237927AbhKOTAJ (ORCPT ); Mon, 15 Nov 2021 14:00:09 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id D41C861526; Mon, 15 Nov 2021 18:13:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1637000031; bh=VMnqhBpvb6EqvxYoJOoOQ4x7BJAEhO06O94UOubTOkI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nBRzVW4C+0QupMXWnYNU1aQfE1QjLM0I5svls+la/aDIjO3OyCyscCd2wOHVeVk1W qHSa9+z4G6sVS/VRkBbDlIwhzy5HqTkmSbMPMCRCVOkigEWfzZUPXx1XkcWKn/RB02 6XM4sbtS2qsiuJKl/hbPiUrwVXiOXlr06h1Q3qpM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jon Maxwell , Monir Zouaoui , Simon Stier , Eric Dumazet , "David S. Miller" , Sasha Levin Subject: [PATCH 5.14 513/849] tcp: dont free a FIN sk_buff in tcp_remove_empty_skb() Date: Mon, 15 Nov 2021 17:59:56 +0100 Message-Id: <20211115165437.644228742@linuxfoundation.org> X-Mailer: git-send-email 2.33.1 In-Reply-To: <20211115165419.961798833@linuxfoundation.org> References: <20211115165419.961798833@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Jon Maxwell [ Upstream commit cf12e6f9124629b18a6182deefc0315f0a73a199 ] v1: Implement a more general statement as recommended by Eric Dumazet. The sequence number will be advanced, so this check will fix the FIN case and other cases. A customer reported sockets stuck in the CLOSING state. A Vmcore revealed that the write_queue was not empty as determined by tcp_write_queue_empty() but the sk_buff containing the FIN flag had been freed and the socket was zombied in that state. Corresponding pcaps show no FIN from the Linux kernel on the wire. Some instrumentation was added to the kernel and it was found that there is a timing window where tcp_sendmsg() can run after tcp_send_fin(). tcp_sendmsg() will hit an error, for example: 1269 ▹ if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))↩ 1270 ▹ ▹ goto do_error;↩ tcp_remove_empty_skb() will then free the FIN sk_buff as "skb->len == 0". The TCP socket is now wedged in the FIN-WAIT-1 state because the FIN is never sent. If the other side sends a FIN packet the socket will transition to CLOSING and remain that way until the system is rebooted. Fix this by checking for the FIN flag in the sk_buff and don't free it if that is the case. Testing confirmed that fixed the issue. Fixes: fdfc5c8594c2 ("tcp: remove empty skb from write queue in error cases") Signed-off-by: Jon Maxwell Reported-by: Monir Zouaoui Reported-by: Simon Stier Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/ipv4/tcp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 9c38c22c92fbb..d681404c8bfb0 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -955,7 +955,7 @@ int tcp_send_mss(struct sock *sk, int *size_goal, int flags) */ void tcp_remove_empty_skb(struct sock *sk, struct sk_buff *skb) { - if (skb && !skb->len) { + if (skb && TCP_SKB_CB(skb)->seq == TCP_SKB_CB(skb)->end_seq) { tcp_unlink_write_queue(skb, sk); if (tcp_write_queue_empty(sk)) tcp_chrono_stop(sk, TCP_CHRONO_BUSY); -- 2.33.0