NetBSD Problem Report #48283
From yasuoka@iij.ad.jp Mon Oct 7 06:27:09 2013
Return-Path: <yasuoka@iij.ad.jp>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 8D2BC720C6
for <gnats-bugs@gnats.NetBSD.org>; Mon, 7 Oct 2013 06:27:09 +0000 (UTC)
Message-Id: <20131007.152708.1229778711060365857.yasuoka@iij.ad.jp>
Date: Mon, 07 Oct 2013 15:27:08 +0900 (JST)
From: YASUOKA Masahiko <yasuoka@iij.ad.jp>
Reply-To: yasuoka@iij.ad.jp
To: gnats-bugs@gnats.NetBSD.org
Subject: Drops FIN + ACK mistakenly
X-Send-Pr-Version: 3.95
>Number: 48283
>Category: kern
>Synopsis: Drops FIN mistakenly
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Oct 07 06:30:00 +0000 2013
>Closed-Date: Fri Jul 25 18:03:45 +0000 2014
>Last-Modified: Fri Jul 25 18:03:45 +0000 2014
>Originator: yasuoka@iij.ad.jp
>Release: NetBSD 5.1.2
>Organization:
Internet Initiative Japan Inc.
>Environment:
System: NetBSD yasuoka-nb.tokyo.iiji.jp 5.1.2 NetBSD 5.1.2 (GENERIC) #0: Thu Feb 2 12:12:28 UTC 2012 builds@b7.netbsd.org:/home/builds/ab/netbsd-5-1-2-RELEASE/amd64/201202021012Z-obj/home/builds/ab/netbsd-5-1-2-RELEASE/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
The TCP stack doesn't initialize the snd_fack field in TCPCB.
The snd_fack is used for "FACK fast recover". This causes
dropping FIN mistakenly like below
19:03:22.685693 IP Windows.54527 > NetBSD.22: S 0:0(0) win 65535 <mss 1460,nop,nop,sackOK>
19:03:22.685717 IP NetBSD.22 > Windows.54527: S 0:0(0) ack 1 win 32768 <mss 33608,sackOK,nop,nop>
19:03:22.685743 IP Windows.54527 > NetBSD.22: . ack 1 win 65535
19:03:22.696118 IP NetBSD.22 > Windows.54527: P 1:58(57) ack 1 win 32768
19:03:22.696201 IP Windows.54527 > NetBSD.22: F 1:1(0) ack 1 win 65535
19:03:22.696219 IP Windows.54527 > NetBSD.22: R 2:2(0) ack 58 win 0
19:03:22.696225 IP NetBSD.22 > Windows.54527: . ack 1 win 32768
19:03:28.701512 IP NetBSD.22 > Windows.54527: P 1:58(57) ack 1 win 32768
Windows was to terminate the TCP connection in wild way. Anyway
NetBSD must receive the FIN from Windows, but it doesn't seem
to receive the FIN.
snd_fack is always initialized by 0. If we receive a ack which
reaches below block and the snd_fack is not modified yet,
tcp_input.c:
2621 else if (tp->t_partialacks < 0 &&
2622 (++tp->t_dupacks == tcprexmtthresh ||
2623 TCP_FACK_FASTRECOV(tp))) {
tcp_var.h:
373 #define TCP_FACK_FASTRECOV(tp) \
374 (TCP_SACK_ENABLED(tp) && \
375 (SEQ_GT(tp->snd_fack, tp->snd_una + tcprexmtthresh * tp->t_segsz)))
Since the snd_una is come from our TCP sequence number initialized
randomly, TCP_FACK_FASTRECOV is mistakenly true in 50%.
In my environment, this problem had caused remaining many half
opened TCP sockets.
>How-To-Repeat:
http://yasuoka.net/~yasuoka/finrst.shar.txt
>Fix:
Index: tcp_input.c
===================================================================
RCS file: /cvs/netbsd/src/sys/netinet/tcp_input.c,v
retrieving revision 1.327
diff -u -p -r1.327 tcp_input.c
--- tcp_input.c 6 Jun 2013 00:03:14 -0000 1.327
+++ tcp_input.c 7 Oct 2013 06:10:28 -0000
@@ -4200,6 +4200,7 @@ syn_cache_get(struct sockaddr *src, stru
tp->last_ack_sent = tp->rcv_nxt;
tp->t_partialacks = -1;
tp->t_dupacks = 0;
+ tp->snd_fack = tp->snd_una;
TCP_STATINC(TCP_STAT_SC_COMPLETED);
s = splsoftnet();
>Release-Note:
>Audit-Trail:
From: Masao Uebayashi <uebayasi@gmail.com>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/48283: Drops FIN + ACK mistakenly
Date: Wed, 9 Oct 2013 13:10:45 +0900
I could reproduce this problem on HEAD and netbsd-6, and have verified
the provided change fixed the problem.
(A question is, how I can prove that this one line change harms nothing ... ?)
From: YASUOKA Masahiko <yasuoka@iij.ad.jp>
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org
Cc:
Subject: Re: kern/48283: Drops FIN + ACK mistakenly
Date: Wed, 09 Oct 2013 17:46:47 +0900 (JST)
Since actively opened sockets have same problem, they should be fixed
as well.
Index: tcp_seq.h
===================================================================
RCS file: /cvs/netbsd/src/sys/netinet/tcp_seq.h,v
retrieving revision 1.16
diff -u -p -r1.16 tcp_seq.h
--- tcp_seq.h 10 Dec 2005 23:36:23 -0000 1.16
+++ tcp_seq.h 9 Oct 2013 08:18:36 -0000
@@ -58,7 +58,7 @@
#define tcp_sendseqinit(tp) \
(tp)->snd_una = (tp)->snd_nxt = (tp)->snd_max = (tp)->snd_up = \
- (tp)->snd_recover = (tp)->snd_high = (tp)->iss
+ (tp)->snd_recover = (tp)->snd_high = (tp)->snd_fack = (tp)->iss
#define TCP_ISS_RANDOM_MASK 0x00ffffff /* bits of randomness in a TCP ISS */
#define TCP_ISSINCR 0x01000000 /* increment per time and per conn */
From: "Ryo Shimizu" <ryo@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/48283 CVS commit: src/sys/netinet
Date: Fri, 25 Jul 2014 17:53:59 +0000
Module Name: src
Committed By: ryo
Date: Fri Jul 25 17:53:59 UTC 2014
Modified Files:
src/sys/netinet: tcp_seq.h
Log Message:
fix some case of reference to uninitialized tp->snd_fack.
This bug causes dropping FIN mistekenly.
pointed out in PR/48283 by YASUOKA Masahiko, thanks!
To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 src/sys/netinet/tcp_seq.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: ryo@NetBSD.org
State-Changed-When: Fri, 25 Jul 2014 18:03:45 +0000
State-Changed-Why:
fixed
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.