linux/net
Yuchung Cheng 8b8a321ff7 tcp: fix zero cwnd in tcp_cwnd_reduction
Patch 3759824da8 ("tcp: PRR uses CRB mode by default and SS mode
conditionally") introduced a bug that cwnd may become 0 when both
inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead
to a div-by-zero if the connection starts another cwnd reduction
phase by setting tp->prior_cwnd to the current cwnd (0) in
tcp_init_cwnd_reduction().

To prevent this we skip PRR operation when nothing is acked or
sacked. Then cwnd must be positive in all cases as long as ssthresh
is positive:

1) The proportional reduction mode
   inflight > ssthresh > 0

2) The reduction bound mode
  a) inflight == ssthresh > 0

  b) inflight < ssthresh
     sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh

Therefore in all cases inflight and sndcnt can not both be 0.
We check invalid tp->prior_cwnd to avoid potential div0 bugs.

In reality this bug is triggered only with a sequence of less common
events.  For example, the connection is terminating an ECN-triggered
cwnd reduction with an inflight 0, then it receives reordered/old
ACKs or DSACKs from prior transmission (which acks nothing). Or the
connection is in fast recovery stage that marks everything lost,
but fails to retransmit due to local issues, then receives data
packets from other end which acks nothing.

Fixes: 3759824da8 ("tcp: PRR uses CRB mode by default and SS mode conditionally")
Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-01-06 16:39:56 -05:00
6lowpan
9p
802
8021q
appletalk
atm
ax25 net: add validation for the socket syscall protocol argument 2015-12-14 16:09:30 -05:00
batman-adv batman-adv: Fix invalid stack access in batadv_dat_select_candidates 2015-12-07 22:40:21 +08:00
bluetooth bluetooth: Validate socket address length in sco_sock_bind(). 2015-12-15 15:39:08 -05:00
bridge bridge: Only call /sbin/bridge-stp for the initial network namespace 2016-01-05 16:46:17 -05:00
caif net: rename SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA 2015-12-01 15:45:05 -05:00
can
ceph
core net: possible use after free in dst_release 2016-01-06 15:00:27 -05:00
dcb
dccp ipv6: kill sk_dst_lock 2015-12-03 11:32:06 -05:00
decnet net: add validation for the socket syscall protocol argument 2015-12-14 16:09:30 -05:00
dns_resolver
dsa
ethernet
hsr net/hsr: fix a warning message 2015-11-23 14:56:15 -05:00
ieee802154
ipv4 tcp: fix zero cwnd in tcp_cwnd_reduction 2016-01-06 16:39:56 -05:00
ipv6 ipv6: honor ifindex in case we receive ll addresses in router advertisements 2015-12-23 22:03:54 -05:00
ipx
irda net: add validation for the socket syscall protocol argument 2015-12-14 16:09:30 -05:00
iucv net: rename SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA 2015-12-01 15:45:05 -05:00
key
l2tp ipv6: add complete rcu protection around np->opt 2015-12-02 23:37:16 -05:00
l3mdev
lapb
llc
mac80211 mac80211: handle width changes from opmode notification IE in beacon 2015-12-15 13:16:47 +01:00
mac802154
mpls mpls: make via address optional for multipath routes 2015-12-12 00:43:44 -05:00
netfilter netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key 2015-12-18 14:45:45 +01:00
netlabel
netlink
netrom
nfc net: rename SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA 2015-12-01 15:45:05 -05:00
openvswitch openvswitch: Fix template leak in error cases. 2015-12-29 15:27:52 -05:00
packet packet: Allow packets with only a header (but no payload) 2015-11-29 22:17:17 -05:00
phonet
rds RDS: fix race condition when sending a message on unbound socket 2015-11-24 17:20:09 -05:00
rfkill rfkill: copy the name into the rfkill struct 2015-12-10 10:37:51 +01:00
rose
rxrpc net: rename SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA 2015-12-01 15:45:05 -05:00
sched net: sched: fix missing free per cpu on qstats 2016-01-06 01:40:21 -05:00
sctp sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close 2015-12-30 16:57:16 -05:00
sunrpc sched/wait: Fix the signal handling fix 2015-12-13 14:30:59 -08:00
switchdev
tipc tipc: fix error handling of expanding buffer headroom 2015-11-24 11:26:19 -05:00
unix af_unix: Fix splice-bind deadlock 2016-01-04 23:22:49 -05:00
vmw_vsock
wimax
wireless nl80211: Fix potential memory leak in nl80211_connect 2015-12-15 13:11:26 +01:00
x25
xfrm Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2015-12-22 16:26:31 -05:00
compat.c
Kconfig
Makefile
socket.c net, socket, socket_wq: fix missing initialization of flags 2015-12-30 16:38:01 -05:00
sysctl_net.c