Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

tcp: setup timestamp offset when write_seq already set

Found that when randomized tcp offsets are enabled (by default)
TCP client can still start new connections without them. Later,
if server does active close and re-uses sockets in TIME-WAIT
state, new SYN from client can be rejected on PAWS check inside
tcp_timewait_state_process(), because either tw_ts_recent or
rcv_tsval doesn't really have an offset set.

Here is how to reproduce it with LTP netstress tool:
netstress -R 1 &
netstress -H 127.0.0.1 -lr 1000000 -a1

[...]
< S seq 1956977072 win 43690 TS val 295618 ecr 459956970
> . ack 1956911535 win 342 TS val 459967184 ecr 1547117608
< R seq 1956911535 win 0 length 0
+1. < S seq 1956977072 win 43690 TS val 296640 ecr 459956970
> S. seq 657450664 ack 1956977073 win 43690 TS val 459968205 ecr 296640

Fixes: 95a22caee396 ("tcp: randomize tcp timestamp offsets for each connection")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Alexey Kodanev and committed by David S. Miller
00355fa5 ec7cb62d
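The PAWS rejection described in the commit message can be reproduced with a small model. This is an added example, not code from the commit or the kernel: `model_secure_seq`, `model_connect`, `paws_rejects`, `second_syn_rejected`, the two `TUPLE_*` constants and the tick values are hypothetical, and the PAWS test is the plain RFC 7323 comparison rather than the kernel's exact check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the keyed hash output of one 4-tuple. */
#define TUPLE_ISN   0x74a5f1b0u
#define TUPLE_TSOFF 0x1b6a0000u

struct client_sock { uint32_t write_seq, tsoffset; };

/* Same call shape as in the diff: ISN returned, offset via out-parameter. */
static uint32_t model_secure_seq(uint32_t *tsoff)
{
    *tsoff = TUPLE_TSOFF;
    return TUPLE_ISN;
}

/* The connect() step before (patched == false) and after the change. */
static void model_connect(struct client_sock *sk, bool patched)
{
    uint32_t off, seq = model_secure_seq(&off);
    if (patched || !sk->write_seq)
        sk->tsoffset = off;   /* old code skipped this when write_seq was set */
    if (!sk->write_seq)
        sk->write_seq = seq;
}

/* RFC 7323 PAWS test in serial-number arithmetic: TSval older than ts_recent. */
static bool paws_rejects(uint32_t ts_recent, uint32_t rcv_tsval)
{
    return (int32_t)(ts_recent - rcv_tsval) > 0;
}

/* A fresh socket's connection ends at tick t1 and leaves ts_recent in TIME-WAIT;
 * a socket whose write_seq is already set then sends a SYN at tick t2. */
static bool second_syn_rejected(uint32_t t1, uint32_t t2, bool patched)
{
    struct client_sock first = {0, 0}, second = {12345u, 0}; /* constructed */
    model_connect(&first, patched);
    model_connect(&second, patched);
    return paws_rejects(t1 + first.tsoffset, t2 + second.tsoffset);
}

int main(void)
{
    printf("before: rejected=%d\n", second_syn_rejected(295000u, 295618u, false));
    printf("after:  rejected=%d\n", second_syn_rejected(295000u, 295618u, true));
    return 0;
}
```

With the old logic the second SYN carries a raw clock value while TIME-WAIT remembers an offset one, so the later SYN looks older; with both sockets using the same offset the comparison depends only on the clock, including across 32-bit wraparound.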

+20 -12
+10 -6
net/ipv4/tcp_ipv4.c
··· 145 145 struct flowi4 *fl4; 146 146 struct rtable *rt; 147 147 int err; 148 + u32 seq; 148 149 struct ip_options_rcu *inet_opt; 149 150 struct inet_timewait_death_row *tcp_death_row = &sock_net(sk)->ipv4.tcp_death_row; 150 151 ··· 235 234 sk_setup_caps(sk, &rt->dst); 236 235 rt = NULL; 237 236 238 - if (!tp->write_seq && likely(!tp->repair)) 239 - tp->write_seq = secure_tcp_sequence_number(inet->inet_saddr, 240 - inet->inet_daddr, 241 - inet->inet_sport, 242 - usin->sin_port, 243 - &tp->tsoffset); 237 + if (likely(!tp->repair)) { 238 + seq = secure_tcp_sequence_number(inet->inet_saddr, 239 + inet->inet_daddr, 240 + inet->inet_sport, 241 + usin->sin_port, 242 + &tp->tsoffset); 243 + if (!tp->write_seq) 244 + tp->write_seq = seq; 245 + } 244 246 245 247 inet->inet_id = tp->write_seq ^ jiffies; 246 248
+10 -6
net/ipv6/tcp_ipv6.c
··· 122 122 struct flowi6 fl6; 123 123 struct dst_entry *dst; 124 124 int addr_type; 125 + u32 seq; 125 126 int err; 126 127 struct inet_timewait_death_row *tcp_death_row = &sock_net(sk)->ipv4.tcp_death_row; 127 128 ··· 286 285 287 286 sk_set_txhash(sk); 288 287 289 - if (!tp->write_seq && likely(!tp->repair)) 290 - tp->write_seq = secure_tcpv6_sequence_number(np->saddr.s6_addr32, 291 - sk->sk_v6_daddr.s6_addr32, 292 - inet->inet_sport, 293 - inet->inet_dport, 294 - &tp->tsoffset); 288 + if (likely(!tp->repair)) { 289 + seq = secure_tcpv6_sequence_number(np->saddr.s6_addr32, 290 + sk->sk_v6_daddr.s6_addr32, 291 + inet->inet_sport, 292 + inet->inet_dport, 293 + &tp->tsoffset); 294 + if (!tp->write_seq) 295 + tp->write_seq = seq; 296 + } 295 297 296 298 if (tcp_fastopen_defer_connect(sk, &err)) 297 299 return err;
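Review bot: in the second hunk of net/ipv4/tcp_ipv4.c, when tp->write_seq is already set the value returned by secure_tcp_sequence_number() is computed into seq and then dropped, so the call is kept only for its write to tp->tsoffset through the out-parameter, and nothing in the code says so. A short comment above `if (likely(!tp->repair)) {` stating that the timestamp offset must be set even when write_seq is preserved would keep a later cleanup from folding the call back under `if (!tp->write_seq)` and reintroducing the PAWS rejection described in the commit message.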
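Review bot: the block added in the second hunk of net/ipv6/tcp_ipv6.c repeats the IPv4 block line for line apart from the arguments to secure_tcpv6_sequence_number(), so the rule "always set tp->tsoffset, assign tp->write_seq only when it is zero" now has to be kept in sync in two places. Consider carrying the same explanatory comment in both files, or moving the `if (!tp->write_seq) tp->write_seq = seq;` step into a small shared helper. As a style point, the new `u32 seq;` in the first hunk lands between `int addr_type;` and `int err;`; placing it after `int err;`, as the IPv4 hunk does, keeps the two declarations lists consistent.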