Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp2223741pxb; Wed, 30 Mar 2022 19:52:38 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwNvkGSFishx29eN5fic1HOpzQDb4KHS65nT8ngbkhWvKHizleQAP1ZpsH8HcT3AC+mSwY7 X-Received: by 2002:a05:6a00:8d4:b0:4f6:6da0:f380 with SMTP id s20-20020a056a0008d400b004f66da0f380mr36849088pfu.34.1648695158802; Wed, 30 Mar 2022 19:52:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1648695158; cv=none; d=google.com; s=arc-20160816; b=Ojr6tkf0PcQiCozddqyBsxNKF/KjwMuv22tPsO0SE6vB37dWJxCWB2f8fhR6akv+rB 3Fz6DAuBPEykkHNnlgRAUJGbhbrLK+TpqUEcmoXVX5RBd83ed+sApgXDTUPnUZPnytRb wWktrqdyZBhhQQhg44pjFXAX7Wpywx2SEQuKst82tus4DURqfykon0WsqzEzcx9T3oMN 8z5l2Kq+zqqFFPTpfnyeB/PsIFyx/F2XS2rqSXVLxBZjFQDa5mALqFZKP1hMpWYwL97J JLWx5uAuAAFgqD2EdX4io/PVCbD9ETkybi41AJSZTJxfC54XR9oGMNKEvdXSIrTeD/BS JHwg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=9p+YHMoXEn+djDAlzGnVfVmbj4X4YfKf8Wmoz4SPcpc=; b=d1K2ZcMN+A22KSZubLupM/ZSON9EmUggLfaLr46CgFdJziBqgSYx+FcMUC0blEemKc mCx8SVhoJyxH9BUSt8tSLyZndiNj12ao/Msaoi30jmlnh5ywWkl3yqdvOm26eebevLUM Z+CL65hcEogs3s2FDDTSNsBc+GBYASAVQyokZJVdz1vIkGW/uUl0q9k+isc8fqb8QymM 13Ofi/2DelsWqDGfUrNIgNIWHJKD/5SNeYWZrkp5GGy/1boGWyYJmLWiDrvMrr8MkJAL OjgpTyjCDI3amYY7k6bDHweVA2QHOBcfwEsNGQKfN4HRDvQAK4o+jxoVawoGewvR/117 tjRA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=Peg1mhc2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id e16-20020a637450000000b003816043f13csi21833436pgn.817.2022.03.30.19.52.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 30 Mar 2022 19:52:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=Peg1mhc2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id E06A36AA42; Wed, 30 Mar 2022 19:38:44 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244332AbiC3QV4 (ORCPT + 99 others); Wed, 30 Mar 2022 12:21:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57760 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348739AbiC3QVv (ORCPT ); Wed, 30 Mar 2022 12:21:51 -0400 Received: from mail-yw1-x1134.google.com (mail-yw1-x1134.google.com [IPv6:2607:f8b0:4864:20::1134]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F230D7006E for ; Wed, 30 Mar 2022 09:20:05 -0700 (PDT) Received: by mail-yw1-x1134.google.com with SMTP id 00721157ae682-2e5e31c34bfso225092327b3.10 for ; Wed, 30 Mar 2022 09:20:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9p+YHMoXEn+djDAlzGnVfVmbj4X4YfKf8Wmoz4SPcpc=; b=Peg1mhc2WUFxEIV29jkkJDS6FeBV6QamEm7Arg1/cxqLNw9sUaPwgYuhCOq9NsRLOR vCdXGzvuUEHr6U+tQ6DrV66RGnkXnMKyiumUCdaLZRAZIPL/tEWvcJh+oVb97xPmQnL/ PoFoz8e0ftaQ0+zaIYqTFiFwFzjRV96x2Df0dzRvz3Dj0TbWZnCGShDoOfg8b7ykX4jU /0VVb/90IHWVXPa2F91J3ZnFQ2VAtMsbEQpQEOQPF7khv35jbKM9Jz8NO9V20QwoHjn+ 3h2iR/jeIr8c1mHR0FDpxpT1+WrOWedtoJRzcUE5vpw1nStrZN4lq7zLNuGr54QTDfJb 2nsg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9p+YHMoXEn+djDAlzGnVfVmbj4X4YfKf8Wmoz4SPcpc=; b=LrLhIjFpjoyiahIflo6UicmvxXlIgyuxdbvFEYTpJAybcfB4yWFVMWzPq3dI8KMwqV qo88OK0zvHZ8BXpAvlJUpTXj+p3mHHel7oMUC9j+yJsatIaKOEdEJNd/kFnxOkWGBFeU RrbQbmHRkzAkQqdABij7WJMsMr/qQYP4qc26tUxFkV4juvoKqLniui2jf5xBWR8tSNjX OoUt4gB2Kew/SiEiG+E1DeCDS7G6WUfnxQW+IQT5Y5iXjD/kO4KUApQoWv+TlGvH9Rco 0/b6kjqt/lIifItPa3uNKST//NklkU1UICOjU9ZMEMTOwnyBN685uGBMuRvq9dCnqms+ iPqA== X-Gm-Message-State: AOAM5339ehr7U53pYVxKEiHH24F1yt4/AJJKiV4dKCVx9gTB4an05OkR eoH3qo5DCt6/XLcb3JFYYpDvqVeF/QBH234iICAfOxzV7CZfLA== X-Received: by 2002:a81:4f87:0:b0:2e5:dc8f:b4e with SMTP id d129-20020a814f87000000b002e5dc8f0b4emr372460ywb.467.1648657204857; Wed, 30 Mar 2022 09:20:04 -0700 (PDT) MIME-Version: 1.0 References: <10c1e561-8f01-784f-c4f4-a7c551de0644@uls.co.za> In-Reply-To: From: Eric Dumazet Date: Wed, 30 Mar 2022 09:19:53 -0700 Message-ID: Subject: Re: linux 5.17.1 disregarding ACK values resulting in stalled TCP connections To: Jaco Kroon Cc: Neal Cardwell , LKML , Netdev , Yuchung Cheng Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-9.5 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE, USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 30, 2022 at 9:04 AM Jaco Kroon wrote: > > Hi, > > On 2022/03/30 15:56, Neal Cardwell wrote: > > On Wed, Mar 30, 2022 at 2:22 AM Jaco Kroon wrote: > >> Hi Eric, > >> > >> On 2022/03/30 05:48, Eric Dumazet wrote: > >>> On Tue, Mar 29, 2022 at 7:58 PM Jaco Kroon wrote: > >>> > >>> I do not think this commit is related to the issue you have. > >>> > >>> I guess you could try a revert ? > >>> > >>> Then, if you think old linux versions were ok, start a bisection ? > >> That'll be interesting, will see if I can reproduce on a non-production > >> host. > >>> Thank you. > >>> > >>> (I do not see why a successful TFO would lead to a freeze after ~70 KB > >>> of data has been sent) > >> I do actually agree with this in that it makes no sense, but disabling > >> TFO definitely resolved the issue for us. > >> > >> Kind Regards, > >> Jaco > > Thanks for the pcap trace! That's a pretty strange trace. I agree with > > Eric's theory that this looks like one or more bugs in a firewall, > > middlebox, or netfilter rule. From the trace it looks like the buggy > > component is sometimes dropping packets and sometimes corrupting them > > so that the client's TCP stack ignores them. > The capture was taken on the client. So the only firewall there is > iptables, and I redirected all -j DROP statements to a L_DROP chain > which did a -j LOG prior to -j DROP - didn't pick up any drops here. > > > > Interestingly, in that trace the client SYN has a TFO option and > > cookie, but no data in the SYN. > > So this allows the SMTP server which in the conversation speaks first to > identify itself to respond with data in the SYN (not sure that was > actually happening but if I recall I did see it send data prior to > receiving the final ACK on the handshake. > > > > > The last packet that looks sane/normal is the ACK from the SMTP server > > that looks like: > > > > 00:00:00.000010 IP6 2a00:1450:4013:c16::1a.25 > > > 2c0f:f720:0:3:d6ae:52ff:feb8:f27b.48590: . 6260:6260(0) ack 66263 win > > 774 > > > > That's the first ACK that crosses past 2^16. Maybe that is a > > coincidence, or maybe not. Perhaps the buggy firewall/middlebox/etc is > > I believe it should be because we literally had this on every single > connection going out to Google's SMTP ... probably 1/100 connections > managed to deliver an email over the connection. Then again ... 64KB > isn't that much ... > > When you state sane/normal, do you mean there is fault with the other > frames that could not be explained by packet loss in one or both of the > directions? > > > confused by the TFO option, corrupts its state, and thereafter behaves > > incorrectly past the first 64 KBytes of data from the client. > > Only firewalls we've got are netfilter based, and these packets all > passed through the dedicated firewalls at least by the time they reach > here. No middleboxes on our end, and if this was Google's side there > would be crazy noise be heard, not just me. I think the trigger is > packet loss between us (as indicated we know they have link congestion > issues in JHB area, it took us the better part of two weeks to get the > first line tech on their side to just query the internal teams and > probably another week to get the response acknowledging this - > mybroadband.co.za has an article about other local ISPs also complaining). > > > > > In addition to checking for checksum failures, mentioned by Eric, you > > could look for PAWS failures, something like: > > > > nstat -az | egrep -i 'TcpInCsumError|PAWS' > > TcpInCsumErrors 0 0.0 > TcpExtPAWSActive 0 0.0 > TcpExtPAWSEstab 90092 0.0 > TcpExtTCPACKSkippedPAWS 81317 0.0 > > Not sure what these mean, but i should probably investigate, the latter > two are definitely incrementing. > > Appreciate the feedback and for looking at the traces. > Your pcap does not show any obvious PAWS issues. If the host is lightly loaded you could try while the connection is attempted/frozen perf record -a -g -e skb:kfree_skb sleep 30 perf script (or perf report)