Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp3355420pxb; Mon, 4 Apr 2022 14:29:32 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy22pGEoZtrEep6b52/Jl2bZpnX5rUgF7vFzXeXco1bc0Cgp+i9yzMsStdSedcuSjXEfM75 X-Received: by 2002:a17:90b:b18:b0:1ca:a816:621a with SMTP id bf24-20020a17090b0b1800b001caa816621amr313642pjb.36.1649107772064; Mon, 04 Apr 2022 14:29:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649107772; cv=none; d=google.com; s=arc-20160816; b=Dsj0GJ8l92kCrWs1CG1HJdXH00+GapftuqvZSBqrcwOP3cZi7vuXysZqeYfzdEt1ch 3pHEuZzXmjvuS0e+ulfrwmnFvm9YropAaDamPpoLQWLIi4NdcWLDh84EEJxdz8vL8qxf 338NSi6HF2GE7hBM1Cc2XDIuPGPmf2M8yTm67O/dGj6VkXnKrFeAGt8/Ct3qrSw6arGn l1xMliABlRjcA6hJ8+KVVR5lMmrSEqctupnhNjOvSDtcOI8sWHNhKAN9n/bKCxUifLCR RCyMWX87wfFcxOQ+pGQtR319ejjQoM7hR8RLMjLvi82Y67Mp5ax0l6cEae0ju0gG9O+7 408Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=RD/SL3A/PB4aGwlwZcvxfJZV+KuZPOFqFnL5Aicr83A=; b=Oob6eN8o+XtTU8iTWZnXUF8Z2XbXbtFMopqD3ZHE+TERpQ9xX/dRwMS//I1pC3uA1j 1s1elsr6XVf4dHqTlOZ0CqaPx+ladB4NVLBnzH3rsFs5FVqHZ2cllPiqV9JbgSAG0hz1 umnEiNFj9HxoVj0alvNABiMLEYP/M+aiWFs6n5lVa4DJIdpt22ayVa+Mhoq6aUB5xbkk QpuTh1Wk6jSNeYPZr0+TbqAx8ru3tUVcq7vklNnpyEOGGv409QE5lt6WD2X7VKS/wqon UBoMXTvG8fYrwKDnH0dPMQ2eFzT3Xne4raJNnTWp+ixdEiHO0Q4N/uIGJn1FLAWIxrXP YkXQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=EpjYyPme; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id c1-20020a056a000ac100b004fa3a8e0012si11561912pfl.201.2022.04.04.14.29.18; Mon, 04 Apr 2022 14:29:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=EpjYyPme; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231426AbiDBQbY (ORCPT + 99 others); Sat, 2 Apr 2022 12:31:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60846 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1358099AbiDBQbU (ORCPT ); Sat, 2 Apr 2022 12:31:20 -0400 Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D3E7ABCA4 for ; Sat, 2 Apr 2022 09:29:27 -0700 (PDT) Received: by mail-qk1-x72a.google.com with SMTP id w141so4444218qkb.6 for ; Sat, 02 Apr 2022 09:29:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=RD/SL3A/PB4aGwlwZcvxfJZV+KuZPOFqFnL5Aicr83A=; b=EpjYyPmehIo12xnnLZ4Q6ZXMqEnarR4szn/QCyQ3uDWA6cFGtxBie775H9pvpahSAZ qa2bE7oTrxUF0cg/DSrDD6VyCM95/wfbW3cRlPJ2STJ1g2YeWOcQ4v07TXqoqKQiKHep abcVkm/IKpiTI+GDn34ZZpzYaBuoiAOSx6wfYhNmCJT+hgZ0qenHL+Tzgq7tjAxLIASc Zab5/8rDYsF2wRYXLlKTLlZZUyZfSX7cLV7tUNq8xbbUH2HmPM8MgRWN5qtx1ZWRfi4Y pVIZpCicOoINqIKMBwEmRAFdnU/Lk+j40FGbBrXdZkLkr3I4qYCoWGPQxJg6JyZlaO+R uacw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=RD/SL3A/PB4aGwlwZcvxfJZV+KuZPOFqFnL5Aicr83A=; b=KRWChuud/aWEKFOUj973GLru/FCVnyYHM7+Ok5U/bKcMdDc+5wdej1Kj9N9GCpchth r1GK2POPTzTfLJsNtLbjL5w+fiZPq7TBYv5q80JSgu5gls39hRPoKF+DEkS3ytMh3zbf REK37SH8FB+6CX6OQhQf3ukYVoMiycrinxI8QA7v3t8CfBlcYcpAx8qKxYBfDP2weVyN hxxjSy6wnSF127m1rViCPXtjmfrRvpnlIpYyOZuZh9ZTU/4NymZv+6ScRCWjctBFKTEa 99H/rzkX1GE9WgAPeGuqqoEwOKMcElBGZRh0fl+aYTW1V7VDzFV5WZ8tsf2VEVGVkqjb 9mfQ== X-Gm-Message-State: AOAM532dcdrlpoIoaagWN4JeSZpC0O2TZurANzifuWXBXLAiCSgIqyhn l4dynFGEIUjefw+7FIHAKAqmGJh5sz6TeKAyyyleJnTslTXSFg== X-Received: by 2002:a37:bdc4:0:b0:67b:4cce:b058 with SMTP id n187-20020a37bdc4000000b0067b4cceb058mr9639516qkf.395.1648916966668; Sat, 02 Apr 2022 09:29:26 -0700 (PDT) MIME-Version: 1.0 References: <10c1e561-8f01-784f-c4f4-a7c551de0644@uls.co.za> <5f1bbeb2-efe4-0b10-bc76-37eff30ea905@uls.co.za> <429dd56b-8a6c-518f-ccb4-fa5beae30953@uls.co.za> In-Reply-To: <429dd56b-8a6c-518f-ccb4-fa5beae30953@uls.co.za> From: Neal Cardwell Date: Sat, 2 Apr 2022 12:29:10 -0400 Message-ID: Subject: Re: linux 5.17.1 disregarding ACK values resulting in stalled TCP connections To: Jaco Kroon Cc: Florian Westphal , Eric Dumazet , LKML , Netdev , Yuchung Cheng , Wei Wang Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org ) On Sat, Apr 2, 2022 at 4:42 AM Jaco Kroon wrote: > > Hi Neal, > > On 2022/04/01 17:39, Neal Cardwell wrote: > > On Tue, Mar 29, 2022 at 9:03 PM Jaco wrote: > > ... > >> Connection setup: > >> > >> 00:56:17.055481 IP6 2c0f:f720:0:3:d6ae:52ff:feb8:f27b.59110 > 2a00:145= 0:400c:c07::1b.25: Flags [S], seq 956633779, win 62580, options [mss 8940,n= op,nop,TS val 3687705482 ecr 0,nop,wscale 7,tfo cookie f025dd84b6122510,no= p,nop], length 0 > >> > >> 00:56:17.217747 IP6 2a00:1450:400c:c07::1b.25 > 2c0f:f720:0:3:d6ae:52f= f:feb8:f27b.59110: Flags [S.], seq 726465675, ack 956633780, win 65535, opt= ions [mss 1440,nop,nop,TS val 3477429218 ecr 3687705482,nop,wscale 8], leng= th 0 > >> > >> 00:56:17.218628 IP6 2a00:1450:400c:c07::1b.25 > 2c0f:f720:0:3:d6ae:52f= f:feb8:f27b.59110: Flags [P.], seq 726465676:726465760, ack 956633780, win = 256, options [nop,nop,TS val 3477429220 ecr 3687705482], length 84: SMTP: 2= 20 mx.google.com ESMTP e16-20020a05600c4e5000b0038c77be9b2dsi226281wmq.72 -= gsmtp > >> > >> 00:56:17.218663 IP6 2c0f:f720:0:3:d6ae:52ff:feb8:f27b.59110 > 2a00:145= 0:400c:c07::1b.25: Flags [.], ack 726465760, win 489, options [nop,nop,TS v= al 3687705645 ecr 3477429220], length 0 > >> > >> This is pretty normal, we advertise an MSS of 8940 and the return is 1= 440, thus > >> we shouldn't send segments larger than that, and they "can't". I need= to > >> determine if this is some form of offloading or they really are sendin= g >1500 > >> byte frames (which I know won't pass our firewalls without fragmentati= on so > >> probably some form of NIC offloading - which if it was active on older= 5.8 > >> kernels did not cause problems): > > Jaco, was there some previous kernel version on these client machines > > where this problem did not show up? Perhaps the v5.8 version you > > mention here? Can you please share the exact version number? > 5.8.14 Thanks for the client kernel version! (5.8.14) > > If so, a hypothesis would be: > > > > (1) There is a bug in netfilter's handling of TFO connections where > > the server sends a data packet after a TFO SYNACK, before the client > > ACKs anything (as we see in this trace). > > > > This bug is perhaps similar in character to the bug fixed by Yuchung's > > 2013 commit that Eric mentioned: > > > > 356d7d88e088687b6578ca64601b0a2c9d145296 > > netfilter: nf_conntrack: fix tcp_in_window for Fast Open > > > > (2) With kernel v5.8, TFO blackhole detection detected that in your > > workload there were TFO connections that died due to apparent > > blackholing (like what's shown in the trace), and dynamically disabled > > TFO on your machines. This allowed mail traffic to flow, because the > > netfilter bug was no longer tickled. This worked around the netfilter > > bug. > > > > (3) You upgraded your client-side machine from v5.8 to v5.17, which > > has the following commit from v5.14, which disables TFO blackhole > > logic by default: > > 213ad73d0607 tcp: disable TFO blackhole logic by default > > > > (4) Due to (3), the blackhole detection logic was no longer operative, > > and when the netfilter bug blackholed the connection, TFO stayed > > enabled. This caused mail traffic to Google to stall. > > > > This hypothesis would explain why: > > o disabling TFO fixes this problem > > o you are seeing this with a newer kernel (and apparently not with a > > kernel before v5.14?) > Agreed. > > > > With this hypothesis, we need several pieces to trigger this: > > > > (a) client side software that tries TFO to a server that supports TFO > > (like the exim mail transfer agent you are using, connecting to > > Google) > > > > (b) a client-side Linux kernel running buggy netfilter code (you are > > running netfilter) > > > > (c) a client-side Linux kernel with TFO support but no blackhole > > detection logic active (e.g. v5.14 or later, like your v5.17.1) > > > > That's probably a rare combination, so would explain why we have not > > had this report before. > > > > Jaco, to provide some evidence for this hypothesis, can you please > > re-enable fastopen but also enable the TFO blackhole detection that > > was disabled in v5.14 (213ad73d0607), with something like: > > > > sysctl -w net.ipv4.tcp_fastopen=3D1 > > sysctl -w tcp_fastopen_blackhole_timeout=3D3600 > > Done. Thanks for running that experiment and reporting your data! That was super-informative. So it seems like we have a working high-level theory about what's going on and where, and we just need to pinpoint the buggy lines in the netfilter conntrack code running on the mail client machines. > Including sysctl net.netfilter.nf_conntrack_log_invalid=3D6- which > generates lots of logs, something specific I should be looking for? I > suspect these relate: > > [Sat Apr 2 10:31:53 2022] nf_ct_proto_6: SEQ is over the upper bound > (over the window of the receiver) IN=3D OUT=3Dbond0 > SRC=3D2c0f:f720:0000:0003:d6ae:52ff:feb8:f27b > DST=3D2a00:1450:400c:0c08:0000:0000:0000:001a LEN=3D2928 TC=3D0 HOPLIMIT= =3D64 > FLOWLBL=3D867133 PROTO=3DTCP SPT=3D48920 DPT=3D25 SEQ=3D2689938314 ACK=3D= 4200412020 > WINDOW=3D447 RES=3D0x00 ACK PSH URGP=3D0 OPT (0101080A2F36C1C120EDFB91) U= ID=3D8 > GID=3D12 > [Sat Apr 2 10:31:53 2022] nf_ct_proto_6: SEQ is over the upper bound > (over the window of the receiver) IN=3D OUT=3Dbond0 > SRC=3D2c0f:f720:0000:0003:d6ae:52ff:feb8:f27b > DST=3D2a00:1450:400c:0c08:0000:0000:0000:001a LEN=3D2928 TC=3D0 HOPLIMIT= =3D64 > FLOWLBL=3D867133 PROTO=3DTCP SPT=3D48920 DPT=3D25 SEQ=3D2689941170 ACK=3D= 4200412020 > WINDOW=3D447 RES=3D0x00 ACK PSH URGP=3D0 OPT (0101080A2F36C1C120EDFB91) U= ID=3D8 > GID=3D12 > > (There are many more of those, and the remote side is Google in this case= ) FWIW those log entries indicate netfilter on the mail client machine dropping consecutive outbound skbs with 2*MSS of payload. So that explains the large consecutive losses of client data packets to the e-mail server. That seems to confirm my earlier hunch that those drops of consecutive client data packets "do not look like normal congestive packet loss". neal