--- /dev/null
+From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Wed, 22 Jul 2020 11:19:01 -0400
+Subject: AX.25: Fix out-of-bounds read in ax25_connect()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+[ Upstream commit 2f2a7ffad5c6cbf3d438e813cfdc88230e185ba6 ]
+
+Checks on `addr_len` and `fsa->fsa_ax25.sax25_ndigis` are insufficient.
+ax25_connect() can go out of bounds when `fsa->fsa_ax25.sax25_ndigis`
+equals to 7 or 8. Fix it.
+
+This issue has been reported as a KMSAN uninit-value bug, because in such
+a case, ax25_connect() reaches into the uninitialized portion of the
+`struct sockaddr_storage` statically allocated in __sys_connect().
+
+It is safe to remove `fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS` because
+`addr_len` is guaranteed to be less than or equal to
+`sizeof(struct full_sockaddr_ax25)`.
+
+Reported-by: syzbot+c82752228ed975b0a623@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=55ef9d629f3b3d7d70b69558015b63b48d01af66
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/af_ax25.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1191,7 +1191,9 @@ static int __must_check ax25_connect(str
+ if (addr_len > sizeof(struct sockaddr_ax25) &&
+ fsa->fsa_ax25.sax25_ndigis != 0) {
+ /* Valid number of digipeaters ? */
+- if (fsa->fsa_ax25.sax25_ndigis < 1 || fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS) {
++ if (fsa->fsa_ax25.sax25_ndigis < 1 ||
++ addr_len < sizeof(struct sockaddr_ax25) +
++ sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis) {
+ err = -EINVAL;
+ goto out_release;
+ }
--- /dev/null
+From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 23 Jul 2020 17:49:57 +0300
+Subject: AX.25: Prevent integer overflows in connect and sendmsg
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 17ad73e941b71f3bec7523ea4e9cbc3752461c2d ]
+
+We recently added some bounds checking in ax25_connect() and
+ax25_sendmsg() and we so we removed the AX25_MAX_DIGIS checks because
+they were no longer required.
+
+Unfortunately, I believe they are required to prevent integer overflows
+so I have added them back.
+
+Fixes: 8885bb0621f0 ("AX.25: Prevent out-of-bounds read in ax25_sendmsg()")
+Fixes: 2f2a7ffad5c6 ("AX.25: Fix out-of-bounds read in ax25_connect()")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/af_ax25.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1192,6 +1192,7 @@ static int __must_check ax25_connect(str
+ fsa->fsa_ax25.sax25_ndigis != 0) {
+ /* Valid number of digipeaters ? */
+ if (fsa->fsa_ax25.sax25_ndigis < 1 ||
++ fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS ||
+ addr_len < sizeof(struct sockaddr_ax25) +
+ sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis) {
+ err = -EINVAL;
+@@ -1512,7 +1513,9 @@ static int ax25_sendmsg(struct socket *s
+ struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax;
+
+ /* Valid number of digipeaters ? */
+- if (usax->sax25_ndigis < 1 || addr_len < sizeof(struct sockaddr_ax25) +
++ if (usax->sax25_ndigis < 1 ||
++ usax->sax25_ndigis > AX25_MAX_DIGIS ||
++ addr_len < sizeof(struct sockaddr_ax25) +
+ sizeof(ax25_address) * usax->sax25_ndigis) {
+ err = -EINVAL;
+ goto out;
--- /dev/null
+From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Wed, 22 Jul 2020 12:05:12 -0400
+Subject: AX.25: Prevent out-of-bounds read in ax25_sendmsg()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+[ Upstream commit 8885bb0621f01a6c82be60a91e5fc0f6e2f71186 ]
+
+Checks on `addr_len` and `usax->sax25_ndigis` are insufficient.
+ax25_sendmsg() can go out of bounds when `usax->sax25_ndigis` equals to 7
+or 8. Fix it.
+
+It is safe to remove `usax->sax25_ndigis > AX25_MAX_DIGIS`, since
+`addr_len` is guaranteed to be less than or equal to
+`sizeof(struct full_sockaddr_ax25)`
+
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/af_ax25.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1512,7 +1512,8 @@ static int ax25_sendmsg(struct socket *s
+ struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax;
+
+ /* Valid number of digipeaters ? */
+- if (usax->sax25_ndigis < 1 || usax->sax25_ndigis > AX25_MAX_DIGIS) {
++ if (usax->sax25_ndigis < 1 || addr_len < sizeof(struct sockaddr_ax25) +
++ sizeof(ax25_address) * usax->sax25_ndigis) {
+ err = -EINVAL;
+ goto out;
+ }
--- /dev/null
+From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST
+From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Date: Thu, 23 Jul 2020 11:31:48 -0600
+Subject: dev: Defer free of skbs in flush_backlog
+
+From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+
+[ Upstream commit 7df5cb75cfb8acf96c7f2342530eb41e0c11f4c3 ]
+
+IRQs are disabled when freeing skbs in input queue.
+Use the IRQ safe variant to free skbs here.
+
+Fixes: 145dd5f9c88f ("net: flush the softnet backlog in process context")
+Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4392,7 +4392,7 @@ static void flush_backlog(struct work_st
+ skb_queue_walk_safe(&sd->input_pkt_queue, skb, tmp) {
+ if (skb->dev->reg_state == NETREG_UNREGISTERING) {
+ __skb_unlink(skb, &sd->input_pkt_queue);
+- kfree_skb(skb);
++ dev_kfree_skb_irq(skb);
+ input_queue_head_incr(sd);
+ }
+ }
--- /dev/null
+From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST
+From: Xie He <xie.he.0141@gmail.com>
+Date: Thu, 16 Jul 2020 16:44:33 -0700
+Subject: drivers/net/wan/x25_asy: Fix to make it work
+
+From: Xie He <xie.he.0141@gmail.com>
+
+[ Upstream commit 8fdcabeac39824fe67480fd9508d80161c541854 ]
+
+This driver is not working because of problems of its receiving code.
+This patch fixes it to make it work.
+
+When the driver receives an LAPB frame, it should first pass the frame
+to the LAPB module to process. After processing, the LAPB module passes
+the data (the packet) back to the driver, the driver should then add a
+one-byte pseudo header and pass the data to upper layers.
+
+The changes to the "x25_asy_bump" function and the
+"x25_asy_data_indication" function are to correctly implement this
+procedure.
+
+Also, the "x25_asy_unesc" function ignores any frame that is shorter
+than 3 bytes. However the shortest frames are 2-byte long. So we need
+to change it to allow 2-byte frames to pass.
+
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Martin Schiller <ms@dev.tdt.de>
+Signed-off-by: Xie He <xie.he.0141@gmail.com>
+Reviewed-by: Martin Schiller <ms@dev.tdt.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/x25_asy.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wan/x25_asy.c
++++ b/drivers/net/wan/x25_asy.c
+@@ -186,7 +186,7 @@ static inline void x25_asy_unlock(struct
+ netif_wake_queue(sl->dev);
+ }
+
+-/* Send one completely decapsulated IP datagram to the IP layer. */
++/* Send an LAPB frame to the LAPB module to process. */
+
+ static void x25_asy_bump(struct x25_asy *sl)
+ {
+@@ -198,13 +198,12 @@ static void x25_asy_bump(struct x25_asy
+ count = sl->rcount;
+ dev->stats.rx_bytes += count;
+
+- skb = dev_alloc_skb(count+1);
++ skb = dev_alloc_skb(count);
+ if (skb == NULL) {
+ netdev_warn(sl->dev, "memory squeeze, dropping packet\n");
+ dev->stats.rx_dropped++;
+ return;
+ }
+- skb_push(skb, 1); /* LAPB internal control */
+ memcpy(skb_put(skb, count), sl->rbuff, count);
+ skb->protocol = x25_type_trans(skb, sl->dev);
+ err = lapb_data_received(skb->dev, skb);
+@@ -212,7 +211,6 @@ static void x25_asy_bump(struct x25_asy
+ kfree_skb(skb);
+ printk(KERN_DEBUG "x25_asy: data received err - %d\n", err);
+ } else {
+- netif_rx(skb);
+ dev->stats.rx_packets++;
+ }
+ }
+@@ -358,12 +356,21 @@ static netdev_tx_t x25_asy_xmit(struct s
+ */
+
+ /*
+- * Called when I frame data arrives. We did the work above - throw it
+- * at the net layer.
++ * Called when I frame data arrive. We add a pseudo header for upper
++ * layers and pass it to upper layers.
+ */
+
+ static int x25_asy_data_indication(struct net_device *dev, struct sk_buff *skb)
+ {
++ if (skb_cow(skb, 1)) {
++ kfree_skb(skb);
++ return NET_RX_DROP;
++ }
++ skb_push(skb, 1);
++ skb->data[0] = X25_IFACE_DATA;
++
++ skb->protocol = x25_type_trans(skb, dev);
++
+ return netif_rx(skb);
+ }
+
+@@ -659,7 +666,7 @@ static void x25_asy_unesc(struct x25_asy
+ switch (s) {
+ case X25_END:
+ if (!test_and_clear_bit(SLF_ERROR, &sl->flags) &&
+- sl->rcount > 2)
++ sl->rcount >= 2)
+ x25_asy_bump(sl);
+ clear_bit(SLF_ESCAPE, &sl->flags);
+ sl->rcount = 0;
--- /dev/null
+From foo@baz Wed 29 Jul 2020 12:20:23 PM CEST
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Mon, 13 Jul 2020 23:59:50 +0800
+Subject: ip6_gre: fix null-ptr-deref in ip6gre_init_net()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 46ef5b89ec0ecf290d74c4aee844f063933c4da4 ]
+
+KASAN report null-ptr-deref error when register_netdev() failed:
+
+KASAN: null-ptr-deref in range [0x00000000000003c0-0x00000000000003c7]
+CPU: 2 PID: 422 Comm: ip Not tainted 5.8.0-rc4+ #12
+Call Trace:
+ ip6gre_init_net+0x4ab/0x580
+ ? ip6gre_tunnel_uninit+0x3f0/0x3f0
+ ops_init+0xa8/0x3c0
+ setup_net+0x2de/0x7e0
+ ? rcu_read_lock_bh_held+0xb0/0xb0
+ ? ops_init+0x3c0/0x3c0
+ ? kasan_unpoison_shadow+0x33/0x40
+ ? __kasan_kmalloc.constprop.0+0xc2/0xd0
+ copy_net_ns+0x27d/0x530
+ create_new_namespaces+0x382/0xa30
+ unshare_nsproxy_namespaces+0xa1/0x1d0
+ ksys_unshare+0x39c/0x780
+ ? walk_process_tree+0x2a0/0x2a0
+ ? trace_hardirqs_on+0x4a/0x1b0
+ ? _raw_spin_unlock_irq+0x1f/0x30
+ ? syscall_trace_enter+0x1a7/0x330
+ ? do_syscall_64+0x1c/0xa0
+ __x64_sys_unshare+0x2d/0x40
+ do_syscall_64+0x56/0xa0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+ip6gre_tunnel_uninit() has set 'ign->fb_tunnel_dev' to NULL, later
+access to ign->fb_tunnel_dev cause null-ptr-deref. Fix it by saving
+'ign->fb_tunnel_dev' to local variable ndev.
+
+Fixes: dafabb6590cb ("ip6_gre: fix use-after-free in ip6gre_tunnel_lookup()")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_gre.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1130,15 +1130,16 @@ static void ip6gre_destroy_tunnels(struc
+ static int __net_init ip6gre_init_net(struct net *net)
+ {
+ struct ip6gre_net *ign = net_generic(net, ip6gre_net_id);
++ struct net_device *ndev;
+ int err;
+
+- ign->fb_tunnel_dev = alloc_netdev(sizeof(struct ip6_tnl), "ip6gre0",
+- NET_NAME_UNKNOWN,
+- ip6gre_tunnel_setup);
+- if (!ign->fb_tunnel_dev) {
++ ndev = alloc_netdev(sizeof(struct ip6_tnl), "ip6gre0",
++ NET_NAME_UNKNOWN, ip6gre_tunnel_setup);
++ if (!ndev) {
+ err = -ENOMEM;
+ goto err_alloc_dev;
+ }
++ ign->fb_tunnel_dev = ndev;
+ dev_net_set(ign->fb_tunnel_dev, net);
+ /* FB netdevice is special: we have one, and only one per netns.
+ * Allowing to move it to another netns is clearly unsafe.
+@@ -1158,7 +1159,7 @@ static int __net_init ip6gre_init_net(st
+ return 0;
+
+ err_reg_dev:
+- ip6gre_dev_free(ign->fb_tunnel_dev);
++ ip6gre_dev_free(ndev);
+ err_alloc_dev:
+ return err;
+ }
--- /dev/null
+From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Date: Tue, 21 Jul 2020 15:02:57 +0800
+Subject: net-sysfs: add a newline when printing 'tx_timeout' by sysfs
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 9bb5fbea59f36a589ef886292549ca4052fe676c ]
+
+When I cat 'tx_timeout' by sysfs, it displays as follows. It's better to
+add a newline for easy reading.
+
+root@syzkaller:~# cat /sys/devices/virtual/net/lo/queues/tx-0/tx_timeout
+0root@syzkaller:~#
+
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/net-sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -1018,7 +1018,7 @@ static ssize_t show_trans_timeout(struct
+ trans_timeout = queue->trans_timeout;
+ spin_unlock_irq(&queue->_xmit_lock);
+
+- return sprintf(buf, "%lu", trans_timeout);
++ return sprintf(buf, fmt_ulong, trans_timeout);
+ }
+
+ #ifdef CONFIG_XPS
--- /dev/null
+From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Tue, 21 Jul 2020 17:11:44 +0800
+Subject: net: udp: Fix wrong clean up for IS_UDPLITE macro
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit b0a422772fec29811e293c7c0e6f991c0fd9241d ]
+
+We can't use IS_UDPLITE to replace udp_sk->pcflag when UDPLITE_RECV_CC is
+checked.
+
+Fixes: b2bf1e2659b1 ("[UDP]: Clean up for IS_UDPLITE macro")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp.c | 2 +-
+ net/ipv6/udp.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1554,7 +1554,7 @@ int udp_queue_rcv_skb(struct sock *sk, s
+ /*
+ * UDP-Lite specific tests, ignored on UDP sockets
+ */
+- if ((is_udplite & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) {
++ if ((up->pcflag & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) {
+
+ /*
+ * MIB statistics other than incrementing the error count are
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -601,7 +601,7 @@ int udpv6_queue_rcv_skb(struct sock *sk,
+ /*
+ * UDP-Lite specific tests, ignored on UDP sockets (see net/ipv4/udp.c).
+ */
+- if ((is_udplite & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) {
++ if ((up->pcflag & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) {
+
+ if (up->pcrlen == 0) { /* full coverage was set */
+ net_dbg_ratelimited("UDPLITE6: partial coverage %d while full coverage %d requested\n",
--- /dev/null
+From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 20 Jul 2020 12:41:46 +0100
+Subject: rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 639f181f0ee20d3249dbc55f740f0167267180f0 ]
+
+rxrpc_sendmsg() returns EPIPE if there's an outstanding error, such as if
+rxrpc_recvmsg() indicating ENODATA if there's nothing for it to read.
+
+Change rxrpc_recvmsg() to return EAGAIN instead if there's nothing to read
+as this particular error doesn't get stored in ->sk_err by the networking
+core.
+
+Also change rxrpc_sendmsg() so that it doesn't fail with delayed receive
+errors (there's no way for it to report which call, if any, the error was
+caused by).
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/recvmsg.c | 2 +-
+ net/rxrpc/sendmsg.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/recvmsg.c
++++ b/net/rxrpc/recvmsg.c
+@@ -439,7 +439,7 @@ try_again:
+ list_empty(&rx->recvmsg_q) &&
+ rx->sk.sk_state != RXRPC_SERVER_LISTENING) {
+ release_sock(&rx->sk);
+- return -ENODATA;
++ return -EAGAIN;
+ }
+
+ if (list_empty(&rx->recvmsg_q)) {
+--- a/net/rxrpc/sendmsg.c
++++ b/net/rxrpc/sendmsg.c
+@@ -191,7 +191,7 @@ static int rxrpc_send_data(struct rxrpc_
+ /* this should be in poll */
+ sk_clear_bit(SOCKWQ_ASYNC_NOSPACE, sk);
+
+- if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))
++ if (sk->sk_shutdown & SEND_SHUTDOWN)
+ return -EPIPE;
+
+ more = msg->msg_flags & MSG_MORE;
parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch
ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch
ath9k-fix-regression-with-atheros-9271.patch
+ax.25-fix-out-of-bounds-read-in-ax25_connect.patch
+ax.25-prevent-out-of-bounds-read-in-ax25_sendmsg.patch
+dev-defer-free-of-skbs-in-flush_backlog.patch
+net-sysfs-add-a-newline-when-printing-tx_timeout-by-sysfs.patch
+net-udp-fix-wrong-clean-up-for-is_udplite-macro.patch
+rxrpc-fix-sendmsg-returning-epipe-due-to-recvmsg-returning-enodata.patch
+ax.25-prevent-integer-overflows-in-connect-and-sendmsg.patch
+tcp-allow-at-most-one-tlp-probe-per-flight.patch
+ip6_gre-fix-null-ptr-deref-in-ip6gre_init_net.patch
+drivers-net-wan-x25_asy-fix-to-make-it-work.patch
--- /dev/null
+From foo@baz Wed 29 Jul 2020 12:20:23 PM CEST
+From: Yuchung Cheng <ycheng@google.com>
+Date: Thu, 23 Jul 2020 12:00:06 -0700
+Subject: tcp: allow at most one TLP probe per flight
+
+From: Yuchung Cheng <ycheng@google.com>
+
+[ Upstream commit 76be93fc0702322179bb0ea87295d820ee46ad14 ]
+
+Previously TLP may send multiple probes of new data in one
+flight. This happens when the sender is cwnd limited. After the
+initial TLP containing new data is sent, the sender receives another
+ACK that acks partial inflight. It may re-arm another TLP timer
+to send more, if no further ACK returns before the next TLP timeout
+(PTO) expires. The sender may send in theory a large amount of TLP
+until send queue is depleted. This only happens if the sender sees
+such irregular uncommon ACK pattern. But it is generally undesirable
+behavior during congestion especially.
+
+The original TLP design restrict only one TLP probe per inflight as
+published in "Reducing Web Latency: the Virtue of Gentle Aggression",
+SIGCOMM 2013. This patch changes TLP to send at most one probe
+per inflight.
+
+Note that if the sender is app-limited, TLP retransmits old data
+and did not have this issue.
+
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/tcp.h | 4 +++-
+ net/ipv4/tcp_input.c | 11 ++++++-----
+ net/ipv4/tcp_output.c | 13 ++++++++-----
+ 3 files changed, 17 insertions(+), 11 deletions(-)
+
+--- a/include/linux/tcp.h
++++ b/include/linux/tcp.h
+@@ -218,6 +218,8 @@ struct tcp_sock {
+ u8 reord; /* reordering detected */
+ } rack;
+ u16 advmss; /* Advertised MSS */
++ u8 tlp_retrans:1, /* TLP is a retransmission */
++ unused_1:7;
+ u8 rate_app_limited:1, /* rate_{delivered,interval_us} limited? */
+ is_sack_reneg:1, /* in recovery from loss with SACK reneg? */
+ unused:6;
+@@ -234,7 +236,7 @@ struct tcp_sock {
+ syn_data_acked:1,/* data in SYN is acked by SYN-ACK */
+ save_syn:1, /* Save headers of SYN packet */
+ is_cwnd_limited:1;/* forward progress limited by snd_cwnd? */
+- u32 tlp_high_seq; /* snd_nxt at the time of TLP retransmit. */
++ u32 tlp_high_seq; /* snd_nxt at the time of TLP */
+
+ /* RTT measurement */
+ u32 srtt_us; /* smoothed round trip time << 3 in usecs */
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3566,10 +3566,8 @@ static void tcp_replace_ts_recent(struct
+ }
+ }
+
+-/* This routine deals with acks during a TLP episode.
+- * We mark the end of a TLP episode on receiving TLP dupack or when
+- * ack is after tlp_high_seq.
+- * Ref: loss detection algorithm in draft-dukkipati-tcpm-tcp-loss-probe.
++/* This routine deals with acks during a TLP episode and ends an episode by
++ * resetting tlp_high_seq. Ref: TLP algorithm in draft-ietf-tcpm-rack
+ */
+ static void tcp_process_tlp_ack(struct sock *sk, u32 ack, int flag)
+ {
+@@ -3578,7 +3576,10 @@ static void tcp_process_tlp_ack(struct s
+ if (before(ack, tp->tlp_high_seq))
+ return;
+
+- if (flag & FLAG_DSACKING_ACK) {
++ if (!tp->tlp_retrans) {
++ /* TLP of new data has been acknowledged */
++ tp->tlp_high_seq = 0;
++ } else if (flag & FLAG_DSACKING_ACK) {
+ /* This DSACK means original and TLP probe arrived; no loss */
+ tp->tlp_high_seq = 0;
+ } else if (after(ack, tp->tlp_high_seq)) {
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2357,6 +2357,11 @@ void tcp_send_loss_probe(struct sock *sk
+ int pcount;
+ int mss = tcp_current_mss(sk);
+
++ /* At most one outstanding TLP */
++ if (tp->tlp_high_seq)
++ goto rearm_timer;
++
++ tp->tlp_retrans = 0;
+ skb = tcp_send_head(sk);
+ if (skb) {
+ if (tcp_snd_wnd_test(tp, skb, mss)) {
+@@ -2379,10 +2384,6 @@ void tcp_send_loss_probe(struct sock *sk
+ return;
+ }
+
+- /* At most one outstanding TLP retransmission. */
+- if (tp->tlp_high_seq)
+- goto rearm_timer;
+-
+ if (skb_still_in_host_queue(sk, skb))
+ goto rearm_timer;
+
+@@ -2403,10 +2404,12 @@ void tcp_send_loss_probe(struct sock *sk
+ if (__tcp_retransmit_skb(sk, skb, 1))
+ goto rearm_timer;
+
++ tp->tlp_retrans = 1;
++
++probe_sent:
+ /* Record snd_nxt for loss detection. */
+ tp->tlp_high_seq = tp->snd_nxt;
+
+-probe_sent:
+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPLOSSPROBES);
+ /* Reset s.t. tcp_rearm_rto will restart timer from now */
+ inet_csk(sk)->icsk_pending = 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
