From: Greg Kroah-Hartman Date: Mon, 21 Aug 2023 13:51:24 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.4.12~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=56e1db7e65bafa259c8c82b8ac9f10360fda4ef5;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: netfilter-set-default-timeout-to-3-secs-for-sctp-shutdown-send-and-recv-state.patch
---
diff --git a/queue-6.1/netfilter-set-default-timeout-to-3-secs-for-sctp-shutdown-send-and-recv-state.patch b/queue-6.1/netfilter-set-default-timeout-to-3-secs-for-sctp-shutdown-send-and-recv-state.patch
new file mode 100644
index 00000000000..98248bd4c56
--- /dev/null
+++ b/queue-6.1/netfilter-set-default-timeout-to-3-secs-for-sctp-shutdown-send-and-recv-state.patch
@@ -0,0 +1,68 @@
+From 9bfab6d23a2865966a4f89a96536fbf23f83bc8c Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Tue, 15 Aug 2023 14:08:47 -0400
+Subject: netfilter: set default timeout to 3 secs for sctp shutdown send and recv state
+
+From: Xin Long
+
+commit 9bfab6d23a2865966a4f89a96536fbf23f83bc8c upstream.
+
+In SCTP protocol, it is using the same timer (T2 timer) for SHUTDOWN and
+SHUTDOWN_ACK retransmission. However in sctp conntrack the default timeout
+value for SCTP_CONNTRACK_SHUTDOWN_ACK_SENT state is 3 secs while it's 300
+msecs for SCTP_CONNTRACK_SHUTDOWN_SEND/RECV state.
+
+As Paolo Valerio noticed, this might cause unwanted expiration of the ct
+entry. In my test, with 1s tc netem delay set on the NAT path, after the
+SHUTDOWN is sent, the sctp ct entry enters SCTP_CONNTRACK_SHUTDOWN_SEND
+state. However, due to 300ms (too short) delay, when the SHUTDOWN_ACK is
+sent back from the peer, the sctp ct entry has expired and been deleted,
+and then the SHUTDOWN_ACK has to be dropped.
+
+Also, it is confusing these two sysctl options always show 0 due to all
+timeout values using sec as unit:
+
+ net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
+ net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
+
+This patch fixes it by also using 3 secs for sctp shutdown send and recv
+state in sctp conntrack, which is also RTO.initial value in SCTP protocol.
+
+Note that the very short time value for SCTP_CONNTRACK_SHUTDOWN_SEND/RECV
+was probably used for a rare scenario where SHUTDOWN is sent on 1st path
+but SHUTDOWN_ACK is replied on 2nd path, then a new connection started
+immediately on 1st path. So this patch also moves from SHUTDOWN_SEND/RECV
+to CLOSE when receiving INIT in the ORIGINAL direction.
+
+Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
+Reported-by: Paolo Valerio
+Signed-off-by: Xin Long
+Reviewed-by: Simon Horman
+Signed-off-by: Florian Westphal
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_conntrack_proto_sctp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -49,8 +49,8 @@ static const unsigned int sctp_timeouts[
+ [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
+ [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
+ [SCTP_CONNTRACK_ESTABLISHED] = 210 SECS,
+- [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
+- [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
++ [SCTP_CONNTRACK_SHUTDOWN_SENT] = 3 SECS,
++ [SCTP_CONNTRACK_SHUTDOWN_RECD] = 3 SECS,
+ [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
+ [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
+ };
+@@ -105,7 +105,7 @@ static const u8 sctp_conntracks[2][11][S
+ {
+ /* ORIGINAL */
+ /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS */
+-/* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW},
++/* init */ {sCL, sCL, sCW, sCE, sES, sCL, sCL, sSA, sCW},
+ /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL},
+ /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
+ /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL},
diff --git a/queue-6.1/series b/queue-6.1/series
index 699278928a3..62af34650a4 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -169,3 +169,4 @@ sched-fair-unlink-misfit-task-from-cpu-overutilized.patch
 sched-fair-remove-capacity-inversion-detection.patch
 drm-amd-display-implement-workaround-for-writing-to-otg_pixel_rate_div-register.patch
 hugetlb-do-not-clear-hugetlb-dtor-until-allocating-vmemmap.patch
+netfilter-set-default-timeout-to-3-secs-for-sctp-shutdown-send-and-recv-state.patch
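Review bot: The `init` row change in the inner `@@ -105,7 +105,7 @@` hunk makes an INIT seen in the ORIGINAL direction collapse `sSS`/`sSR` to `sCL`, but nothing in the table records why, and the reasoning (the old 300 ms timeout covered the SHUTDOWN-on-one-path / SHUTDOWN_ACK-on-another / immediate-new-association case) now lives only in the commit message. A comment above that row, `/* INIT in ORIGINAL while in sSS/sSR: peer started a new association, close now rather than wait for the 3 s timeout */`, would keep visible that the `@@ -49,8 +49,8 @@` timeout bump is only safe because of this transition, and that the two entries are meant to track `SCTP_CONNTRACK_SHUTDOWN_ACK_SENT`'s value. The REPLY-direction table and the `sctp_new()` path, which decide how an INIT from the other side is treated in those states, are outside the hunk, so I cannot confirm the two directions stay consistent. Both enclosing arrays (`sctp_timeouts[]` and `sctp_conntracks[2][11][...]`) and the `SECS` definition begin before the hunk.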