From 7d7b9f79661e57d11d7a145c67f192d63f92cf7b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 21 Aug 2023 15:48:04 +0200
Subject: [PATCH] 4.19-stable patches

added patches:
netfilter-set-default-timeout-to-3-secs-for-sctp-shutdown-send-and-recv-state.patch

---
 ...or-sctp-shutdown-send-and-recv-state.patch | 68 +++++++++++++++++++
 queue-4.19/series | 1 +
 2 files changed, 69 insertions(+)
 create mode 100644 queue-4.19/netfilter-set-default-timeout-to-3-secs-for-sctp-shutdown-send-and-recv-state.patch

diff --git a/queue-4.19/netfilter-set-default-timeout-to-3-secs-for-sctp-shutdown-send-and-recv-state.patch b/queue-4.19/netfilter-set-default-timeout-to-3-secs-for-sctp-shutdown-send-and-recv-state.patch
new file mode 100644
index 00000000000..24cc0c73e02
--- /dev/null
+++ b/queue-4.19/netfilter-set-default-timeout-to-3-secs-for-sctp-shutdown-send-and-recv-state.patch
@@ -0,0 +1,68 @@
+From 9bfab6d23a2865966a4f89a96536fbf23f83bc8c Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Tue, 15 Aug 2023 14:08:47 -0400
+Subject: netfilter: set default timeout to 3 secs for sctp shutdown send and recv state
+
+From: Xin Long
+
+commit 9bfab6d23a2865966a4f89a96536fbf23f83bc8c upstream.
+
+In SCTP protocol, it is using the same timer (T2 timer) for SHUTDOWN and
+SHUTDOWN_ACK retransmission. However in sctp conntrack the default timeout
+value for SCTP_CONNTRACK_SHUTDOWN_ACK_SENT state is 3 secs while it's 300
+msecs for SCTP_CONNTRACK_SHUTDOWN_SEND/RECV state.
+
+As Paolo Valerio noticed, this might cause unwanted expiration of the ct
+entry. In my test, with 1s tc netem delay set on the NAT path, after the
+SHUTDOWN is sent, the sctp ct entry enters SCTP_CONNTRACK_SHUTDOWN_SEND
+state. However, due to 300ms (too short) delay, when the SHUTDOWN_ACK is
+sent back from the peer, the sctp ct entry has expired and been deleted,
+and then the SHUTDOWN_ACK has to be dropped.
+
+Also, it is confusing these two sysctl options always show 0 due to all
+timeout values using sec as unit:
+
+ net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
+ net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
+
+This patch fixes it by also using 3 secs for sctp shutdown send and recv
+state in sctp conntrack, which is also RTO.initial value in SCTP protocol.
+
+Note that the very short time value for SCTP_CONNTRACK_SHUTDOWN_SEND/RECV
+was probably used for a rare scenario where SHUTDOWN is sent on 1st path
+but SHUTDOWN_ACK is replied on 2nd path, then a new connection started
+immediately on 1st path. So this patch also moves from SHUTDOWN_SEND/RECV
+to CLOSE when receiving INIT in the ORIGINAL direction.
+
+Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
+Reported-by: Paolo Valerio
+Signed-off-by: Xin Long
+Reviewed-by: Simon Horman
+Signed-off-by: Florian Westphal
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_conntrack_proto_sctp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -58,8 +58,8 @@ static const unsigned int sctp_timeouts[
+ [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
+ [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
+ [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
+- [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
+- [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
++ [SCTP_CONNTRACK_SHUTDOWN_SENT] = 3 SECS,
++ [SCTP_CONNTRACK_SHUTDOWN_RECD] = 3 SECS,
+ [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
+ [SCTP_CONNTRACK_HEARTBEAT_SENT] = 30 SECS,
+ [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
+@@ -119,7 +119,7 @@ static const u8 sctp_conntracks[2][11][S
+ {
+ /* ORIGINAL */
+ /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
+-/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
++/* init */ {sCW, sCW, sCW, sCE, sES, sCL, sCL, sSA, sCW, sHA},
+ /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
+ /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
+ /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
diff --git a/queue-4.19/series b/queue-4.19/series
index 9eccb9b3c8e..6b781c4f5b7 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -77,3 +77,4 @@ alsa-usb-audio-add-support-for-mythware-xa001au-capture-and-playback-interfaces.
 cifs-release-folio-lock-on-fscache-read-hit.patch
 mmc-wbsd-fix-double-mmc_free_host-in-wbsd_init.patch
 test_firmware-prevent-race-conditions-by-a-correct-implementation-of-locking.patch
+netfilter-set-default-timeout-to-3-secs-for-sctp-shutdown-send-and-recv-state.patch
-- 
2.47.3
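Review bot: The new `3 SECS` entries for SCTP_CONNTRACK_SHUTDOWN_SENT and SCTP_CONNTRACK_SHUTDOWN_RECD in the sctp_timeouts[] hunk carry no comment explaining why they must stay in step with SCTP_CONNTRACK_SHUTDOWN_ACK_SENT, so a later retuning of one entry alone would silently reintroduce the premature expiry the message describes; I would put above the three entries `/* SHUTDOWN and SHUTDOWN_ACK share SCTP's T2 timer (RTO.initial): keep these three equal. Values below 1 SECS also read as 0 via the nf_conntrack_sctp_timeout_* sysctls. */`. The changed `init` row in the sctp_conntracks[] hunk likewise deserves a short trailing comment, since the table header above it does not say that an INIT in the ORIGINAL direction now moves a SHUTDOWN_SENT/RECD entry to sCL instead of leaving it in place; the message's "new connection on 1st path" rationale is the thing to capture there. Both arrays begin outside their hunks, and the nested patch is a queued backport of upstream 9bfab6d23a2865966a4f89a96536fbf23f83bc8c, so any comment should be proposed upstream rather than added only to this 4.19 copy.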