From: Jakub Kicinski
Date: Thu, 23 Apr 2026 18:04:05 +0000 (-0700)
Subject: Merge branch 'tcp-symmetric-challenge-ack-for-seg-ack-snd-nxt'
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7ebc650474bad55573eebe16854ed935ab262350;p=thirdparty%2Fkernel%2Fstable.git

Merge branch 'tcp-symmetric-challenge-ack-for-seg-ack-snd-nxt'

Jiayuan Chen says:

====================
tcp: symmetric challenge ACK for SEG.ACK > SND.NXT

Commit 354e4aa391ed ("tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation") quotes RFC 5961 Section 5.2 in full, which requires that any incoming segment whose ACK value falls outside [SND.UNA - MAX.SND.WND, SND.NXT] MUST be discarded and an ACK sent back. Linux currently sends that challenge ACK only on the lower edge (SEG.ACK < SND.UNA - MAX.SND.WND); on the symmetric upper edge (SEG.ACK > SND.NXT) the segment is silently dropped with SKB_DROP_REASON_TCP_ACK_UNSENT_DATA.

Patch 1 completes the mitigation by emitting a rate-limited challenge ACK on that branch, reusing tcp_send_challenge_ack() and honouring FLAG_NO_CHALLENGE_ACK for consistency with the lower-edge case. It also updates the existing tcp_ts_recent_invalid_ack.pkt selftest, which drives this exact path, to consume the new challenge ACK so bisect stays clean.

Patch 2 adds a new packetdrill selftest that exercises RFC 5961 Section 5.2 on both edges of the acceptable window, filling a gap in the selftests tree (neither edge had dedicated coverage before).
====================

Link: https://patch.msgid.link/20260422123605.320000-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski
---
7ebc650474bad55573eebe16854ed935ab262350
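
The acceptable-ACK window described in the cover letter above, worked as an added example (not the kernel's code and not part of the merged series). All type and function names are hypothetical; the `upper_edge_challenge` switch is an assumption introduced to show the old silent drop beside the symmetric behaviour, and rate limiting of the reply is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration; all names here are hypothetical, not kernel symbols. */
enum ack_verdict {
    ACK_ACCEPT,         /* SND.UNA <= SEG.ACK <= SND.NXT */
    ACK_OLD,            /* below SND.UNA but within MAX.SND.WND: in range */
    ACK_CHALLENGE_LOW,  /* SEG.ACK < SND.UNA - MAX.SND.WND: discard, send ACK */
    ACK_CHALLENGE_HIGH, /* SEG.ACK > SND.NXT: discard, send ACK */
    ACK_DROP_SILENT     /* out of range, discarded with no reply */
};

struct snd_state { uint32_t snd_una, snd_nxt, max_snd_wnd; };

/* Sequence numbers wrap at 2^32, so compare by signed distance. */
static bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* no_challenge models a caller that suppresses challenge ACKs (the role of
 * FLAG_NO_CHALLENGE_ACK in the cover letter). upper_edge_challenge == false
 * models the old silent drop on SEG.ACK > SND.NXT, true the symmetric reply. */
enum ack_verdict classify_ack(const struct snd_state *s, uint32_t seg_ack,
                              bool no_challenge, bool upper_edge_challenge)
{
    uint32_t low_edge = s->snd_una - s->max_snd_wnd; /* modular subtraction */

    if (seq_before(s->snd_nxt, seg_ack)) /* acknowledges data never sent */
        return (upper_edge_challenge && !no_challenge) ? ACK_CHALLENGE_HIGH
                                                       : ACK_DROP_SILENT;
    if (seq_before(seg_ack, low_edge)) /* older than any plausible ACK */
        return no_challenge ? ACK_DROP_SILENT : ACK_CHALLENGE_LOW;
    if (seq_before(seg_ack, s->snd_una))
        return ACK_OLD;
    return ACK_ACCEPT;
}

int main(void)
{
    /* Constructed state: the send window straddles the 2^32 wrap. */
    struct snd_state s = { 0xFFFFFF00u, 0x00000100u, 0x1000u };
    uint32_t acks[] = { 0x00000080u, 0xFFFFF000u, 0xFFFFEEFFu, 0x00000101u };

    for (unsigned i = 0; i < sizeof(acks) / sizeof(acks[0]); i++)
        printf("SEG.ACK=0x%08x old=%d symmetric=%d\n", (unsigned)acks[i],
               (int)classify_ack(&s, acks[i], false, false),
               (int)classify_ack(&s, acks[i], false, true));
    return 0;
}
```

Only the last constructed value (one past SND.NXT) changes verdict between the two modes, which is the behavioural difference a packet capture or selftest would observe.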