On Sun, Feb 22, 2026 at 1:35 PM Simon Baatz via B4 Relay <[email protected]> wrote: > > From: Simon Baatz <[email protected]> > > Commit 2bd99aef1b19 ("tcp: accept bare FIN packets under memory > pressure") allowed accepting FIN packets in tcp_data_queue() even when > the receive window was closed, to prevent ACK/FIN loops with broken > clients. > > Such a FIN packet is in sequence, but because the FIN consumes a > sequence number, it extends beyond the window. Before commit > 9ca48d616ed7 ("tcp: do not accept packets beyond window"), > tcp_sequence() only required the seq to be within the window. After > that change, the entire packet (including the FIN) must fit within the > window. As a result, such FIN packets are now dropped and the handling > path is no longer reached. > > Be more lenient by not counting the sequence number consumed by the > FIN when calling tcp_sequence(), restoring the previous behavior for > cases where only the FIN extends beyond the window. > > Fixes: 9ca48d616ed7 ("tcp: do not accept packets beyond window")
OK, but this commit is fine ? It seems the issue is coming from buggy peers ? Eventually the receive queue would be drained by the application, the peer would retransmit this FIN, and it would be accepted. > Signed-off-by: Simon Baatz <[email protected]> > --- > net/ipv4/tcp_input.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c > index > e7b41abb82aad33d8cab4fcfa989cc4771149b41..fde612f12d3625000081958d13cec8779684a642 > 100644 > --- a/net/ipv4/tcp_input.c > +++ b/net/ipv4/tcp_input.c > @@ -6379,7 +6379,12 @@ static bool tcp_validate_incoming(struct sock *sk, > struct sk_buff *skb, > > step1: > /* Step 1: check sequence number */ > - reason = tcp_sequence(sk, TCP_SKB_CB(skb)->seq, > TCP_SKB_CB(skb)->end_seq); > + > + /* Some stacks are known to handle FIN incorrectly; allow the FIN > + * to extend beyond the window and check it in detail later. > + */ > + reason = tcp_sequence(sk, TCP_SKB_CB(skb)->seq, > + TCP_SKB_CB(skb)->end_seq - th->fin); I don't think this is the right fix. Basically it says that FIN do not count, but TCP RFC says otherwise. It also adds code in TCP fast path. See for reference commit 22555032c513e62fe744d4cdd553539897e8e922 Author: Eric Dumazet <[email protected]> Date: Thu Apr 18 21:45:58 2024 +0000 tcp: remove dubious FIN exception from tcp_cwnd_test() tcp_cwnd_test() has a special handing for the last packet in the write queue if it is smaller than one MSS and has the FIN flag. This is in violation of TCP RFC, and seems quite dubious. This packet can be sent only if the current CWND is bigger than the number of packets in flight. Making tcp_cwnd_test() result independent of the first skb in the write queue is needed for the last patch of the series. Signed-off-by: Eric Dumazet <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski <[email protected]>
