From: Eric Dumazet <[email protected]> Date: Mon, 5 Oct 2020 06:48:13 -0700
> From: Eric Dumazet <[email protected]> > > We got reports from GKE customers flows being reset by netfilter > conntrack unless nf_conntrack_tcp_be_liberal is set to 1. > > Traces seemed to suggest ACK packet being dropped by the > packet capture, or more likely that ACK were received in the > wrong order. > > wscale=7, SYN and SYNACK not shown here. > > This ACK allows the sender to send 1871*128 bytes from seq 51359321 : > New right edge of the window -> 51359321+1871*128=51598809 ... > Now imagine ACK were delivered out of order and tcp_add_backlog() sets > window based on wrong packet. > New right edge of the window -> 51521241+859*128=51631193 > > Normally TCP stack handles OOO packets just fine, but it > turns out tcp_add_backlog() does not. It can update the window > field of the aggregated packet even if the ACK sequence > of the last received packet is too old. > > Many thanks to Alexandre Ferrieux for independently reporting the issue > and suggesting a fix. > > Fixes: 4f693b55c3d2 ("tcp: implement coalescing on backlog queue") > Signed-off-by: Eric Dumazet <[email protected]> > Reported-by: Alexandre Ferrieux <[email protected]> Applied and queued up for -stable, thank you.
