[5.10,099/167] tcp: disable TFO blackhole logic by default

Message ID	20210726153842.719316961@linuxfoundation.org
State	New
Headers	show Return-Path: <stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Wei Wang <weiwan@google.com>, Eric Dumazet <edumazet@google.com>, Neal Cardwell <ncardwell@google.com>, Soheil Hassas Yeganeh <soheil@google.com>, Yuchung Cheng <ycheng@google.com>, "David S. Miller" <davem@davemloft.net>, Sasha Levin <sashal@kernel.org> Subject: [PATCH 5.10 099/167] tcp: disable TFO blackhole logic by default Date: Mon, 26 Jul 2021 17:38:52 +0200 Message-Id: <20210726153842.719316961@linuxfoundation.org> In-Reply-To: <20210726153839.371771838@linuxfoundation.org> References: <20210726153839.371771838@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [5.10,003/167] igc: change default return of igc_read_phy_reg() [5.10,006/167] igb: Fix an error handling path in igb_probe() [5.10,008/167] e1000e: Fix an error handling path in e1000_probe() [5.10,011/167] igb: Fix position of assignment to *ring [5.10,013/167] net: add kcov handle to skb extensions [5.10,014/167] net: Introduce preferred busy-polling [5.10,017/167] ixgbevf: use xso.real_dev instead of xso.dev in callback functions of struct xfrmd... [5.10,018/167] bonding: fix suspicious RCU usage in bond_ipsec_del_sa() [5.10,020/167] bonding: Add struct bond_ipesc to manage SA [5.10,022/167] bonding: fix incorrect return value of bond_ipsec_offload_ok() [5.10,024/167] stmmac: platform: Fix signedness bug in stmmac_probe_config_dt() [5.10,027/167] pwm: sprd: Ensure configuring period and duty_cycle isnt wrongly skipped [5.10,028/167] cxgb4: fix IRQ free race during driver unload [5.10,032/167] KVM: x86/pmu: Clear anythread deprecated bit when 0xa leaf is unsupported on the SVM [5.10,034/167] perf map: Fix dso->nsinfo refcounting [5.10,035/167] perf probe: Fix dso->nsinfo refcounting [5.10,037/167] perf test session_topology: Delete session->evlist [5.10,039/167] perf dso: Fix memory leak in dso__new_map() [5.10,040/167] perf test maps__merge_in: Fix memory leak of maps [5.10,042/167] perf report: Free generated help strings for sort option [5.10,044/167] perf lzma: Close lzma stream on exit [5.10,046/167] perf data: Close all files in close_dir() [5.10,048/167] ASoC: wm_adsp: Correct wm_coeff_tlv_get handling [5.10,051/167] regulator: hi6421: Use correct variable type for regmap api val argument [5.10,053/167] spi: mediatek: fix fifo rx mode [5.10,055/167] bpf, test: fix NULL pointer dereference on invalid expected_attach_type [5.10,057/167] xdp, net: Fix use-after-free in bpf_xdp_link_release [5.10,059/167] liquidio: Fix unintentional sign extension issue on left shift of u16 [5.10,060/167] s390/bpf: Perform r1 range checking before accessing jit->seen_reg[r1] [5.10,062/167] bpf, sockmap, tcp: sk_prot needs inuse_idx set for proc stats [5.10,064/167] bpftool: Check malloc return value in mount_bpffs_for_pin [5.10,068/167] efi/tpm: Differentiate missing and invalid final event log table. [5.10,073/167] sctp: trim optlen when its a huge value in sctp_setsockopt [5.10,074/167] netrom: Decrease sock refcount when sock timers expire [5.10,075/167] scsi: iscsi: Fix iface sysfs attr detection [5.10,078/167] ACPI: Kconfig: Fix table override from built-in initrd [5.10,080/167] bnxt_en: Refresh RoCE capabilities in bnxt_ulp_probe() [5.10,082/167] bnxt_en: Validate vlan protocol ID on RX packets [5.10,084/167] net: hisilicon: rename CACHE_LINE_MASK to avoid redefinition [5.10,086/167] ALSA: hda: intel-dsp-cfg: add missing ElkhartLake PCI ID [5.10,087/167] net: hns3: fix possible mismatches resp of mailbox [5.10,089/167] spi: spi-bcm2835: Fix deadlock [5.10,091/167] ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions [5.10,093/167] nvme-pci: dont WARN_ON in nvme_reset_work if ctrl.state is not RESETTING [5.10,095/167] afs: Fix tracepoint string placement with built-in AFS [5.10,097/167] nvme: set the PRACT bit when using Write Zeroes with T10 PI [5.10,098/167] sctp: update active_key for asoc when old key is being replaced [5.10,099/167] tcp: disable TFO blackhole logic by default [5.10,102/167] drm/panel: raspberrypi-touchscreen: Prevent double-free [5.10,104/167] cifs: fix fallocate when trying to allocate a hole. [5.10,105/167] proc: Avoid mixing integer types in mem_rw() [5.10,107/167] s390/ftrace: fix ftrace_update_ftrace_func implementation [5.10,108/167] s390/boot: fix use of expolines in the DMA code [5.10,109/167] ALSA: usb-audio: Add missing proc text entry for BESPOKEN type [5.10,110/167] ALSA: usb-audio: Add registration quirk for JBL Quantum headsets [5.10,112/167] ALSA: hda/realtek: Fix pop noise and 2 Front Mic issues on a machine [5.10,116/167] Revert "usb: renesas-xhci: Fix handling of unknown ROM state" [5.10,117/167] usb: xhci: avoid renesas_usb_fw.mem when its unusable [5.10,118/167] xhci: Fix lost USB 2 remote wake [5.10,120/167] KVM: PPC: Book3S HV Nested: Sanitise H_ENTER_NESTED TM state [5.10,123/167] USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS [5.10,126/167] USB: serial: option: add support for u-blox LARA-R6 family [5.10,127/167] USB: serial: cp210x: fix comments for GE CS1000 [5.10,130/167] usb: dwc2: gadget: Fix GOUTNAK flow for Slave mode. [5.10,132/167] usb: typec: stusb160x: register role switch before interrupt registration [5.10,134/167] tracepoints: Update static_call before tp_funcs when adding a tracepoint [5.10,135/167] tracing/histogram: Rename "cpu" to "common_cpu" [5.10,136/167] tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop. [5.10,139/167] media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf() [5.10,141/167] bus: mhi: core: Validate channel ID when processing command completions [5.10,145/167] io_uring: remove double poll entry on arm failure [5.10,147/167] memblock: make for_each_mem_range() traverse MEMBLOCK_HOTPLUG regions [5.10,148/167] hugetlbfs: fix mount mode command line processing [5.10,150/167] rbd: always kick acquire on "acquired" and "released" notifications [5.10,153/167] driver core: Prevent warning when removing a device link from unregistered consumer [5.10,154/167] Revert "drm/i915: Propagate errors on awaiting already signaled fences" [5.10,157/167] net: dsa: mv88e6xxx: enable SerDes RX stats for Topaz [5.10,160/167] bonding: fix build issue [5.10,161/167] skbuff: Release nfct refcount on napi stolen or re-used skbs [5.10,166/167] sfc: ensure correct number of XDP queues [5.10,167/167] xhci: add xhci_get_virt_ep() helper

Message ID

20210726153842.719316961@linuxfoundation.org

State

New

Headers

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Wei Wang <weiwan@google.com>,
	Eric Dumazet <edumazet@google.com>, Neal Cardwell <ncardwell@google.com>,
	Soheil Hassas Yeganeh <soheil@google.com>,
	Yuchung Cheng <ycheng@google.com>,
	"David S. Miller" <davem@davemloft.net>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 099/167] tcp: disable TFO blackhole logic by default
Date: Mon, 26 Jul 2021 17:38:52 +0200
Message-Id: <20210726153842.719316961@linuxfoundation.org>
In-Reply-To: <20210726153839.371771838@linuxfoundation.org>
References: <20210726153839.371771838@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

None | expand

Commit Message

Greg Kroah-Hartman July 26, 2021, 3:38 p.m. UTC

From: Wei Wang <weiwan@google.com>

[ Upstream commit 213ad73d06073b197a02476db3a4998e219ddb06 ]

Multiple complaints have been raised from the TFO users on the internet
stating that the TFO blackhole logic is too aggressive and gets falsely
triggered too often.
(e.g. https://blog.apnic.net/2021/07/05/tcp-fast-open-not-so-fast/)
Considering that most middleboxes no longer drop TFO packets, we decide
to disable the blackhole logic by setting
/proc/sys/net/ipv4/tcp_fastopen_blackhole_timeout_set to 0 by default.

Fixes: cf1ef3f0719b4 ("net/tcp_fastopen: Disable active side TFO in certain scenarios")
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Documentation/networking/ip-sysctl.rst | 2 +-
 net/ipv4/tcp_fastopen.c                | 9 ++++++++-
 net/ipv4/tcp_ipv4.c                    | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)

Comments

Pavel Machek July 28, 2021, 10:12 a.m. UTC | #1

Hi!

> [ Upstream commit 213ad73d06073b197a02476db3a4998e219ddb06 ]

> 

> Multiple complaints have been raised from the TFO users on the internet

> stating that the TFO blackhole logic is too aggressive and gets falsely

> triggered too often.

> (e.g. https://blog.apnic.net/2021/07/05/tcp-fast-open-not-so-fast/)

> Considering that most middleboxes no longer drop TFO packets, we decide

> to disable the blackhole logic by setting

> /proc/sys/net/ipv4/tcp_fastopen_blackhole_timeout_set to 0 by

> default.


I understand this makes sense for mainline, but should we have this in
stable? Somebody may still be using broken middlebox with their
"stable" server.

Best regards,
								Pavel

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

Yuchung Cheng July 28, 2021, 4:32 p.m. UTC | #2

On Wed, Jul 28, 2021 at 3:12 AM Pavel Machek <pavel@denx.de> wrote:
>

> Hi!

>

> > [ Upstream commit 213ad73d06073b197a02476db3a4998e219ddb06 ]

> >

> > Multiple complaints have been raised from the TFO users on the internet

> > stating that the TFO blackhole logic is too aggressive and gets falsely

> > triggered too often.

> > (e.g. https://blog.apnic.net/2021/07/05/tcp-fast-open-not-so-fast/)

> > Considering that most middleboxes no longer drop TFO packets, we decide

> > to disable the blackhole logic by setting

> > /proc/sys/net/ipv4/tcp_fastopen_blackhole_timeout_set to 0 by

> > default.

>

> I understand this makes sense for mainline, but should we have this in

> stable? Somebody may still be using broken middlebox with their

> "stable" server.

Thank you Pavel for raising this issue. You made a good point.

The enabled-by-default policy has caused disruptions to applications.
We have received quite a few others over the years beside the cited
report. Other major TFO implementations (e.g. iOS, Windows) do not
have such mechanisms and seem to work fine.

On the other hand maybe we do not hear middlebox issues because this
mechanism is working. So I am okay to avoid applying to stable and
keep in net-next to test this new policy.

>

> Best regards,

>                                                                 Pavel

>

> --

> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk

> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
index 4abcfff15e38..4822a058a81d 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -751,7 +751,7 @@  tcp_fastopen_blackhole_timeout_sec - INTEGER
 	initial value when the blackhole issue goes away.
 	0 to disable the blackhole detection.
 
-	By default, it is set to 1hr.
+	By default, it is set to 0 (feature is disabled).
 
 tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs
 	The list consists of a primary key and an optional backup key. The
diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
index 08548ff23d83..d49709ba8e16 100644
--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -507,6 +507,9 @@  void tcp_fastopen_active_disable(struct sock *sk)
 {
 	struct net *net = sock_net(sk);
 
+	if (!sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout)
+		return;
+
 	/* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */
 	WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies);
 
@@ -526,10 +529,14 @@  void tcp_fastopen_active_disable(struct sock *sk)
 bool tcp_fastopen_active_should_disable(struct sock *sk)
 {
 	unsigned int tfo_bh_timeout = sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout;
-	int tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times);
 	unsigned long timeout;
+	int tfo_da_times;
 	int multiplier;
 
+	if (!tfo_bh_timeout)
+		return false;
+
+	tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times);
 	if (!tfo_da_times)
 		return false;
 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 5212db9ea157..04e259a04443 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2913,7 +2913,7 @@  static int __net_init tcp_sk_init(struct net *net)
 	net->ipv4.sysctl_tcp_comp_sack_nr = 44;
 	net->ipv4.sysctl_tcp_fastopen = TFO_CLIENT_ENABLE;
 	spin_lock_init(&net->ipv4.tcp_fastopen_ctx_lock);
-	net->ipv4.sysctl_tcp_fastopen_blackhole_timeout = 60 * 60;
+	net->ipv4.sysctl_tcp_fastopen_blackhole_timeout = 0;
 	atomic_set(&net->ipv4.tfo_active_disable_times, 0);
 
 	/* Reno is always built in */

[5.10,099/167] tcp: disable TFO blackhole logic by default

Commit Message

Comments

Patch