From: Eric Dumazet <edumazet@xxxxxxxxxx> commit 9e046bb111f13461d3f9331e24e974324245140e upstream. Some applications were reporting ETIMEDOUT errors on apparently good looking flows, according to packet dumps. We were able to root cause the issue to an accidental setting of tp->retrans_stamp in the following scenario: - client sends TFO SYN with data. - server has TFO disabled, ACKs only SYN but not payload. - client receives SYNACK covering only SYN. - tcp_ack() eats SYN and sets tp->retrans_stamp to 0. - tcp_rcv_fastopen_synack() calls tcp_xmit_retransmit_queue() to retransmit TFO payload w/o SYN, sets tp->retrans_stamp to "now", but we are not in any loss recovery state. - TFO payload is ACKed. - we are not in any loss recovery state, and don't see any dupacks, so we don't get to any code path that clears tp->retrans_stamp. - tp->retrans_stamp stays non-zero for the lifetime of the connection. - after first RTO, tcp_clamp_rto_to_user_timeout() clamps second RTO to 1 jiffy due to bogus tp->retrans_stamp. - on clamped RTO with non-zero icsk_retransmits, retransmits_timed_out() sets start_ts from tp->retrans_stamp from TFO payload retransmit hours/days ago, and computes bogus long elapsed time for loss recovery, and suffers ETIMEDOUT early. Fixes: a7abf3cd76e1 ("tcp: consider using standard rtx logic in tcp_rcv_fastopen_synack()") CC: stable@xxxxxxxxxxxxxxx Co-developed-by: Neal Cardwell <ncardwell@xxxxxxxxxx> Signed-off-by: Neal Cardwell <ncardwell@xxxxxxxxxx> Co-developed-by: Yuchung Cheng <ycheng@xxxxxxxxxx> Signed-off-by: Yuchung Cheng <ycheng@xxxxxxxxxx> Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx> Link: https://lore.kernel.org/r/20240614130615.396837-1-edumazet@xxxxxxxxxx Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/ipv4/tcp_input.c | 1 + 1 file changed, 1 insertion(+) --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -6289,6 +6289,7 @@ static bool tcp_rcv_fastopen_synack(stru skb_rbtree_walk_from(data) tcp_mark_skb_lost(sk, data); tcp_xmit_retransmit_queue(sk); + tp->retrans_stamp = 0; NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPFASTOPENACTIVEFAIL); return true; Patches currently in stable-queue which might be from edumazet@xxxxxxxxxx are queue-6.9/ipv6-prevent-possible-null-deref-in-fib6_nh_init.patch queue-6.9/netdev-genl-fix-error-codes-when-outputting-xdp-feat.patch queue-6.9/batman-adv-bypass-empty-buckets-in-batadv_purge_orig.patch queue-6.9/ipv6-prevent-possible-null-dereference-in-rt6_probe.patch queue-6.9/af_packet-avoid-a-false-positive-warning-in-packet_s.patch queue-6.9/bpf-avoid-splat-in-pskb_pull_reason.patch queue-6.9/net-tcp_ao-don-t-leak-ao_info-on-error-path.patch queue-6.9/tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch queue-6.9/xfrm6-check-ip6_dst_idev-return-value-in-xfrm6_get_s.patch