From: Eric Dumazet <edumazet@xxxxxxxxxx> commit 36534d3c54537bf098224a32dc31397793d4594d upstream. Due to timer wheel implementation, a timer will usually fire after its schedule. For instance, for HZ=1000, a timeout between 512ms and 4s has a granularity of 64ms. For this range of values, the extra delay could be up to 63ms. For TCP, this means that tp->rcv_tstamp may be after inet_csk(sk)->icsk_timeout whenever the timer interrupt finally triggers, if one packet came during the extra delay. We need to make sure tcp_rtx_probe0_timed_out() handles this case. Fixes: e89688e3e978 ("net: tcp: fix unexcepted socket die when snd_wnd is 0") Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx> Cc: Menglong Dong <imagedong@xxxxxxxxxxx> Acked-by: Neal Cardwell <ncardwell@xxxxxxxxxx> Reviewed-by: Jason Xing <kerneljasonxing@xxxxxxxxx> Link: https://lore.kernel.org/r/20240607125652.1472540-1-edumazet@xxxxxxxxxx Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/ipv4/tcp_timer.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/net/ipv4/tcp_timer.c +++ b/net/ipv4/tcp_timer.c @@ -439,8 +439,13 @@ static bool tcp_rtx_probe0_timed_out(con { const struct tcp_sock *tp = tcp_sk(sk); const int timeout = TCP_RTO_MAX * 2; - u32 rcv_delta, rtx_delta; + u32 rtx_delta; + s32 rcv_delta; + /* Note: timer interrupt might have been delayed by at least one jiffy, + * and tp->rcv_tstamp might very well have been written recently. + * rcv_delta can thus be negative. + */ rcv_delta = inet_csk(sk)->icsk_timeout - tp->rcv_tstamp; if (rcv_delta <= timeout) return false; Patches currently in stable-queue which might be from 3wNKVZggKBvcdctlZydsfnnfkd.bnlfqdfjgkhmtwentmcZshnm.nqf@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx are queue-5.4/tcp-use-signed-arithmetic-in-tcp_rtx_probe0_timed_out.patch