This is a note to let you know that I've just added the patch titled tcp: eliminate negative reordering in tcp_clean_rtx_queue to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: tcp-eliminate-negative-reordering-in-tcp_clean_rtx_queue.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Wed May 31 09:13:34 JST 2017 From: Soheil Hassas Yeganeh <soheil@xxxxxxxxxx> Date: Mon, 15 May 2017 17:05:47 -0400 Subject: tcp: eliminate negative reordering in tcp_clean_rtx_queue From: Soheil Hassas Yeganeh <soheil@xxxxxxxxxx> [ Upstream commit bafbb9c73241760023d8981191ddd30bb1c6dbac ] tcp_ack() can call tcp_fragment() which may dededuct the value tp->fackets_out when MSS changes. When prior_fackets is larger than tp->fackets_out, tcp_clean_rtx_queue() can invoke tcp_update_reordering() with negative values. This results in absurd tp->reodering values higher than sysctl_tcp_max_reordering. Note that tcp_update_reordering indeeds sets tp->reordering to min(sysctl_tcp_max_reordering, metric), but because the comparison is signed, a negative metric always wins. Fixes: c7caf8d3ed7a ("[TCP]: Fix reord detection due to snd_una covered holes") Reported-by: Rebecca Isaacs <risaacs@xxxxxxxxxx> Signed-off-by: Soheil Hassas Yeganeh <soheil@xxxxxxxxxx> Signed-off-by: Neal Cardwell <ncardwell@xxxxxxxxxx> Signed-off-by: Yuchung Cheng <ycheng@xxxxxxxxxx> Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/ipv4/tcp_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3233,7 +3233,7 @@ static int tcp_clean_rtx_queue(struct so int delta; /* Non-retransmitted hole got filled? That's reordering */ - if (reord < prior_fackets) + if (reord < prior_fackets && reord <= tp->fackets_out) tcp_update_reordering(sk, tp->fackets_out - reord, 0); delta = tcp_is_fack(tp) ? pkts_acked : Patches currently in stable-queue which might be from soheil@xxxxxxxxxx are queue-4.9/tcp-eliminate-negative-reordering-in-tcp_clean_rtx_queue.patch queue-4.9/net-packet-fix-missing-net_device-reference-release.patch queue-4.9/tcp-avoid-fragmenting-peculiar-skbs-in-sack.patch