Date: Wed, 24 Apr 2024 20:30:20 GMT
Message-Id: <202404242030.43OKUKet091584@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Michael Tuexen
Subject: git: d48e7e89e02f - stable/14 - TCP: Fix a rack bug that skyzall found which results in a crash.
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: tuexen
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: d48e7e89e02f3b7f56121bf2bedbff7c94b7e9ba
Auto-Submitted: auto-generated

The branch stable/14 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=d48e7e89e02f3b7f56121bf2bedbff7c94b7e9ba

commit d48e7e89e02f3b7f56121bf2bedbff7c94b7e9ba
Author:     Randall Stewart
AuthorDate: 2023-10-04 19:16:01 +0000
Commit:     Michael Tuexen
CommitDate: 2024-04-24 20:26:27 +0000

    TCP: Fix a rack bug that skyzall found which results in a crash.

    So when we call the fast_rsm retransmit path, we should always move
    snd_nxt back up to snd_max. In fact during ack-processing if snd_nxt
    falls behind it should be moved up there as well. Otherwise what can
    happen is we have an incorrect mark on snd_nxt and incorrectly
    calculate the offset when we go through the front path (which is what
    skzyall was able to do) then when we go to clean up the send the
    offset is all wrong and we crash.

    Special thanks to Gleb for pointing out the problem and the email
    that had the reproducer so I could find the issue.

    Reported-by: syzbot+f5061a372f74f021ec02@syzkaller.appspotmail.com
    Sponsored by: Netflix Inc

    (cherry picked from commit 8818f0f1124ea3d0e8028f85d667237536eba10c)
---
 sys/netinet/tcp_stacks/rack.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c index 889622b7ff90..0bc3b5588b7b 100644 --- a/sys/netinet/tcp_stacks/rack.c +++ b/sys/netinet/tcp_stacks/rack.c @@ -12346,8 +12346,8 @@ rack_process_ack(struct mbuf *m, struct tcphdr *th, struct socket *so, if (SEQ_GT(tp->snd_una, tp->snd_recover)) tp->snd_recover = tp->snd_una; - if (SEQ_LT(tp->snd_nxt, tp->snd_una)) { - tp->snd_nxt = tp->snd_una; + if (SEQ_LT(tp->snd_nxt, tp->snd_max)) { + tp->snd_nxt = tp->snd_max; } if (under_pacing && (rack->use_fixed_rate == 0) && @@ -16369,8 +16369,8 @@ rack_do_compressed_ack_processing(struct tcpcb *tp, struct socket *so, struct mb /* Send recover and snd_nxt must be dragged along */ if (SEQ_GT(tp->snd_una, tp->snd_recover)) tp->snd_recover = tp->snd_una; - if (SEQ_LT(tp->snd_nxt, tp->snd_una)) - tp->snd_nxt = tp->snd_una; + if (SEQ_LT(tp->snd_nxt, tp->snd_max)) + tp->snd_nxt = tp->snd_max; /* * If the RXT timer is running we want to * stop it, so we can restart a TLP (or new RXT). @@ -19118,6 +19118,8 @@ rack_fast_rsm_output(struct tcpcb *tp, struct tcp_rack *rack, struct rack_sendma lgb->tlb_errno = error; lgb = NULL; } + /* Move snd_nxt to snd_max so we don't have false retransmissions */ + tp->snd_nxt = tp->snd_max; if (error) { goto failed; } else if (rack->rc_hw_nobuf && (ip_sendflag != IP_NO_SND_TAG_RL)) {
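
Review bot: In the rack_process_ack() hunk, the new test SEQ_LT(tp->snd_nxt, tp->snd_max) only preserves the old guarantee that snd_nxt never sits below snd_una if snd_max is itself at or above snd_una at this point. Nothing in the hunk checks or documents that ordering, so an assertion or a one-line comment stating it would make the replacement of the snd_una clamp safe to read in isolation. The change also carries no comment explaining why snd_nxt is pulled to snd_max here, while the rack_fast_rsm_output() hunk does explain it; the same wording would fit above this if.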
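
Review bot: In the rack_do_compressed_ack_processing() hunk, the retained comment "Send recover and snd_nxt must be dragged along" no longer matches the code below it: snd_recover is still dragged up to snd_una, but snd_nxt is now moved to snd_max, which is a different target. Please split or reword the comment so it says that snd_nxt is kept at snd_max and why, since a reader comparing the two adjacent ifs will otherwise assume the second one is a typo for snd_una.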
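
Review bot: In the rack_fast_rsm_output() hunk, the added tp->snd_nxt = tp->snd_max; sits before the if (error) test, so it also runs on the path that jumps to failed, and it is unconditional where the two ack-processing hunks guard the same update with SEQ_LT(tp->snd_nxt, tp->snd_max). If resetting snd_nxt after a failed send is intended, the comment should say so; if not, the assignment belongs after the error check. It is also worth stating whether snd_nxt can ever be ahead of snd_max here, because the unguarded form would then move it backwards.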