[PATCH] tcp: check socket state before calling WARN_ON

From: Youngmin Nam
Date: Tue Dec 03 2024 - 03:12:31 EST


We encountered the following WARNINGs
in tcp_sacktag_write_queue()/tcp_fastretrans_alert()
which triggered a kernel panic due to panic_on_warn.

case 1.
------------[ cut here ]------------
WARNING: CPU: 4 PID: 453 at net/ipv4/tcp_input.c:2026
Call trace:
tcp_sacktag_write_queue+0xae8/0xb60
tcp_ack+0x4ec/0x12b8
tcp_rcv_state_process+0x22c/0xd38
tcp_v4_do_rcv+0x220/0x300
tcp_v4_rcv+0xa5c/0xbb4
ip_protocol_deliver_rcu+0x198/0x34c
ip_local_deliver_finish+0x94/0xc4
ip_local_deliver+0x74/0x10c
ip_rcv+0xa0/0x13c
Kernel panic - not syncing: kernel: panic_on_warn set ...

case 2.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 648 at net/ipv4/tcp_input.c:3004
Call trace:
tcp_fastretrans_alert+0x8ac/0xa74
tcp_ack+0x904/0x12b8
tcp_rcv_state_process+0x22c/0xd38
tcp_v4_do_rcv+0x220/0x300
tcp_v4_rcv+0xa5c/0xbb4
ip_protocol_deliver_rcu+0x198/0x34c
ip_local_deliver_finish+0x94/0xc4
ip_local_deliver+0x74/0x10c
ip_rcv+0xa0/0x13c
Kernel panic - not syncing: kernel: panic_on_warn set ...

When we check the socket state value at the time of the issue,
it was 0x4.

skc_state = 0x4,

This is "TCP_FIN_WAIT1" and which means the device closed its socket.

enum {
TCP_ESTABLISHED = 1,
TCP_SYN_SENT,
TCP_SYN_RECV,
TCP_FIN_WAIT1,

And also this means tp->packets_out was initialized as 0
by tcp_write_queue_purge().

In a congested network situation, a TCP ACK for
an already closed session may be received with a delay from the peer.
This can trigger the WARN_ON macro to help debug the situation.

To make this situation more meaningful, we would like to call
WARN_ON only when the state of the socket is "TCP_ESTABLISHED".
This will prevent the kernel from triggering a panic
due to panic_on_warn.

Signed-off-by: Youngmin Nam <youngmin.nam@xxxxxxxxxxx>
---
net/ipv4/tcp_input.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 5bdf13ac26ef..62f4c285ab80 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2037,7 +2037,8 @@ tcp_sacktag_write_queue(struct sock *sk, const struct sk_buff *ack_skb,
WARN_ON((int)tp->sacked_out < 0);
WARN_ON((int)tp->lost_out < 0);
WARN_ON((int)tp->retrans_out < 0);
- WARN_ON((int)tcp_packets_in_flight(tp) < 0);
+ if (sk->sk_state == TCP_ESTABLISHED)
+ WARN_ON((int)tcp_packets_in_flight(tp) < 0);
#endif
return state->flag;
}
@@ -3080,7 +3081,8 @@ static void tcp_fastretrans_alert(struct sock *sk, const u32 prior_snd_una,
return;

/* C. Check consistency of the current state. */
- tcp_verify_left_out(tp);
+ if (sk->sk_state == TCP_ESTABLISHED)
+ tcp_verify_left_out(tp);

/* D. Check state exit conditions. State can be terminated
* when high_seq is ACKed. */
--
2.39.2