On 2024-05-21 01:51, David Gibson wrote:On Fri, May 17, 2024 at 11:24:14AM -0400, Jon Maloy wrote:The probes don't resolve the situation, so I skipped them in the latest version. Only payload data solves it.A bug in kernel TCP may lead to a deadlock where a zero window is sent from the peer, while it is unable to send out window updates even after reads have freed up enough buffer space to permit a larger window. In this situation, new window advertisemnts from the peer can only be triggered by packets arriving from this side. However, such packets are never sent, because the zero-window condition currently prevents this side from sending out any packets whatsoever to the peer. We notice that the above bug is triggered *only* after the peer has dropped an arriving packet because of severe memory squeeze, and that we hence always enter a retransmission situation when this occurs. This also means that it goes against the RFC 9293 recommendation that a previously advertised window never should shrink. RFC 9293 gives the solution to this situation. In chapter 3.6.1 we find the following statement: "A TCP receiver SHOULD NOT shrink the window, i.e., move the right window edge to the left (SHLD-14). However, a sending TCP peer MUST be robust against window shrinking, which may cause the "usable window" (see Section 3.8.6.2.1) to become negative (MUST-34). If this happens, the sender SHOULD NOT send new data (SHLD-15), but SHOULD retransmit normally the old unacknowledged data between SND.UNA and SND.UNA+SND.WND (SHLD-16). The sender MAY also retransmit old data beyond SND.UNA+SND.WND (MAY-7)"So... I'm beginning to think this section of the rfc isn't really helpful or useful here. For starters, it doesn't seem to cover all of what we're trying to do here - particularly the fact that we try to send keepalive probes when in this situation...Ok. But in my view, we don't have a choice until the kernel bug is fixed.We never see the window become negative, but we interpret this as a recommendation to use the previously available window during retransmission even when the currently advertised window is zero.... but also, looking at the RFC, I'm really not convinced of this interpretation. SND.WND generally refers to the last window we've seen advertised by the guest, and I don't see any indication that in this specific case we should instead consider the previous version it had. Indeed the "usable window" value it's discussing is elsewhere described in terms of SND.WND, and if we used the previous SND.WND value it would *not* become negative. I believe that last MAY-7 bit means we're not violating the RFC by using the previous window edge, but I don't think there's anything there to suggest we must or should be doing so.[In fact, I wonder if the reason behind MAY-7 is that it allows an implementation to satisfy this by just ignoring ignore window updates which would move the right edge backwards]That would be nice.So.. moving on from the RFC to what we actually need to do to workaround this bug. Do we actually need anything more than continuing to send keep-alive probes even when the window is zero?Yes. See above.Good point. I wonder if Stefano has any theory on that?We use the above mechanism only for timer-induced retransmits, while the fast-retransmit mechanism won't trigger on this condition. It should be noted that although this solves the problem we have at hand, it is not a genuine solution to the kernel bug. There may well be TCP stacks around in other OS-es which don't do this, nor have keep-alive probing as an alternatve way to solve the situation. Signed-off-by: Jon Maloy <jmaloy(a)redhat.com> --- v2: - Using previously advertised window during retransmission, instead highest send sequencece number in the cycle. v3: - Rebased to newest code - Changes based on feedback from PASST team - Sending out empty probe message at timer expiration when we are not in retransmit situation. v4: - Some small changes based on feedback from PASST team. - Replaced fast retransmit with a one-time 'fast probe' when window is zero. v5: - Gave up on 'fast probing' for now. When I got the sequence numbers right in the flag message (after having emptied the tap queue), it turns out an empty message does *not* force a new peer window update as was my previous understanding of the code. - Added cppcheck suppression line (which I was unable to verify) as suggested by S. Brivio. - Removed sending of empty probe when window from tap side is zero. It looks pointless at the moment, at least for solving the above described situation. v6: - Ensure that arrival of new data doesn´t cause us to ignore a zero-window situation. - Removed the pointless probing referred to in v5 comment. --- tcp.c | 26 ++++++++++++++++++++------ tcp_conn.h | 2 ++ 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/tcp.c b/tcp.c index fa13292..38c3480 100644 --- a/tcp.c +++ b/tcp.c @@ -1764,9 +1764,17 @@ static void tcp_get_tap_ws(struct tcp_tap_conn *conn, */ static void tcp_tap_window_update(struct tcp_tap_conn *conn, unsigned wnd) { + uint32_t wnd_edge; + wnd = MIN(MAX_WINDOW, wnd << conn->ws_from_tap); + /* cppcheck-suppress [knownConditionTrueFalse, unmatchedSuppression] */If I recall from earlier, we thought this suppression was needed because of the cppcheck bug referenced in tcp_update_seqack_wnd(). If that's the case we need something like that comment here as well: knownConditionTrueFalse is not a check we should be suppressing lightly. But also... is it actually that bug? In that case the check tripped when we did an if based on the result of the MIN - it thought it was always zero. But here the suppression is on the MIN itself, which suggests something different. Is it instead that cppcheck is managing to deduce that wnd >> conn->ws_from_tap cannot be greater than USHRT_MAX. Which should indeed be the case, although I can't quickly see how you'd statically deduce it. I'm also not sure why this is showing up now, because these lines aren't changed.I know we discussed this at our last meeting, but then I realized this explicitly means reading these two fields, which we just accessed via the pointer, once again. It is possible, even likely, that GCC/CLANG are smart enough to catch this and optimize, but it is at least ugly. And again, we have exactly the same construct a few lines further up. If we fix it in one place we need to do both. What was the objection to just making 'already_sent' and 'max_send' to signed integers again? Otherwise, I can easily fix this with a couple of extra stack variables: 'seq' (which we already have), 'ack' (self explaining) and 'wnd_edge' (or just deliver 'max_send' as an argument, see further down)+I also don't think inserting a blank line between the suppression and the line where the error is occuring is a good idea. > conn->wnd_from_tap = MIN(wnd >> conn->ws_from_tap, USHRT_MAX); > > + wnd_edge = conn->seq_ack_from_tap + wnd; > + if (wnd && SEQ_GT(wnd_edge, conn->seq_wnd_edge_from_tap)) > + conn->seq_wnd_edge_from_tap = wnd_edge;+> /* FIXME: reflect the tap-side receiver's window back to the sock-side > * sender by adjusting SO_RCVBUF? */ > } > @@ -1799,6 +1807,7 @@ static void tcp_seq_init(const struct ctx *c, struct tcp_tap_conn *conn, > ns = (now->tv_sec * 1000000000 + now->tv_nsec) >> 5; > > conn->seq_to_tap = ((uint32_t)(hash >> 32) ^ (uint32_t)hash) + ns; > + conn->seq_wnd_edge_from_tap = conn->seq_to_tap; > } > > /** > @@ -2208,13 +2217,12 @@ static void tcp_data_to_tap(const struct ctx *c, struct tcp_tap_conn *conn, > */ > static int tcp_data_from_sock(struct ctx *c, struct tcp_tap_conn *conn) > { > - uint32_t wnd_scaled = conn->wnd_from_tap << conn->ws_from_tap; > int fill_bufs, send_bufs = 0, last_len, iov_rem = 0; > int sendlen, len, dlen, v4 = CONN_V4(conn); > + uint32_t already_sent, max_send, seq; > int s = conn->sock, i, ret = 0; > struct msghdr mh_sock = { 0 }; > uint16_t mss = MSS_GET(conn); > - uint32_t already_sent, seq; > struct iovec *iov; > > /* How much have we read/sent since last received ack ? */ > @@ -2228,19 +2236,24 @@ static int tcp_data_from_sock(struct ctx *c, struct tcp_tap_conn *conn) > tcp_set_peek_offset(s, 0); > } > > - if (!wnd_scaled || already_sent >= wnd_scaled) { > + /* How much are we still allowed to send within current window ? */ > + max_send = conn->seq_wnd_edge_from_tap - conn->seq_to_tap; > + if (SEQ_LE(max_send, 0)) { Although the maths probably works out correctly, I dislike using SEQ_LE on sequence differences here, rather that using SEQ_LE directly on seq_wnd_edge_from_tap and seq_to_tap.TBH, I cannot see SEQ_LT(seq_wnd_edge_from_tap, seq_to_tap) *ever* happening. They can be equal, because we may have consumed the whole permitted window, but since we logically never can read/send beyond the right edge of window, the condition SEQ_GE(seq_wnd_edge_from_tap, seq_to_tap) will always be true. I.e., I could just as well use if (seq_wnd_edge_from_tap == seq_to_tap), the assignment conn->seq_wnd_edge_from_tap = conn->seq_to_tap is in reality redundant. To put it differently, seq_wnd_edge_from_tap will never ever move to the left. The fact that seq_to_tap occasionally may revert to an older value doesn´t change that. So, using SEQ_LE() isn't logically necessary here, it is just healthy paranoia.+ flow_trace(conn, "Window full: right edge: %u, sent: %u", + conn->seq_wnd_edge_from_tap, conn->seq_to_tap); + conn->seq_wnd_edge_from_tap = conn->seq_to_tap;So, here we pull seq_wnd_edge_from_tap back in line with seq_to_tap. Which might be before even the "current" window of seq_ack_to_tap + wnd_scaled.Which means there's a pretty brief window in which seq_wnd_edge_from_tap will actually be beyond the latest window.How? It is always set to be in sync with the window, except when the window is announced to be zero from the peer. In the latter case it will be beyond it until a new non-zero window is announced, but that is the very point with this patch.It's not clear to me why that brief window is important - or why getting more data from the socket side would be relevant to finishing that window.See above.okconn_flag(c, conn, STALLED); conn_flag(c, conn, ACK_FROM_TAP_DUE); return 0; } /* Set up buffer descriptors we'll fill completely and partially. */ - fill_bufs = DIV_ROUND_UP(wnd_scaled - already_sent, mss); + fill_bufs = DIV_ROUND_UP(max_send, mss); if (fill_bufs > TCP_FRAMES) { fill_bufs = TCP_FRAMES; iov_rem = 0; } else { - iov_rem = (wnd_scaled - already_sent) % mss; + iov_rem = max_send % mss; } /* Prepare iov according to kernel capability */ @@ -2347,6 +2360,7 @@ err: * * Return: count of consumed packets */ +Spurious whitespace change.That is correct. When we receive a zero-window advertisement from the peer, it is either 1) The memory squeeze case we are dealing with. When that happens, ACK_FROM_TAP_DUE is always set anyway. We just sent a package which was dropped instead of being acked. 2) It is a "genuine" window exhaustion, where the receiver is not able to keep up, but everything is in its read queue. In that case, ACK_SEQ_FROM_TAP should *not* be set. The reader has received and acked, it has just not been able to consume it yet. 3) There is no third case, since the window edge never moves to the left, and we never send beyond that edge. I must admit I never really paid attention to the STALLED flag, though. It might be nicer if I can handle this case within tcp_data_from_sock(), of course, but if so I need to find a way to easily distinguish between the case when the call comes from tcp_sock_handler() and all the others. If I add 'max_send' as an argument to the call instead of calculating it inside the call it would actually solve this. What do you think? /jonstatic int tcp_data_from_tap(struct ctx *c, struct tcp_tap_conn *conn, const struct pool *p, int idx) { @@ -2950,7 +2964,7 @@ void tcp_sock_handler(struct ctx *c, union epoll_ref ref, uint32_t events) if (events & (EPOLLRDHUP | EPOLLHUP)) conn_event(c, conn, SOCK_FIN_RCVD); - if (events & EPOLLIN) + if (events & EPOLLIN && conn->wnd_from_tap)Hrm. If we don't even enter tcp_data_from_sock() when there's no window, doesn't that mean we won't hit the handling for the max_send < 0 case, we won't set STALLED, won't switch the epoll flags for the socket to edge triggered mode and will therefore just busy loop on EPOLLIN socket events until the window re-opens.> tcp_data_from_sock(c, conn); > > if (events & EPOLLOUT) > diff --git a/tcp_conn.h b/tcp_conn.h > index d280b22..5cbad2a 100644 > --- a/tcp_conn.h > +++ b/tcp_conn.h > @@ -30,6 +30,7 @@ > * @wnd_to_tap: Sending window advertised to tap, unscaled (as sent) > * @seq_to_tap: Next sequence for packets to tap > * @seq_ack_from_tap: Last ACK number received from tap > + * @seq_wnd_edge_from_tap: Right edge of last non-zero window from tap > * @seq_from_tap: Next sequence for packets from tap (not actually sent) > * @seq_ack_to_tap: Last ACK number sent to tap > * @seq_init_from_tap: Initial sequence number from tap > @@ -101,6 +102,7 @@ struct tcp_tap_conn { > > uint32_t seq_to_tap; > uint32_t seq_ack_from_tap; > + uint32_t seq_wnd_edge_from_tap; > uint32_t seq_from_tap; > uint32_t seq_ack_to_tap; > uint32_t seq_init_from_tap;