From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from imap.gmail.com [173.194.76.109] by localhost with POP3 (fetchmail-6.3.26) for (single-drop); Wed, 22 May 2024 00:25:40 +0200 (CEST) Received: by 2002:a05:6a11:2489:b0:55f:c3c0:ed08 with SMTP id sg9csp276924pxb; Tue, 21 May 2024 15:25:25 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCXa2fO5ZliqzKhXrBxi2+sR+8PrpZXsSLeqWC826up54j2tOr68PstE/JoacOAcBmIVBJ1g8mJipkQIDUlS/buLTLf2aOd64Gw= X-Google-Smtp-Source: AGHT+IGiR5ZRvsbJFmnlUNosZ/Lsm/dUukAjxdfWuqd+sxhuLUR7wtJxpz9ZuP1i27AVT341sDNR X-Received: by 2002:a05:6808:1704:b0:3c9:7810:faf0 with SMTP id 5614622812f47-3cdb24817a0mr475336b6e.20.1716330325334; Tue, 21 May 2024 15:25:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1716330325; cv=none; d=google.com; s=arc-20160816; b=whIjP6XkR6Eq8x6W7fv3F1XRGrbZL6lcRkc0jXC2oEXMShN8Ml4juPQDmJzomqWCtE aRBqhDZZ8actsLHYkskwbGHztg7JBlA7rU16c0eU6vkzbu1KHR8v8fgPMmsT0Sn2I57d 3MGzkDfI7YQ3nFeKlSNOQnCiAXpeeZusYXhunqH+HKtjXiQgWW6k+ou0DdfJj6wi5rA8 DUzJaN7JpZ8KNzi+atR16T+4LTNHWN+SckIX/Wpf1g+9GDMcAE/RaVkd21j36b/E+r/8 dYGvszbs4Lf7CLdnBt7tM3ppeaAklpzi4vfpWzpyD2DatJVv50BY4O5dMNZtrqjdD/Vg ddDw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:content-language:in-reply-to:from :references:cc:to:subject:user-agent:mime-version:date:message-id :delivered-to; bh=ePczgHIz955sdD/f+ayk2AnSyrCyUfjqebMTYJq4Sdg=; fh=COUz8sR5lWeemwnYsniUTCUIcfCz40T3ZKVR82wFNxI=; b=RmBpvUonWP05EEkBvmHlUlGJ3+Zte/l6Rm5D5S5x91cGMtbY3rA0lmPQYeyQQl+iXo EgnVQf+gXdOrT7ZpvAPLwmMlBCY9rmpg3Tq/Ohbf1+oXwO+T7trXi7HG4NYc2XeGVuTI pEWPsOBQNurQgN37XDeMfPGpU05MQpSksY6Vp1Pd3yoFOesCA6iTB8hmNpDQBNphdIVb ppdGwcCHvQMC02oWWNAQ7vz6EHBllR1UXw5WrUpTqTCaeuXkcyozxT57DC8thRiUs+yY JDs1CSJQoEHnSNGGuSzmp/HSXaAtyX191esKT5Lo5fhvZ4W7wEa0cEMK1pi/I4qzI0lW ZEcA==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of jmaloy@redhat.com designates 209.85.219.71 as permitted sender) smtp.mailfrom=jmaloy@redhat.com Return-Path: Received: from us-smtp-inbound-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com. [170.10.128.131]) by mx.google.com with ESMTPS id af79cd13be357-792bf309e9asi204278285a.227.2024.05.21.15.25.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 21 May 2024 15:25:25 -0700 (PDT) Received-SPF: pass (google.com: domain of jmaloy@redhat.com designates 209.85.219.71 as permitted sender) client-ip=209.85.219.71; Authentication-Results: mx.google.com; spf=pass (google.com: domain of jmaloy@redhat.com designates 209.85.219.71 as permitted sender) smtp.mailfrom=jmaloy@redhat.com Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-163-otxUoBEsM0my4P2UE1yztA-1; Tue, 21 May 2024 18:25:23 -0400 X-MC-Unique: otxUoBEsM0my4P2UE1yztA-1 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id C2DDA1935D3C for ; Tue, 21 May 2024 22:25:22 +0000 (UTC) Received: by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) id B138A3001D2D; Tue, 21 May 2024 22:25:22 +0000 (UTC) Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.23]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id A4AF73001D22 for ; Tue, 21 May 2024 22:25:22 +0000 (UTC) Received: from us-smtp-inbound-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [170.10.128.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 39D491954B10 for ; Tue, 21 May 2024 22:25:22 +0000 (UTC) Received: from mail-qv1-f71.google.com (mail-qv1-f71.google.com [209.85.219.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-681-L-Hs_Q4RMcGnIz3ETKZ4_w-1; Tue, 21 May 2024 18:25:20 -0400 X-MC-Unique: L-Hs_Q4RMcGnIz3ETKZ4_w-1 Received: by mail-qv1-f71.google.com with SMTP id 6a1803df08f44-6a9333d993aso44032736d6.3 for ; Tue, 21 May 2024 15:25:20 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716330320; x=1716935120; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ePczgHIz955sdD/f+ayk2AnSyrCyUfjqebMTYJq4Sdg=; b=rA6ImdbjFNtEmZP3b9Todff7skdhw5SHPQGLfmbkVZK4+TsnsFG7lZ5Qu2mmPcNUoa lfGhod3HUKzHZp8/5o+uPMIZqHnk2epCrfy7eah7WjS3cCclt6SyPo+3LM01XnpGnd3J DTVYKGL18V8W+MLO6A5r5xdrw6RqHxiAkODoYIJqVkUJLjuYMCtmfqjTNEqjS88CKLRn lxubE3WyMILkI6CXJkHdbsM/MQOBI/k7wYqNvZnN3BoUpALadSgJOk9YRbhBEY3vjskh 8CIDpk4cGUAG8yFTGCMaj7eI1xQ+TiDa9HXz+KEYTf/KyI/RLg4SaKHRl5SlKozWxSkw wMtA== X-Forwarded-Encrypted: i=1; AJvYcCVVHvzZAp02eqHlUSvOKM0+2mfNR8ApiUt1+2u7XesJQ1tU88x7zUWomvIFPWhkF+BQ7sY+gU1miSo61LSYnn/9blI= X-Gm-Message-State: AOJu0Yy6wbpR3bo+47XpH/Qlop8SVRFBDNLa6N6FOOaO2nvR2zwje7lo cGSO+Jo9r523q1qjz3/fHpLHUEjOo+gJf33ZceO5OxxyNznFoipcr2DXee2/8cPIUVrtC2Fx5Ie 3hP4f3iP/KfNNRBi4/OZuBO2RNvgTjpB15X+tXlux4IZSopF8YjI= X-Received: by 2002:a05:6214:4903:b0:6a9:f058:95ba with SMTP id 6a1803df08f44-6ab808f7a80mr2147236d6.54.1716330319635; Tue, 21 May 2024 15:25:19 -0700 (PDT) X-Received: by 2002:a05:6214:4903:b0:6a9:f058:95ba with SMTP id 6a1803df08f44-6ab808f7a80mr2146976d6.54.1716330319134; Tue, 21 May 2024 15:25:19 -0700 (PDT) Received: from [10.0.0.97] ([24.225.234.80]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6a15f1ff124sm127310806d6.138.2024.05.21.15.25.18 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 21 May 2024 15:25:18 -0700 (PDT) Message-ID: <87d2c314-6100-8b06-126c-fd1747108d75@redhat.com> Date: Tue, 21 May 2024 18:25:17 -0400 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1 Subject: Re: [PATCH v6 3/3] tcp: allow retransmit when peer receive window is zero To: David Gibson Cc: passt-dev@passt.top, sbrivio@redhat.com, lvivier@redhat.com, dgibson@redhat.com References: <20240517152414.1188282-1-jmaloy@redhat.com> <20240517152414.1188282-4-jmaloy@redhat.com> From: Jon Maloy In-Reply-To: X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit List-Id: On 2024-05-21 01:51, David Gibson wrote: > On Fri, May 17, 2024 at 11:24:14AM -0400, Jon Maloy wrote: >> A bug in kernel TCP may lead to a deadlock where a zero window is sent >> from the peer, while it is unable to send out window updates even after >> reads have freed up enough buffer space to permit a larger window. >> In this situation, new window advertisemnts from the peer can only be >> triggered by packets arriving from this side. >> >> However, such packets are never sent, because the zero-window condition >> currently prevents this side from sending out any packets whatsoever >> to the peer. >> >> We notice that the above bug is triggered *only* after the peer has >> dropped an arriving packet because of severe memory squeeze, and that we >> hence always enter a retransmission situation when this occurs. This >> also means that it goes against the RFC 9293 recommendation that a >> previously advertised window never should shrink. >> >> RFC 9293 gives the solution to this situation. In chapter 3.6.1 we find >> the following statement: >> "A TCP receiver SHOULD NOT shrink the window, i.e., move the right >> window edge to the left (SHLD-14). However, a sending TCP peer MUST >> be robust against window shrinking, which may cause the >> "usable window" (see Section 3.8.6.2.1) to become negative (MUST-34). >> >> If this happens, the sender SHOULD NOT send new data (SHLD-15), but >> SHOULD retransmit normally the old unacknowledged data between SND.UNA >> and SND.UNA+SND.WND (SHLD-16). The sender MAY also retransmit old data >> beyond SND.UNA+SND.WND (MAY-7)" > So... I'm beginning to think this section of the rfc isn't really > helpful or useful here. For starters, it doesn't seem to cover all of > what we're trying to do here - particularly the fact that we try to > send keepalive probes when in this situation... The probes don't resolve the situation, so I skipped them in the latest version. Only payload data solves it. > >> We never see the window become negative, but we interpret this as a >> recommendation to use the previously available window during >> retransmission even when the currently advertised window is zero. > ... but also, looking at the RFC, I'm really not convinced of this > interpretation. SND.WND generally refers to the last window we've > seen advertised by the guest, and I don't see any indication that in > this specific case we should instead consider the previous version it > had. > > Indeed the "usable window" value it's discussing is elsewhere > described in terms of SND.WND, and if we used the previous SND.WND > value it would *not* become negative. > > I believe that last MAY-7 bit means we're not violating the RFC by > using the previous window edge, but I don't think there's anything > there to suggest we must or should be doing so. Ok. But in my view, we don't have a choice until the kernel bug is fixed. > > [In fact, I wonder if the reason behind MAY-7 is that it allows an > implementation to satisfy this by just ignoring ignore window updates > which would move the right edge backwards] That would be nice. > > So.. moving on from the RFC to what we actually need to do to > workaround this bug. Do we actually need anything more than > continuing to send keep-alive probes even when the window is zero? Yes. See above. > >> We use the above mechanism only for timer-induced retransmits, while >> the fast-retransmit mechanism won't trigger on this condition. >> >> It should be noted that although this solves the problem we have at >> hand, it is not a genuine solution to the kernel bug. There may well >> be TCP stacks around in other OS-es which don't do this, nor have >> keep-alive probing as an alternatve way to solve the situation. >> >> Signed-off-by: Jon Maloy >> >> --- >> v2: - Using previously advertised window during retransmission, instead >> highest send sequencece number in the cycle. >> v3: - Rebased to newest code >> - Changes based on feedback from PASST team >> - Sending out empty probe message at timer expiration when >> we are not in retransmit situation. >> v4: - Some small changes based on feedback from PASST team. >> - Replaced fast retransmit with a one-time 'fast probe' when >> window is zero. >> v5: - Gave up on 'fast probing' for now. When I got the sequence >> numbers right in the flag message (after having emptied the tap >> queue), it turns out an empty message does *not* force a new peer >> window update as was my previous understanding of the code. >> - Added cppcheck suppression line (which I was unable to verify) >> as suggested by S. Brivio. >> - Removed sending of empty probe when window from tap side is zero. >> It looks pointless at the moment, at least for solving the above >> described situation. >> v6: - Ensure that arrival of new data doesn´t cause us to ignore a >> zero-window situation. >> - Removed the pointless probing referred to in v5 comment. >> --- >> tcp.c | 26 ++++++++++++++++++++------ >> tcp_conn.h | 2 ++ >> 2 files changed, 22 insertions(+), 6 deletions(-) >> >> diff --git a/tcp.c b/tcp.c >> index fa13292..38c3480 100644 >> --- a/tcp.c >> +++ b/tcp.c >> @@ -1764,9 +1764,17 @@ static void tcp_get_tap_ws(struct tcp_tap_conn *conn, >> */ >> static void tcp_tap_window_update(struct tcp_tap_conn *conn, unsigned wnd) >> { >> + uint32_t wnd_edge; >> + >> wnd = MIN(MAX_WINDOW, wnd << conn->ws_from_tap); >> + /* cppcheck-suppress [knownConditionTrueFalse, unmatchedSuppression] */ > If I recall from earlier, we thought this suppression was needed > because of the cppcheck bug referenced in tcp_update_seqack_wnd(). If > that's the case we need something like that comment here as well: > knownConditionTrueFalse is not a check we should be suppressing > lightly. > > But also... is it actually that bug? In that case the check tripped > when we did an if based on the result of the MIN - it thought it was > always zero. But here the suppression is on the MIN itself, which > suggests something different. Is it instead that cppcheck is managing > to deduce that wnd >> conn->ws_from_tap cannot be greater than > USHRT_MAX. Which should indeed be the case, although I can't quickly > see how you'd statically deduce it. > > I'm also not sure why this is showing up now, because these lines > aren't changed. Good point. I wonder if Stefano has any theory on that? > >> + > I also don't think inserting a blank line between the suppression and > the line where the error is occuring is a good idea. > >> conn->wnd_from_tap = MIN(wnd >> conn->ws_from_tap, USHRT_MAX); >> >> + wnd_edge = conn->seq_ack_from_tap + wnd; >> + if (wnd && SEQ_GT(wnd_edge, conn->seq_wnd_edge_from_tap)) >> + conn->seq_wnd_edge_from_tap = wnd_edge; >> + >> /* FIXME: reflect the tap-side receiver's window back to the sock-side >> * sender by adjusting SO_RCVBUF? */ >> } >> @@ -1799,6 +1807,7 @@ static void tcp_seq_init(const struct ctx *c, struct tcp_tap_conn *conn, >> ns = (now->tv_sec * 1000000000 + now->tv_nsec) >> 5; >> >> conn->seq_to_tap = ((uint32_t)(hash >> 32) ^ (uint32_t)hash) + ns; >> + conn->seq_wnd_edge_from_tap = conn->seq_to_tap; >> } >> >> /** >> @@ -2208,13 +2217,12 @@ static void tcp_data_to_tap(const struct ctx *c, struct tcp_tap_conn *conn, >> */ >> static int tcp_data_from_sock(struct ctx *c, struct tcp_tap_conn *conn) >> { >> - uint32_t wnd_scaled = conn->wnd_from_tap << conn->ws_from_tap; >> int fill_bufs, send_bufs = 0, last_len, iov_rem = 0; >> int sendlen, len, dlen, v4 = CONN_V4(conn); >> + uint32_t already_sent, max_send, seq; >> int s = conn->sock, i, ret = 0; >> struct msghdr mh_sock = { 0 }; >> uint16_t mss = MSS_GET(conn); >> - uint32_t already_sent, seq; >> struct iovec *iov; >> >> /* How much have we read/sent since last received ack ? */ >> @@ -2228,19 +2236,24 @@ static int tcp_data_from_sock(struct ctx *c, struct tcp_tap_conn *conn) >> tcp_set_peek_offset(s, 0); >> } >> >> - if (!wnd_scaled || already_sent >= wnd_scaled) { >> + /* How much are we still allowed to send within current window ? */ >> + max_send = conn->seq_wnd_edge_from_tap - conn->seq_to_tap; >> + if (SEQ_LE(max_send, 0)) { > Although the maths probably works out correctly, I dislike using > SEQ_LE on sequence differences here, rather that using SEQ_LE directly > on seq_wnd_edge_from_tap and seq_to_tap. I know we discussed this at our last meeting, but then I realized this explicitly means reading these two fields, which we just accessed via the pointer, once again. It is possible, even likely, that GCC/CLANG are smart enough to catch this and optimize, but it is at least ugly. And again, we have exactly the same construct a few lines further up. If we fix it in one place we need to do both. What was the objection to just making 'already_sent' and 'max_send' to signed integers again? Otherwise, I can easily fix this with a couple of extra stack variables: 'seq' (which we already have), 'ack' (self explaining) and 'wnd_edge' (or just deliver 'max_send' as an argument, see further down) > >> + flow_trace(conn, "Window full: right edge: %u, sent: %u", >> + conn->seq_wnd_edge_from_tap, conn->seq_to_tap); >> + conn->seq_wnd_edge_from_tap = conn->seq_to_tap; > So, here we pull seq_wnd_edge_from_tap back in line with seq_to_tap. > Which might be before even the "current" window of seq_ack_to_tap + > wnd_scaled. TBH, I cannot see SEQ_LT(seq_wnd_edge_from_tap, seq_to_tap) *ever* happening. They can be equal, because we may have consumed the whole permitted window, but since we logically never can read/send beyond the right edge of window, the condition SEQ_GE(seq_wnd_edge_from_tap, seq_to_tap) will always be true. I.e., I could just as well use if (seq_wnd_edge_from_tap == seq_to_tap), the assignment conn->seq_wnd_edge_from_tap = conn->seq_to_tap is in reality redundant. To put it differently, seq_wnd_edge_from_tap will never ever move to the left. The fact that seq_to_tap occasionally may revert to an older value doesn´t change that. So, using SEQ_LE() isn't logically necessary here, it is just healthy paranoia. > Which means there's a pretty brief window in which > seq_wnd_edge_from_tap will actually be beyond the latest window. How? It is always set to be in sync with the window, except when the window is announced to be zero from the peer. In the latter case it will be beyond it until a new non-zero window is announced, but that is the very point with this patch. > It's > not clear to me why that brief window is important - or why getting > more data from the socket side would be relevant to finishing that > window. See above. > >> conn_flag(c, conn, STALLED); >> conn_flag(c, conn, ACK_FROM_TAP_DUE); >> return 0; >> } >> >> /* Set up buffer descriptors we'll fill completely and partially. */ >> - fill_bufs = DIV_ROUND_UP(wnd_scaled - already_sent, mss); >> + fill_bufs = DIV_ROUND_UP(max_send, mss); >> if (fill_bufs > TCP_FRAMES) { >> fill_bufs = TCP_FRAMES; >> iov_rem = 0; >> } else { >> - iov_rem = (wnd_scaled - already_sent) % mss; >> + iov_rem = max_send % mss; >> } >> >> /* Prepare iov according to kernel capability */ >> @@ -2347,6 +2360,7 @@ err: >> * >> * Return: count of consumed packets >> */ >> + > Spurious whitespace change. ok > >> static int tcp_data_from_tap(struct ctx *c, struct tcp_tap_conn *conn, >> const struct pool *p, int idx) >> { >> @@ -2950,7 +2964,7 @@ void tcp_sock_handler(struct ctx *c, union epoll_ref ref, uint32_t events) >> if (events & (EPOLLRDHUP | EPOLLHUP)) >> conn_event(c, conn, SOCK_FIN_RCVD); >> >> - if (events & EPOLLIN) >> + if (events & EPOLLIN && conn->wnd_from_tap) > Hrm. If we don't even enter tcp_data_from_sock() when there's no > window, doesn't that mean we won't hit the handling for the max_send < > 0 case, we won't set STALLED, won't switch the epoll flags for the > socket to edge triggered mode and will therefore just busy loop on > EPOLLIN socket events until the window re-opens. That is correct. When we receive a zero-window advertisement from the peer, it is either 1) The memory squeeze case we are dealing with. When that happens, ACK_FROM_TAP_DUE is always set anyway.     We just sent a package which was dropped instead of being acked. 2) It is a "genuine" window exhaustion, where the receiver is not able to keep up, but everything is in its read queue.     In that case, ACK_SEQ_FROM_TAP should *not* be set. The reader has received and acked, it has just not been able to consume it yet. 3) There is no third case, since the window edge never moves to the left, and we never send beyond that edge. I must admit I never really paid attention to the STALLED flag, though. It might be nicer if I can handle this case within tcp_data_from_sock(), of course, but if so I need to find a way to easily distinguish between the case when the call comes from tcp_sock_handler() and all the others. If I add 'max_send' as an argument to the call instead of calculating it inside the call it would actually solve this. What do you think? /jon > >> tcp_data_from_sock(c, conn); >> >> if (events & EPOLLOUT) >> diff --git a/tcp_conn.h b/tcp_conn.h >> index d280b22..5cbad2a 100644 >> --- a/tcp_conn.h >> +++ b/tcp_conn.h >> @@ -30,6 +30,7 @@ >> * @wnd_to_tap: Sending window advertised to tap, unscaled (as sent) >> * @seq_to_tap: Next sequence for packets to tap >> * @seq_ack_from_tap: Last ACK number received from tap >> + * @seq_wnd_edge_from_tap: Right edge of last non-zero window from tap >> * @seq_from_tap: Next sequence for packets from tap (not actually sent) >> * @seq_ack_to_tap: Last ACK number sent to tap >> * @seq_init_from_tap: Initial sequence number from tap >> @@ -101,6 +102,7 @@ struct tcp_tap_conn { >> >> uint32_t seq_to_tap; >> uint32_t seq_ack_from_tap; >> + uint32_t seq_wnd_edge_from_tap; >> uint32_t seq_from_tap; >> uint32_t seq_ack_to_tap; >> uint32_t seq_init_from_tap;