3 files changed, 11 insertions, 6 deletions

diff --git a/include/net/tcp.h b/include/net/tcp.h
index e337e05035be..590e01a476ac 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -417,7 +417,7 @@ void tcp_update_metrics(struct sock *sk);
 void tcp_init_metrics(struct sock *sk);
 void tcp_metrics_init(void);
 bool tcp_peer_is_proven(struct request_sock *req, struct dst_entry *dst,
-                        bool paws_check);
+                        bool paws_check, bool timestamps);
 bool tcp_remember_stamp(struct sock *sk);
 bool tcp_tw_remember_stamp(struct inet_timewait_sock *tw);
 void tcp_fetch_timewait_stamp(struct sock *sk, struct dst_entry *dst);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 1a8e89fdd331..4f6cfbc57775 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5979,12 +5979,14 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
                  * timewait bucket, so that all the necessary checks
                  * are made in the function processing timewait state.
                  */
-                if (tmp_opt.saw_tstamp && tcp_death_row.sysctl_tw_recycle) {
+                if (tcp_death_row.sysctl_tw_recycle) {
                         bool strict;
 
                         dst = af_ops->route_req(sk, &fl, req, &strict);
+
                         if (dst && strict &&
-                            !tcp_peer_is_proven(req, dst, true)) {
+                            !tcp_peer_is_proven(req, dst, true,
+                                                tmp_opt.saw_tstamp)) {
                                 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_PAWSPASSIVEREJECTED);
                                 goto drop_and_release;
                         }
@@ -5993,7 +5995,8 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
                 else if (!sysctl_tcp_syncookies &&
                          (sysctl_max_syn_backlog - inet_csk_reqsk_queue_len(sk) <
                           (sysctl_max_syn_backlog >> 2)) &&
-                         !tcp_peer_is_proven(req, dst, false)) {
+                         !tcp_peer_is_proven(req, dst, false,
+                                             tmp_opt.saw_tstamp)) {
                         /* Without syncookies last quarter of
                          * backlog is filled with destinations,
                          * proven to be alive.
diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
index 0d54e59b9ea8..ed9c9a91851c 100644
--- a/net/ipv4/tcp_metrics.c
+++ b/net/ipv4/tcp_metrics.c
@@ -576,7 +576,8 @@ reset:
         tp->snd_cwnd_stamp = tcp_time_stamp;
 }
 
-bool tcp_peer_is_proven(struct request_sock *req, struct dst_entry *dst, bool paws_check)
+bool tcp_peer_is_proven(struct request_sock *req, struct dst_entry *dst,
+                        bool paws_check, bool timestamps)
 {
         struct tcp_metrics_block *tm;
         bool ret;
@@ -589,7 +590,8 @@ bool tcp_peer_is_proven(struct request_sock *req, struct dst_entry *dst, bool pa
         if (paws_check) {
                 if (tm &&
                     (u32)get_seconds() - tm->tcpm_ts_stamp < TCP_PAWS_MSL &&
-                    (s32)(tm->tcpm_ts - req->ts_recent) > TCP_PAWS_WINDOW)
+                    ((s32)(tm->tcpm_ts - req->ts_recent) > TCP_PAWS_WINDOW ||
+                     !timestamps))
                         ret = false;
                 else
                         ret = true;