* [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open
@ 2015-04-15 18:00 Ben Hutchings
2015-04-15 18:22 ` Eric Dumazet
` (5 more replies)
0 siblings, 6 replies; 8+ messages in thread
From: Ben Hutchings @ 2015-04-15 18:00 UTC (permalink / raw)
To: stable; +Cc: netdev, Eric Dumazet, 782515
[-- Attachment #1: Type: text/plain, Size: 1501 bytes --]
Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
skb rather than using skb_copy_expand().
The open-coded copy does not cover the skb_shared_info::gso_segs
field, so in the new skb it is left set to 0. When this commit was
backported into stable branches between 3.10.y and 3.16.7-ckty
inclusive, it triggered the BUG() in tcp_transmit_skb().
Since Linux 3.18 the GSO segment count is kept in the
tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
tcp_skb_cb structure to the new skb, so mainline and newer stable
branches are not affected.
Set skb_shared_info::gso_segs to the correct value of 1.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/tcp_output.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index d5457e4..1ea0a07 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2992,6 +2992,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
goto fallback;
syn_data->ip_summed = CHECKSUM_PARTIAL;
memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
+ skb_shinfo(syn_data)->gso_segs = 1;
if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
fo->data->msg_iov, 0, space))) {
kfree_skb(syn_data);
--
Ben Hutchings
Editing code like this is akin to sticking plasters on the bleeding stump
of a severed limb. - me, 29 June 1999
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 811 bytes --]
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
@ 2015-04-15 18:22 ` Eric Dumazet
2015-04-15 18:33 ` David Miller
2015-04-16 16:24 ` Luis Henriques
` (4 subsequent siblings)
5 siblings, 1 reply; 8+ messages in thread
From: Eric Dumazet @ 2015-04-15 18:22 UTC (permalink / raw)
To: Ben Hutchings; +Cc: stable, netdev, 782515
On Wed, 2015-04-15 at 19:00 +0100, Ben Hutchings wrote:
> Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
> changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
> skb rather than using skb_copy_expand().
>
> The open-coded copy does not cover the skb_shared_info::gso_segs
> field, so in the new skb it is left set to 0. When this commit was
> backported into stable branches between 3.10.y and 3.16.7-ckty
> inclusive, it triggered the BUG() in tcp_transmit_skb().
>
> Since Linux 3.18 the GSO segment count is kept in the
> tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
> tcp_skb_cb structure to the new skb, so mainline and newer stable
> branches are not affected.
>
> Set skb_shared_info::gso_segs to the correct value of 1.
>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
> net/ipv4/tcp_output.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
> index d5457e4..1ea0a07 100644
> --- a/net/ipv4/tcp_output.c
> +++ b/net/ipv4/tcp_output.c
> @@ -2992,6 +2992,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
> goto fallback;
> syn_data->ip_summed = CHECKSUM_PARTIAL;
> memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
> + skb_shinfo(syn_data)->gso_segs = 1;
> if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
> fo->data->msg_iov, 0, space))) {
> kfree_skb(syn_data);
>
Looks goot to me, thanks Ben !
Acked-by: Eric Dumazet <edumazet@google.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open
2015-04-15 18:22 ` Eric Dumazet
@ 2015-04-15 18:33 ` David Miller
0 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2015-04-15 18:33 UTC (permalink / raw)
To: eric.dumazet; +Cc: ben, stable, netdev, 782515
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Wed, 15 Apr 2015 11:22:44 -0700
> On Wed, 2015-04-15 at 19:00 +0100, Ben Hutchings wrote:
>> Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
>> changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
>> skb rather than using skb_copy_expand().
>>
>> The open-coded copy does not cover the skb_shared_info::gso_segs
>> field, so in the new skb it is left set to 0. When this commit was
>> backported into stable branches between 3.10.y and 3.16.7-ckty
>> inclusive, it triggered the BUG() in tcp_transmit_skb().
>>
>> Since Linux 3.18 the GSO segment count is kept in the
>> tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
>> tcp_skb_cb structure to the new skb, so mainline and newer stable
>> branches are not affected.
>>
>> Set skb_shared_info::gso_segs to the correct value of 1.
>>
>> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
...
> Looks goot to me, thanks Ben !
>
> Acked-by: Eric Dumazet <edumazet@google.com>
Ben, thanks for taking care of this.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
2015-04-15 18:22 ` Eric Dumazet
@ 2015-04-16 16:24 ` Luis Henriques
2015-04-17 9:43 ` Greg KH
` (3 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Luis Henriques @ 2015-04-16 16:24 UTC (permalink / raw)
To: Ben Hutchings; +Cc: stable, netdev, Eric Dumazet, 782515
On Wed, Apr 15, 2015 at 07:00:32PM +0100, Ben Hutchings wrote:
> Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
> changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
> skb rather than using skb_copy_expand().
>
> The open-coded copy does not cover the skb_shared_info::gso_segs
> field, so in the new skb it is left set to 0. When this commit was
> backported into stable branches between 3.10.y and 3.16.7-ckty
> inclusive, it triggered the BUG() in tcp_transmit_skb().
>
> Since Linux 3.18 the GSO segment count is kept in the
> tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
> tcp_skb_cb structure to the new skb, so mainline and newer stable
> branches are not affected.
>
> Set skb_shared_info::gso_segs to the correct value of 1.
>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Thanks a lot, Ben. I'll queue this for the next 3.16 kernel release.
Cheers,
--
Luís
> ---
> net/ipv4/tcp_output.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
> index d5457e4..1ea0a07 100644
> --- a/net/ipv4/tcp_output.c
> +++ b/net/ipv4/tcp_output.c
> @@ -2992,6 +2992,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
> goto fallback;
> syn_data->ip_summed = CHECKSUM_PARTIAL;
> memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
> + skb_shinfo(syn_data)->gso_segs = 1;
> if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
> fo->data->msg_iov, 0, space))) {
> kfree_skb(syn_data);
>
> --
> Ben Hutchings
> Editing code like this is akin to sticking plasters on the bleeding stump
> of a severed limb. - me, 29 June 1999
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
2015-04-15 18:22 ` Eric Dumazet
2015-04-16 16:24 ` Luis Henriques
@ 2015-04-17 9:43 ` Greg KH
2015-04-17 9:45 ` Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.10-stable tree gregkh
` (2 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Greg KH @ 2015-04-17 9:43 UTC (permalink / raw)
To: Ben Hutchings; +Cc: stable, netdev, Eric Dumazet, 782515
On Wed, Apr 15, 2015 at 07:00:32PM +0100, Ben Hutchings wrote:
> Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
> changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
> skb rather than using skb_copy_expand().
>
> The open-coded copy does not cover the skb_shared_info::gso_segs
> field, so in the new skb it is left set to 0. When this commit was
> backported into stable branches between 3.10.y and 3.16.7-ckty
> inclusive, it triggered the BUG() in tcp_transmit_skb().
>
> Since Linux 3.18 the GSO segment count is kept in the
> tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
> tcp_skb_cb structure to the new skb, so mainline and newer stable
> branches are not affected.
>
> Set skb_shared_info::gso_segs to the correct value of 1.
>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
> net/ipv4/tcp_output.c | 1 +
> 1 file changed, 1 insertion(+)
Thanks for working on this and sending the patch out.
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread
* Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.10-stable tree
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
` (2 preceding siblings ...)
2015-04-17 9:43 ` Greg KH
@ 2015-04-17 9:45 ` gregkh
2015-04-17 10:05 ` Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.14-stable tree gregkh
2015-05-01 17:13 ` [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Kamal Mostafa
5 siblings, 0 replies; 8+ messages in thread
From: gregkh @ 2015-04-17 9:45 UTC (permalink / raw)
To: ben, edumazet, eric.dumazet, gregkh, netdev, stable
Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
tcp: Fix crash in TCP Fast Open
to the 3.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
tcp-fix-crash-in-tcp-fast-open.patch
and it can be found in the queue-3.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From ben@decadent.org.uk Fri Apr 17 11:41:49 2015
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 15 Apr 2015 19:00:32 +0100
Subject: tcp: Fix crash in TCP Fast Open
To: stable <stable@vger.kernel.org>
Cc: netdev <netdev@vger.kernel.org>, Eric Dumazet <eric.dumazet@gmail.com>, 782515@bugs.debian.org
Message-ID: <1429120832.3211.91.camel@decadent.org.uk>
From: Ben Hutchings <ben@decadent.org.uk>
Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
skb rather than using skb_copy_expand().
The open-coded copy does not cover the skb_shared_info::gso_segs
field, so in the new skb it is left set to 0. When this commit was
backported into stable branches between 3.10.y and 3.16.7-ckty
inclusive, it triggered the BUG() in tcp_transmit_skb().
Since Linux 3.18 the GSO segment count is kept in the
tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
tcp_skb_cb structure to the new skb, so mainline and newer stable
branches are not affected.
Set skb_shared_info::gso_segs to the correct value of 1.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_output.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2909,6 +2909,7 @@ static int tcp_send_syn_data(struct sock
goto fallback;
syn_data->ip_summed = CHECKSUM_PARTIAL;
memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
+ skb_shinfo(syn_data)->gso_segs = 1;
if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
fo->data->msg_iov, 0, space))) {
kfree_skb(syn_data);
Patches currently in stable-queue which might be from ben@decadent.org.uk are
queue-3.10/tcp-fix-crash-in-tcp-fast-open.patch
^ permalink raw reply [flat|nested] 8+ messages in thread
* Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.14-stable tree
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
` (3 preceding siblings ...)
2015-04-17 9:45 ` Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.10-stable tree gregkh
@ 2015-04-17 10:05 ` gregkh
2015-05-01 17:13 ` [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Kamal Mostafa
5 siblings, 0 replies; 8+ messages in thread
From: gregkh @ 2015-04-17 10:05 UTC (permalink / raw)
To: ben, edumazet, eric.dumazet, gregkh, netdev, stable
Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
tcp: Fix crash in TCP Fast Open
to the 3.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
tcp-fix-crash-in-tcp-fast-open.patch
and it can be found in the queue-3.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From ben@decadent.org.uk Fri Apr 17 11:41:49 2015
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 15 Apr 2015 19:00:32 +0100
Subject: tcp: Fix crash in TCP Fast Open
To: stable <stable@vger.kernel.org>
Cc: netdev <netdev@vger.kernel.org>, Eric Dumazet <eric.dumazet@gmail.com>, 782515@bugs.debian.org
Message-ID: <1429120832.3211.91.camel@decadent.org.uk>
From: Ben Hutchings <ben@decadent.org.uk>
Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
skb rather than using skb_copy_expand().
The open-coded copy does not cover the skb_shared_info::gso_segs
field, so in the new skb it is left set to 0. When this commit was
backported into stable branches between 3.10.y and 3.16.7-ckty
inclusive, it triggered the BUG() in tcp_transmit_skb().
Since Linux 3.18 the GSO segment count is kept in the
tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
tcp_skb_cb structure to the new skb, so mainline and newer stable
branches are not affected.
Set skb_shared_info::gso_segs to the correct value of 1.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_output.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2933,6 +2933,7 @@ static int tcp_send_syn_data(struct sock
goto fallback;
syn_data->ip_summed = CHECKSUM_PARTIAL;
memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
+ skb_shinfo(syn_data)->gso_segs = 1;
if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
fo->data->msg_iov, 0, space))) {
kfree_skb(syn_data);
Patches currently in stable-queue which might be from ben@decadent.org.uk are
queue-3.14/tcp-fix-crash-in-tcp-fast-open.patch
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
` (4 preceding siblings ...)
2015-04-17 10:05 ` Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.14-stable tree gregkh
@ 2015-05-01 17:13 ` Kamal Mostafa
5 siblings, 0 replies; 8+ messages in thread
From: Kamal Mostafa @ 2015-05-01 17:13 UTC (permalink / raw)
To: Ben Hutchings; +Cc: stable, netdev, Eric Dumazet, 782515
On Wed, 2015-04-15 at 19:00 +0100, Ben Hutchings wrote:
> Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
> changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
> skb rather than using skb_copy_expand().
>
> The open-coded copy does not cover the skb_shared_info::gso_segs
> field, so in the new skb it is left set to 0. When this commit was
> backported into stable branches between 3.10.y and 3.16.7-ckty
> inclusive, it triggered the BUG() in tcp_transmit_skb().
>
> Since Linux 3.18 the GSO segment count is kept in the
> tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
> tcp_skb_cb structure to the new skb, so mainline and newer stable
> branches are not affected.
>
> Set skb_shared_info::gso_segs to the correct value of 1.
>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Queued for 3.13-stable. Thanks very much, Ben!
-Kamal
> ---
> net/ipv4/tcp_output.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
> index d5457e4..1ea0a07 100644
> --- a/net/ipv4/tcp_output.c
> +++ b/net/ipv4/tcp_output.c
> @@ -2992,6 +2992,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
> goto fallback;
> syn_data->ip_summed = CHECKSUM_PARTIAL;
> memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
> + skb_shinfo(syn_data)->gso_segs = 1;
> if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
> fo->data->msg_iov, 0, space))) {
> kfree_skb(syn_data);
>
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2015-05-01 17:13 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
2015-04-15 18:22 ` Eric Dumazet
2015-04-15 18:33 ` David Miller
2015-04-16 16:24 ` Luis Henriques
2015-04-17 9:43 ` Greg KH
2015-04-17 9:45 ` Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.10-stable tree gregkh
2015-04-17 10:05 ` Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.14-stable tree gregkh
2015-05-01 17:13 ` [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Kamal Mostafa
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.