From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Andrew Prout <aprout@ll.mit.edu>,
Jonathan Lemon <jonathan.lemon@gmail.com>,
Michal Kubecek <mkubecek@suse.cz>,
Neal Cardwell <ncardwell@google.com>,
Yuchung Cheng <ycheng@google.com>,
Christoph Paasch <cpaasch@apple.com>,
Jonathan Looney <jtl@netflix.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.4 05/21] tcp: be more careful in tcp_fragment()
Date: Fri, 9 Aug 2019 15:45:09 +0200 [thread overview]
Message-ID: <20190809134241.798600233@linuxfoundation.org> (raw)
In-Reply-To: <20190809134241.565496442@linuxfoundation.org>
[ Upstream commit b617158dc096709d8600c53b6052144d12b89fab ]
Some applications set tiny SO_SNDBUF values and expect
TCP to just work. Recent patches to address CVE-2019-11478
broke them in case of losses, since retransmits might
be prevented.
We should allow these flows to make progress.
This patch allows the first and last skb in retransmit queue
to be split even if memory limits are hit.
It also adds the some room due to the fact that tcp_sendmsg()
and tcp_sendpage() might overshoot sk_wmem_queued by about one full
TSO skb (64KB size). Note this allowance was already present
in stable backports for kernels < 4.15
Note for < 4.15 backports :
tcp_rtx_queue_tail() will probably look like :
static inline struct sk_buff *tcp_rtx_queue_tail(const struct sock *sk)
{
struct sk_buff *skb = tcp_send_head(sk);
return skb ? tcp_write_queue_prev(sk, skb) : tcp_write_queue_tail(sk);
}
Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrew Prout <aprout@ll.mit.edu>
Tested-by: Andrew Prout <aprout@ll.mit.edu>
Tested-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Tested-by: Michal Kubecek <mkubecek@suse.cz>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Christoph Paasch <cpaasch@apple.com>
Cc: Jonathan Looney <jtl@netflix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/tcp.h | 17 +++++++++++++++++
net/ipv4/tcp_output.c | 11 ++++++++++-
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 77438a8406ecf..0410fd29d5695 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1526,6 +1526,23 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
tcp_sk(sk)->highest_sack = NULL;
}
+static inline struct sk_buff *tcp_rtx_queue_head(const struct sock *sk)
+{
+ struct sk_buff *skb = tcp_write_queue_head(sk);
+
+ if (skb == tcp_send_head(sk))
+ skb = NULL;
+
+ return skb;
+}
+
+static inline struct sk_buff *tcp_rtx_queue_tail(const struct sock *sk)
+{
+ struct sk_buff *skb = tcp_send_head(sk);
+
+ return skb ? tcp_write_queue_prev(sk, skb) : tcp_write_queue_tail(sk);
+}
+
static inline void __tcp_add_write_queue_tail(struct sock *sk, struct sk_buff *skb)
{
__skb_queue_tail(&sk->sk_write_queue, skb);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 53edd60fd3817..76ffce0c18aeb 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1151,6 +1151,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
struct tcp_sock *tp = tcp_sk(sk);
struct sk_buff *buff;
int nsize, old_factor;
+ long limit;
int nlen;
u8 flags;
@@ -1161,7 +1162,15 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
if (nsize < 0)
nsize = 0;
- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) {
+ /* tcp_sendmsg() can overshoot sk_wmem_queued by one full size skb.
+ * We need some allowance to not penalize applications setting small
+ * SO_SNDBUF values.
+ * Also allow first and last skb in retransmit queue to be split.
+ */
+ limit = sk->sk_sndbuf + 2 * SKB_TRUESIZE(GSO_MAX_SIZE);
+ if (unlikely((sk->sk_wmem_queued >> 1) > limit &&
+ skb != tcp_rtx_queue_head(sk) &&
+ skb != tcp_rtx_queue_tail(sk))) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
return -ENOMEM;
}
--
2.20.1
next prev parent reply other threads:[~2019-08-09 13:46 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-09 13:45 [PATCH 4.4 00/21] 4.4.189-stable review Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 01/21] arm64: cpufeature: Fix CTR_EL0 field definitions Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 02/21] arm64: cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG} Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 03/21] netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 04/21] HID: Add quirk for HP X1200 PIXART OEM mouse Greg Kroah-Hartman
2019-08-09 13:45 ` Greg Kroah-Hartman [this message]
2019-08-09 13:45 ` [PATCH 4.4 06/21] atm: iphase: Fix Spectre v1 vulnerability Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 07/21] net: bridge: delete local fdb on device init failure Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 08/21] net: fix ifindex collision during namespace removal Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 09/21] tipc: compat: allow tipc commands without arguments Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 10/21] net: sched: Fix a possible null-pointer dereference in dequeue_func() Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 11/21] net/mlx5: Use reversed order when unregister devices Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 12/21] bnx2x: Disable multi-cos feature Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 13/21] compat_ioctl: pppoe: fix PPPOEIOCSFWD handling Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 14/21] block: blk_init_allocated_queue() set q->fq as NULL in the fail case Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 15/21] spi: bcm2835: Fix 3-wire mode if DMA is enabled Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 16/21] x86: cpufeatures: Sort feature word 7 Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 17/21] x86/entry/64: Fix context tracking state warning when load_gs_index fails Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 18/21] x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 19/21] x86/speculation: Enable " Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 20/21] x86/entry/64: Use JMP instead of JMPQ Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.4 21/21] x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS Greg Kroah-Hartman
2019-08-09 22:08 ` [PATCH 4.4 00/21] 4.4.189-stable review shuah
2019-08-10 4:15 ` kernelci.org bot
2019-08-10 15:45 ` Guenter Roeck
2019-08-10 16:02 ` Dan Rue
2019-08-11 7:37 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190809134241.798600233@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aprout@ll.mit.edu \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jonathan.lemon@gmail.com \
--cc=jtl@netflix.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mkubecek@suse.cz \
--cc=ncardwell@google.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=ycheng@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).