Patch "tcp: fix overflow in __tcp_retransmit_skb()" has been added to the 4.4-stable tree

All of lore.kernel.org
 help / color / mirror / Atom feed

* Patch "tcp: fix overflow in __tcp_retransmit_skb()" has been added to the 4.4-stable tree
@ 2016-11-10 15:46 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2016-11-10 15:46 UTC (permalink / raw)
  To: edumazet, davem, gregkh; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    tcp: fix overflow in __tcp_retransmit_skb()

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tcp-fix-overflow-in-__tcp_retransmit_skb.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Thu Nov 10 16:42:45 CET 2016
From: Eric Dumazet <edumazet@google.com>
Date: Thu, 15 Sep 2016 08:12:33 -0700
Subject: tcp: fix overflow in __tcp_retransmit_skb()

From: Eric Dumazet <edumazet@google.com>


[ Upstream commit ffb4d6c8508657824bcef68a36b2a0f9d8c09d10 ]

If a TCP socket gets a large write queue, an overflow can happen
in a test in __tcp_retransmit_skb() preventing all retransmits.

The flow then stalls and resets after timeouts.

Tested:

sysctl -w net.core.wmem_max=1000000000
netperf -H dest -- -s 1000000000

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_output.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2569,7 +2569,8 @@ int __tcp_retransmit_skb(struct sock *sk
 	 * copying overhead: fragmentation, tunneling, mangling etc.
 	 */
 	if (atomic_read(&sk->sk_wmem_alloc) >
-	    min(sk->sk_wmem_queued + (sk->sk_wmem_queued >> 2), sk->sk_sndbuf))
+	    min_t(u32, sk->sk_wmem_queued + (sk->sk_wmem_queued >> 2),
+		  sk->sk_sndbuf))
 		return -EAGAIN;
 
 	if (skb_still_in_host_queue(sk, skb))


Patches currently in stable-queue which might be from edumazet@google.com are

queue-4.4/ipv4-use-the-right-lock-for-ping_group_range.patch
queue-4.4/ipv4-disable-bh-in-set_ping_group_range.patch
queue-4.4/tcp-fix-a-compile-error-in-dbgundo.patch
queue-4.4/net-avoid-sk_forward_alloc-overflows.patch
queue-4.4/udp-fix-ip_checksum-handling.patch
queue-4.4/netlink-do-not-enter-direct-reclaim-from-netlink_dump.patch
queue-4.4/ipv6-tcp-restore-ip6cb-for-pktoptions-skbs.patch
queue-4.4/tcp-fix-overflow-in-__tcp_retransmit_skb.patch
queue-4.4/packet-on-direct_xmit-limit-tso-and-csum-to-supported-devices.patch
queue-4.4/net-pktgen-remove-rcu-locking-in-pktgen_change_name.patch

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2016-11-10 15:47 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-10 15:46 Patch "tcp: fix overflow in __tcp_retransmit_skb()" has been added to the 4.4-stable tree gregkh

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.