From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	alan@lxorguk.ukuu.org.uk, Petr Matousek <pmatouse@redhat.com>,
	Jesper Dangaard Brouer <brouer@redhat.com>,
	Eric Dumazet <edumazet@google.com>,
	Stephen Hemminger <shemminger@vyatta.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [ 50/66] net: fix divide by zero in tcp algorithm illinois
Date: Wed, 14 Nov 2012 20:10:55 -0800
Message-ID: <20121115040942.738788784@linuxfoundation.org>
In-Reply-To: <20121115040939.016421011@linuxfoundation.org>

3.6-stable review patch.  If anyone has any objections, please let me know.

------------------


From: Jesper Dangaard Brouer <brouer@redhat.com>

[ Upstream commit 8f363b77ee4fbf7c3bbcf5ec2c5ca482d396d664 ]

Reading TCP stats when using TCP Illinois congestion control algorithm
can cause a divide by zero kernel oops.

The division by zero occurs in tcp_illinois_info() at:
 do_div(t, ca->cnt_rtt);
where ca->cnt_rtt can become zero (when rtt_reset is called)

Steps to Reproduce:
 1. Register tcp_illinois:
     # sysctl -w net.ipv4.tcp_congestion_control=illinois
 2. Monitor internal TCP information via command "ss -i"
     # watch -d ss -i
 3. Establish new TCP conn to machine

Either it fails at the initial conn, or else it needs to wait
for a loss or a reset.

This is only related to reading stats.  The function avg_delay() also
performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its
calling point in update_params().  Thus, simply fix tcp_illinois_info().

Function tcp_illinois_info() / get_info() is called without
socket lock.  Thus, eliminate any race condition on ca->cnt_rtt
by using a local stack variable.  Simply reuse info.tcpv_rttcnt,
as it's already set to ca->cnt_rtt.
Function avg_delay() is not affected by this race condition, as
it's called with the socket lock.

Cc: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_illinois.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/net/ipv4/tcp_illinois.c
+++ b/net/ipv4/tcp_illinois.c
@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct soc
 			.tcpv_rttcnt = ca->cnt_rtt,
 			.tcpv_minrtt = ca->base_rtt,
 		};
-		u64 t = ca->sum_rtt;
 
-		do_div(t, ca->cnt_rtt);
-		info.tcpv_rtt = t;
+		if (info.tcpv_rttcnt > 0) {
+			u64 t = ca->sum_rtt;
 
+			do_div(t, info.tcpv_rttcnt);
+			info.tcpv_rtt = t;
+		}
 		nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
 	}
 }
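
Review bot: inside the new `if (info.tcpv_rttcnt > 0)` block, `u64 t = ca->sum_rtt;` is still loaded from the shared state after the count has been snapshotted into `info`, so on this lockless path the sum and the count can come from opposite sides of a reset. The divide by zero is closed, but the reported average can pair a fresh (small or zero) sum with a stale count. Consider copying `ca->sum_rtt` into a local right next to the `.tcpv_rttcnt = ca->cnt_rtt` snapshot. Since the whole fix depends on `ca->cnt_rtt` being loaded exactly once, a one-line comment saying that the divisor must be `info.tcpv_rttcnt` and not `ca->cnt_rtt` would keep a later cleanup from reintroducing the race, and an `ACCESS_ONCE()` on the load would make the single read explicit to the compiler. It is also worth stating that when the count is zero `info.tcpv_rtt` is deliberately left at its initializer value (zero, assuming the initializer lines above this hunk do not set it), since that is what `ss -i` will now display.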


