From: Luis Henriques <luis.henriques@canonical.com>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: stable <stable@vger.kernel.org>, netdev <netdev@vger.kernel.org>,
Eric Dumazet <eric.dumazet@gmail.com>,
782515@bugs.debian.org
Subject: Re: [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open
Date: Thu, 16 Apr 2015 17:24:05 +0100 [thread overview]
Message-ID: <20150416162405.GF5949@hercules> (raw)
In-Reply-To: <1429120832.3211.91.camel@decadent.org.uk>
On Wed, Apr 15, 2015 at 07:00:32PM +0100, Ben Hutchings wrote:
> Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
> changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
> skb rather than using skb_copy_expand().
>
> The open-coded copy does not cover the skb_shared_info::gso_segs
> field, so in the new skb it is left set to 0. When this commit was
> backported into stable branches between 3.10.y and 3.16.7-ckty
> inclusive, it triggered the BUG() in tcp_transmit_skb().
>
> Since Linux 3.18 the GSO segment count is kept in the
> tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
> tcp_skb_cb structure to the new skb, so mainline and newer stable
> branches are not affected.
>
> Set skb_shared_info::gso_segs to the correct value of 1.
>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Thanks a lot, Ben. I'll queue this for the next 3.16 kernel release.
Cheers,
--
Luís
> ---
> net/ipv4/tcp_output.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
> index d5457e4..1ea0a07 100644
> --- a/net/ipv4/tcp_output.c
> +++ b/net/ipv4/tcp_output.c
> @@ -2992,6 +2992,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
> goto fallback;
> syn_data->ip_summed = CHECKSUM_PARTIAL;
> memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
> + skb_shinfo(syn_data)->gso_segs = 1;
> if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
> fo->data->msg_iov, 0, space))) {
> kfree_skb(syn_data);
>
> --
> Ben Hutchings
> Editing code like this is akin to sticking plasters on the bleeding stump
> of a severed limb. - me, 29 June 1999
next prev parent reply other threads:[~2015-04-16 16:24 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
2015-04-15 18:22 ` Eric Dumazet
2015-04-15 18:33 ` David Miller
2015-04-16 16:24 ` Luis Henriques [this message]
2015-04-17 9:43 ` Greg KH
2015-04-17 9:45 ` Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.10-stable tree gregkh
2015-04-17 10:05 ` Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.14-stable tree gregkh
2015-05-01 17:13 ` [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Kamal Mostafa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150416162405.GF5949@hercules \
--to=luis.henriques@canonical.com \
--cc=782515@bugs.debian.org \
--cc=ben@decadent.org.uk \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.