From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrew Vagin <avagin@openvz.org>,
Pavel Emelyanov <xemul@parallels.com>,
Christoph Paasch <christoph.paasch@uclouvain.be>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.15 050/109] tcp: Fix divide by zero when pushing during tcp-repair
Date: Sat, 26 Jul 2014 12:02:12 -0700
Message-ID: <20140726190225.382467284@linuxfoundation.org>
In-Reply-To: <20140726190223.834037485@linuxfoundation.org>
3.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Paasch <christoph.paasch@uclouvain.be>
[ Upstream commit 5924f17a8a30c2ae18d034a86ee7581b34accef6 ]
When in repair-mode and TCP_RECV_QUEUE is set, we end up calling
tcp_push with mss_now being 0. If data is in the send-queue and
tcp_set_skb_tso_segs gets called, we crash because it will divide by
mss_now:
[ 347.151939] divide error: 0000 [#1] SMP
[ 347.152907] Modules linked in:
[ 347.152907] CPU: 1 PID: 1123 Comm: packetdrill Not tainted 3.16.0-rc2 #4
[ 347.152907] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 347.152907] task: f5b88540 ti: f3c82000 task.ti: f3c82000
[ 347.152907] EIP: 0060:[<c1601359>] EFLAGS: 00210246 CPU: 1
[ 347.152907] EIP is at tcp_set_skb_tso_segs+0x49/0xa0
[ 347.152907] EAX: 00000b67 EBX: f5acd080 ECX: 00000000 EDX: 00000000
[ 347.152907] ESI: f5a28f40 EDI: f3c88f00 EBP: f3c83d10 ESP: f3c83d00
[ 347.152907] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 347.152907] CR0: 80050033 CR2: 083158b0 CR3: 35146000 CR4: 000006b0
[ 347.152907] Stack:
[ 347.152907] c167f9d9 f5acd080 000005b4 00000002 f3c83d20 c16013e6 f3c88f00 f5acd080
[ 347.152907] f3c83da0 c1603b5a f3c83d38 c10a0188 00000000 00000000 f3c83d84 c10acc85
[ 347.152907] c1ad5ec0 00000000 00000000 c1ad679c 010003e0 00000000 00000000 f3c88fc8
[ 347.152907] Call Trace:
[ 347.152907] [<c167f9d9>] ? apic_timer_interrupt+0x2d/0x34
[ 347.152907] [<c16013e6>] tcp_init_tso_segs+0x36/0x50
[ 347.152907] [<c1603b5a>] tcp_write_xmit+0x7a/0xbf0
[ 347.152907] [<c10a0188>] ? up+0x28/0x40
[ 347.152907] [<c10acc85>] ? console_unlock+0x295/0x480
[ 347.152907] [<c10ad24f>] ? vprintk_emit+0x1ef/0x4b0
[ 347.152907] [<c1605716>] __tcp_push_pending_frames+0x36/0xd0
[ 347.152907] [<c15f4860>] tcp_push+0xf0/0x120
[ 347.152907] [<c15f7641>] tcp_sendmsg+0xf1/0xbf0
[ 347.152907] [<c116d920>] ? kmem_cache_free+0xf0/0x120
[ 347.152907] [<c106a682>] ? __sigqueue_free+0x32/0x40
[ 347.152907] [<c106a682>] ? __sigqueue_free+0x32/0x40
[ 347.152907] [<c114f0f0>] ? do_wp_page+0x3e0/0x850
[ 347.152907] [<c161c36a>] inet_sendmsg+0x4a/0xb0
[ 347.152907] [<c1150269>] ? handle_mm_fault+0x709/0xfb0
[ 347.152907] [<c15a006b>] sock_aio_write+0xbb/0xd0
[ 347.152907] [<c1180b79>] do_sync_write+0x69/0xa0
[ 347.152907] [<c1181023>] vfs_write+0x123/0x160
[ 347.152907] [<c1181d55>] SyS_write+0x55/0xb0
[ 347.152907] [<c167f0d8>] sysenter_do_call+0x12/0x28
This can easily be reproduced with the following packetdrill-script (the
"magic" with netem, sk_pacing and limit_output_bytes is done to prevent
the kernel from pushing all segments, because hitting the limit without
doing this is not so easy with packetdrill):
0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0
+0 < S 0:0(0) win 32792 <mss 1460>
+0 > S. 0:0(0) ack 1 <mss 1460>
+0.1 < . 1:1(0) ack 1 win 65000
+0 accept(3, ..., ...) = 4
// This forces that not all segments of the snd-queue will be pushed
+0 `tc qdisc add dev tun0 root netem delay 10ms`
+0 `sysctl -w net.ipv4.tcp_limit_output_bytes=2`
+0 setsockopt(4, SOL_SOCKET, 47, [2], 4) = 0
+0 write(4,...,10000) = 10000
+0 write(4,...,10000) = 10000
// Set tcp-repair stuff, particularly TCP_RECV_QUEUE
+0 setsockopt(4, SOL_TCP, 19, [1], 4) = 0
+0 setsockopt(4, SOL_TCP, 20, [1], 4) = 0
// This now will make the write push the remaining segments
+0 setsockopt(4, SOL_SOCKET, 47, [20000], 4) = 0
+0 `sysctl -w net.ipv4.tcp_limit_output_bytes=130000`
// Now we will crash
+0 write(4,...,1000) = 1000
This happens since ec3423257508 (tcp: fix retransmission in repair
mode). Prior to that, the call to tcp_push was prevented by a check for
tp->repair.
The patch fixes it by adding the new goto-label out_nopush. When exiting
tcp_sendmsg and a push is not required, which is the case for tp->repair,
we go to this label.
When repairing and calling send() with TCP_RECV_QUEUE, the data is
actually put in the receive-queue. So, no push is required because no
data has been added to the send-queue.
Cc: Andrew Vagin <avagin@openvz.org>
Cc: Pavel Emelyanov <xemul@parallels.com>
Fixes: ec3423257508 (tcp: fix retransmission in repair mode)
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Acked-by: Andrew Vagin <avagin@openvz.org>
Acked-by: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1108,7 +1108,7 @@ int tcp_sendmsg(struct kiocb *iocb, stru
if (unlikely(tp->repair)) {
if (tp->repair_queue == TCP_RECV_QUEUE) {
copied = tcp_send_rcvq(sk, msg, size);
- goto out;
+ goto out_nopush;
}
err = -EINVAL;
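Review bot: jumping to out_nopush here is the right fix because, as the commit message states, mss_now is still 0 on this path, so any tcp_push() would reach tcp_set_skb_tso_segs() with a zero divisor. The error handling is unchanged: a negative return from tcp_send_rcvq() still ends up in copied and is returned as before, just without the push. Worth a short comment above the goto saying that the data went to the receive queue and there is nothing in the send queue to push, since the reason is not obvious from the label name alone.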
@@ -1282,6 +1282,7 @@ wait_for_memory:
out:
if (copied)
tcp_push(sk, flags, mss_now, tp->nonagle, size_goal);
+out_nopush:
release_sock(sk);
return copied + copied_syn;
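Review bot: out_nopush: is correctly placed between tcp_push() and release_sock(), so the socket lock taken at entry is still dropped on the new path. A bare label with no comment is easy to misuse by a future goto, though; suggest a one-line comment such as `/* repair-mode write to the receive queue: nothing to push */` above the label, and consider a `WARN_ON_ONCE(!mss_now)` inside the `if (copied)` guard at out: so that any later path that reaches tcp_push() with mss_now == 0 is caught loudly rather than crashing in tcp_set_skb_tso_segs().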
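As an added illustration, not part of the patch or the kernel source, the following constructed userspace C model mirrors the tcp_sendmsg() exit paths described in the commit message and shows why the pre-patch `goto out` reaches the division in tcp_set_skb_tso_segs() with mss_now == 0 while the patched `goto out_nopush` does not. The struct, the function names and the -1 sentinel for the divide error are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (not kernel code) of tcp_sendmsg()'s exit paths. */
enum repair_queue { NO_QUEUE, RECV_QUEUE, SEND_QUEUE };

struct model_sock {
	bool repair;                    /* tp->repair */
	enum repair_queue repair_queue; /* tp->repair_queue */
	unsigned int mss;               /* what tcp_send_mss() would return */
	unsigned int send_queue;        /* unpushed bytes in the send queue */
};

/* tcp_set_skb_tso_segs() divides by mss_now unconditionally; the model
 * reports that hazard as -1 instead of taking a divide-error fault. */
static int tso_segs(unsigned int len, unsigned int mss_now)
{
	if (mss_now == 0)
		return -1;
	return (len + mss_now - 1) / mss_now;
}

/* Returns bytes accepted (or -22, EINVAL, for repair with no queue chosen).
 * *pushed receives tso_segs() of the push at out:, or 0 if nothing was pushed.
 * 'fixed' selects the patched path (goto out_nopush) for repair + RECV_QUEUE. */
static int model_sendmsg(struct model_sock *sk, unsigned int size,
			 bool fixed, int *pushed)
{
	unsigned int mss_now = 0; /* stays 0 whenever tcp_send_mss() is skipped */
	int copied = 0;

	*pushed = 0;
	if (sk->repair) {
		if (sk->repair_queue == RECV_QUEUE) {
			copied = (int)size; /* tcp_send_rcvq(): data goes to the receive queue */
			if (fixed)
				goto out_nopush;
			goto out;           /* pre-patch: push with mss_now == 0 */
		}
		if (sk->repair_queue == NO_QUEUE)
			return -22;         /* -EINVAL */
		/* SEND_QUEUE: ordinary send path below */
	}
	mss_now = sk->mss;                  /* tcp_send_mss() */
	sk->send_queue += size;
	copied = (int)size;
out:
	if (copied)
		*pushed = tso_segs(sk->send_queue, mss_now);
out_nopush:
	return copied;
}
```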