* [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open
@ 2015-04-15 18:00 Ben Hutchings
2015-04-15 18:22 ` Eric Dumazet
` (5 more replies)
0 siblings, 6 replies; 8+ messages in thread
From: Ben Hutchings @ 2015-04-15 18:00 UTC (permalink / raw)
To: stable; +Cc: netdev, Eric Dumazet, 782515
[-- Attachment #1: Type: text/plain, Size: 1501 bytes --]
Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
skb rather than using skb_copy_expand().
The open-coded copy does not cover the skb_shared_info::gso_segs
field, so in the new skb it is left set to 0. When this commit was
backported into stable branches between 3.10.y and 3.16.7-ckty
inclusive, it triggered the BUG() in tcp_transmit_skb().
Since Linux 3.18 the GSO segment count is kept in the
tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
tcp_skb_cb structure to the new skb, so mainline and newer stable
branches are not affected.
Set skb_shared_info::gso_segs to the correct value of 1.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/tcp_output.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index d5457e4..1ea0a07 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2992,6 +2992,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
goto fallback;
syn_data->ip_summed = CHECKSUM_PARTIAL;
memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
+ skb_shinfo(syn_data)->gso_segs = 1;
if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
fo->data->msg_iov, 0, space))) {
kfree_skb(syn_data);
--
Ben Hutchings
Editing code like this is akin to sticking plasters on the bleeding stump
of a severed limb. - me, 29 June 1999
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 811 bytes --]
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
@ 2015-04-15 18:22 ` Eric Dumazet
2015-04-15 18:33 ` David Miller
2015-04-16 16:24 ` Luis Henriques
` (4 subsequent siblings)
5 siblings, 1 reply; 8+ messages in thread
From: Eric Dumazet @ 2015-04-15 18:22 UTC (permalink / raw)
To: Ben Hutchings; +Cc: stable, netdev, 782515
On Wed, 2015-04-15 at 19:00 +0100, Ben Hutchings wrote:
> Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
> changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
> skb rather than using skb_copy_expand().
>
> The open-coded copy does not cover the skb_shared_info::gso_segs
> field, so in the new skb it is left set to 0. When this commit was
> backported into stable branches between 3.10.y and 3.16.7-ckty
> inclusive, it triggered the BUG() in tcp_transmit_skb().
>
> Since Linux 3.18 the GSO segment count is kept in the
> tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
> tcp_skb_cb structure to the new skb, so mainline and newer stable
> branches are not affected.
>
> Set skb_shared_info::gso_segs to the correct value of 1.
>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
> net/ipv4/tcp_output.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
> index d5457e4..1ea0a07 100644
> --- a/net/ipv4/tcp_output.c
> +++ b/net/ipv4/tcp_output.c
> @@ -2992,6 +2992,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
> goto fallback;
> syn_data->ip_summed = CHECKSUM_PARTIAL;
> memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
> + skb_shinfo(syn_data)->gso_segs = 1;
> if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
> fo->data->msg_iov, 0, space))) {
> kfree_skb(syn_data);
>
Looks goot to me, thanks Ben !
Acked-by: Eric Dumazet <edumazet@google.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open
2015-04-15 18:22 ` Eric Dumazet
@ 2015-04-15 18:33 ` David Miller
0 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2015-04-15 18:33 UTC (permalink / raw)
To: eric.dumazet; +Cc: ben, stable, netdev, 782515
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Wed, 15 Apr 2015 11:22:44 -0700
> On Wed, 2015-04-15 at 19:00 +0100, Ben Hutchings wrote:
>> Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
>> changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
>> skb rather than using skb_copy_expand().
>>
>> The open-coded copy does not cover the skb_shared_info::gso_segs
>> field, so in the new skb it is left set to 0. When this commit was
>> backported into stable branches between 3.10.y and 3.16.7-ckty
>> inclusive, it triggered the BUG() in tcp_transmit_skb().
>>
>> Since Linux 3.18 the GSO segment count is kept in the
>> tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
>> tcp_skb_cb structure to the new skb, so mainline and newer stable
>> branches are not affected.
>>
>> Set skb_shared_info::gso_segs to the correct value of 1.
>>
>> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
...
> Looks goot to me, thanks Ben !
>
> Acked-by: Eric Dumazet <edumazet@google.com>
Ben, thanks for taking care of this.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
2015-04-15 18:22 ` Eric Dumazet
@ 2015-04-16 16:24 ` Luis Henriques
2015-04-17 9:43 ` Greg KH
` (3 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Luis Henriques @ 2015-04-16 16:24 UTC (permalink / raw)
To: Ben Hutchings; +Cc: stable, netdev, Eric Dumazet, 782515
On Wed, Apr 15, 2015 at 07:00:32PM +0100, Ben Hutchings wrote:
> Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
> changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
> skb rather than using skb_copy_expand().
>
> The open-coded copy does not cover the skb_shared_info::gso_segs
> field, so in the new skb it is left set to 0. When this commit was
> backported into stable branches between 3.10.y and 3.16.7-ckty
> inclusive, it triggered the BUG() in tcp_transmit_skb().
>
> Since Linux 3.18 the GSO segment count is kept in the
> tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
> tcp_skb_cb structure to the new skb, so mainline and newer stable
> branches are not affected.
>
> Set skb_shared_info::gso_segs to the correct value of 1.
>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Thanks a lot, Ben. I'll queue this for the next 3.16 kernel release.
Cheers,
--
Luís
> ---
> net/ipv4/tcp_output.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
> index d5457e4..1ea0a07 100644
> --- a/net/ipv4/tcp_output.c
> +++ b/net/ipv4/tcp_output.c
> @@ -2992,6 +2992,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
> goto fallback;
> syn_data->ip_summed = CHECKSUM_PARTIAL;
> memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
> + skb_shinfo(syn_data)->gso_segs = 1;
> if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
> fo->data->msg_iov, 0, space))) {
> kfree_skb(syn_data);
>
> --
> Ben Hutchings
> Editing code like this is akin to sticking plasters on the bleeding stump
> of a severed limb. - me, 29 June 1999
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
2015-04-15 18:22 ` Eric Dumazet
2015-04-16 16:24 ` Luis Henriques
@ 2015-04-17 9:43 ` Greg KH
2015-04-17 9:45 ` Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.10-stable tree gregkh
` (2 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Greg KH @ 2015-04-17 9:43 UTC (permalink / raw)
To: Ben Hutchings; +Cc: stable, netdev, Eric Dumazet, 782515
On Wed, Apr 15, 2015 at 07:00:32PM +0100, Ben Hutchings wrote:
> Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
> changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
> skb rather than using skb_copy_expand().
>
> The open-coded copy does not cover the skb_shared_info::gso_segs
> field, so in the new skb it is left set to 0. When this commit was
> backported into stable branches between 3.10.y and 3.16.7-ckty
> inclusive, it triggered the BUG() in tcp_transmit_skb().
>
> Since Linux 3.18 the GSO segment count is kept in the
> tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
> tcp_skb_cb structure to the new skb, so mainline and newer stable
> branches are not affected.
>
> Set skb_shared_info::gso_segs to the correct value of 1.
>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
> net/ipv4/tcp_output.c | 1 +
> 1 file changed, 1 insertion(+)
Thanks for working on this and sending the patch out.
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread
* Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.10-stable tree
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
` (2 preceding siblings ...)
2015-04-17 9:43 ` Greg KH
@ 2015-04-17 9:45 ` gregkh
2015-04-17 10:05 ` Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.14-stable tree gregkh
2015-05-01 17:13 ` [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Kamal Mostafa
5 siblings, 0 replies; 8+ messages in thread
From: gregkh @ 2015-04-17 9:45 UTC (permalink / raw)
To: ben, edumazet, eric.dumazet, gregkh, netdev, stable
Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
tcp: Fix crash in TCP Fast Open
to the 3.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
tcp-fix-crash-in-tcp-fast-open.patch
and it can be found in the queue-3.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From ben@decadent.org.uk Fri Apr 17 11:41:49 2015
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 15 Apr 2015 19:00:32 +0100
Subject: tcp: Fix crash in TCP Fast Open
To: stable <stable@vger.kernel.org>
Cc: netdev <netdev@vger.kernel.org>, Eric Dumazet <eric.dumazet@gmail.com>, 782515@bugs.debian.org
Message-ID: <1429120832.3211.91.camel@decadent.org.uk>
From: Ben Hutchings <ben@decadent.org.uk>
Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
skb rather than using skb_copy_expand().
The open-coded copy does not cover the skb_shared_info::gso_segs
field, so in the new skb it is left set to 0. When this commit was
backported into stable branches between 3.10.y and 3.16.7-ckty
inclusive, it triggered the BUG() in tcp_transmit_skb().
Since Linux 3.18 the GSO segment count is kept in the
tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
tcp_skb_cb structure to the new skb, so mainline and newer stable
branches are not affected.
Set skb_shared_info::gso_segs to the correct value of 1.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_output.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2909,6 +2909,7 @@ static int tcp_send_syn_data(struct sock
goto fallback;
syn_data->ip_summed = CHECKSUM_PARTIAL;
memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
+ skb_shinfo(syn_data)->gso_segs = 1;
if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
fo->data->msg_iov, 0, space))) {
kfree_skb(syn_data);
Patches currently in stable-queue which might be from ben@decadent.org.uk are
queue-3.10/tcp-fix-crash-in-tcp-fast-open.patch
^ permalink raw reply [flat|nested] 8+ messages in thread
* Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.14-stable tree
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
` (3 preceding siblings ...)
2015-04-17 9:45 ` Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.10-stable tree gregkh
@ 2015-04-17 10:05 ` gregkh
2015-05-01 17:13 ` [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Kamal Mostafa
5 siblings, 0 replies; 8+ messages in thread
From: gregkh @ 2015-04-17 10:05 UTC (permalink / raw)
To: ben, edumazet, eric.dumazet, gregkh, netdev, stable
Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
tcp: Fix crash in TCP Fast Open
to the 3.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
tcp-fix-crash-in-tcp-fast-open.patch
and it can be found in the queue-3.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From ben@decadent.org.uk Fri Apr 17 11:41:49 2015
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 15 Apr 2015 19:00:32 +0100
Subject: tcp: Fix crash in TCP Fast Open
To: stable <stable@vger.kernel.org>
Cc: netdev <netdev@vger.kernel.org>, Eric Dumazet <eric.dumazet@gmail.com>, 782515@bugs.debian.org
Message-ID: <1429120832.3211.91.camel@decadent.org.uk>
From: Ben Hutchings <ben@decadent.org.uk>
Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
skb rather than using skb_copy_expand().
The open-coded copy does not cover the skb_shared_info::gso_segs
field, so in the new skb it is left set to 0. When this commit was
backported into stable branches between 3.10.y and 3.16.7-ckty
inclusive, it triggered the BUG() in tcp_transmit_skb().
Since Linux 3.18 the GSO segment count is kept in the
tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
tcp_skb_cb structure to the new skb, so mainline and newer stable
branches are not affected.
Set skb_shared_info::gso_segs to the correct value of 1.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_output.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2933,6 +2933,7 @@ static int tcp_send_syn_data(struct sock
goto fallback;
syn_data->ip_summed = CHECKSUM_PARTIAL;
memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
+ skb_shinfo(syn_data)->gso_segs = 1;
if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
fo->data->msg_iov, 0, space))) {
kfree_skb(syn_data);
Patches currently in stable-queue which might be from ben@decadent.org.uk are
queue-3.14/tcp-fix-crash-in-tcp-fast-open.patch
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
` (4 preceding siblings ...)
2015-04-17 10:05 ` Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.14-stable tree gregkh
@ 2015-05-01 17:13 ` Kamal Mostafa
5 siblings, 0 replies; 8+ messages in thread
From: Kamal Mostafa @ 2015-05-01 17:13 UTC (permalink / raw)
To: Ben Hutchings; +Cc: stable, netdev, Eric Dumazet, 782515
On Wed, 2015-04-15 at 19:00 +0100, Ben Hutchings wrote:
> Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
> changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
> skb rather than using skb_copy_expand().
>
> The open-coded copy does not cover the skb_shared_info::gso_segs
> field, so in the new skb it is left set to 0. When this commit was
> backported into stable branches between 3.10.y and 3.16.7-ckty
> inclusive, it triggered the BUG() in tcp_transmit_skb().
>
> Since Linux 3.18 the GSO segment count is kept in the
> tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
> tcp_skb_cb structure to the new skb, so mainline and newer stable
> branches are not affected.
>
> Set skb_shared_info::gso_segs to the correct value of 1.
>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Queued for 3.13-stable. Thanks very much, Ben!
-Kamal
> ---
> net/ipv4/tcp_output.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
> index d5457e4..1ea0a07 100644
> --- a/net/ipv4/tcp_output.c
> +++ b/net/ipv4/tcp_output.c
> @@ -2992,6 +2992,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
> goto fallback;
> syn_data->ip_summed = CHECKSUM_PARTIAL;
> memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
> + skb_shinfo(syn_data)->gso_segs = 1;
> if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
> fo->data->msg_iov, 0, space))) {
> kfree_skb(syn_data);
>
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2015-05-01 17:13 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-04-15 18:00 [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Ben Hutchings
2015-04-15 18:22 ` Eric Dumazet
2015-04-15 18:33 ` David Miller
2015-04-16 16:24 ` Luis Henriques
2015-04-17 9:43 ` Greg KH
2015-04-17 9:45 ` Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.10-stable tree gregkh
2015-04-17 10:05 ` Patch "tcp: Fix crash in TCP Fast Open" has been added to the 3.14-stable tree gregkh
2015-05-01 17:13 ` [PATCH stable 3.10-3.16] tcp: Fix crash in TCP Fast Open Kamal Mostafa
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).