From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Matt Schnall <mischnal@google.com>,
Eric Dumazet <edumazet@google.com>,
Bernhard Beck <bbeck@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 06/27] tcp: fix tcp_md5_hash_skb_data()
Date: Tue, 25 Jun 2013 11:35:25 -0700 [thread overview]
Message-ID: <20130625183518.416599403@linuxfoundation.org> (raw)
In-Reply-To: <20130625183517.651770593@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e ]
TCP md5 communications fail [1] for some devices, because sg/crypto code
assume page offsets are below PAGE_SIZE.
This was discovered using mlx4 driver [2], but I suspect loopback
might trigger the same bug now we use order-3 pages in tcp_sendmsg()
[1] Failure is giving following messages.
huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
exited with 00000101?
[2] mlx4 driver uses order-2 pages to allocate RX frags
Reported-by: Matt Schnall <mischnal@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Bernhard Beck <bbeck@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3055,8 +3055,11 @@ int tcp_md5_hash_skb_data(struct tcp_md5
for (i = 0; i < shi->nr_frags; ++i) {
const struct skb_frag_struct *f = &shi->frags[i];
- struct page *page = skb_frag_page(f);
- sg_set_page(&sg, page, skb_frag_size(f), f->page_offset);
+ unsigned int offset = f->page_offset;
+ struct page *page = skb_frag_page(f) + (offset >> PAGE_SHIFT);
+
+ sg_set_page(&sg, page, skb_frag_size(f),
+ offset_in_page(offset));
if (crypto_hash_update(desc, &sg, skb_frag_size(f)))
return 1;
}
next prev parent reply other threads:[~2013-06-25 18:35 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-25 18:35 [ 00/27] 3.4.51-stable review Greg Kroah-Hartman
2013-06-25 18:35 ` [ 01/27] ALSA: usb-audio: Fix invalid volume resolution for Logitech HD Webcam c310 Greg Kroah-Hartman
2013-06-25 18:35 ` [ 02/27] ALSA: usb-audio: work around Android accessory firmware bug Greg Kroah-Hartman
2013-06-25 18:35 ` [ 03/27] clk: remove notifier from list before freeing it Greg Kroah-Hartman
2013-06-25 18:35 ` [ 04/27] tilepro: work around module link error with gcc 4.7 Greg Kroah-Hartman
2013-06-25 18:35 ` [ 05/27] KVM: x86: remove vcpus CPL check in host-invoked XCR set Greg Kroah-Hartman
2013-06-25 18:35 ` Greg Kroah-Hartman [this message]
2013-06-25 18:35 ` [ 07/27] gianfar: add missing iounmap() on error in gianfar_ptp_probe() Greg Kroah-Hartman
2013-06-25 18:35 ` [ 08/27] ipv6: fix possible crashes in ip6_cork_release() Greg Kroah-Hartman
2013-06-25 18:35 ` [ 09/27] netlabel: improve domain mapping validation Greg Kroah-Hartman
2013-06-25 18:35 ` [ 10/27] r8169: fix offloaded tx checksum for small packets Greg Kroah-Hartman
2013-06-25 18:35 ` [ 11/27] 8139cp: reset BQL when ring tx ring cleared Greg Kroah-Hartman
2013-06-25 18:35 ` [ 12/27] tcp: bug fix in proportional rate reduction Greg Kroah-Hartman
2013-06-25 18:35 ` [ 13/27] tcp: xps: fix reordering issues Greg Kroah-Hartman
2013-06-25 18:35 ` [ 14/27] ip_tunnel: fix kernel panic with icmp_dest_unreach Greg Kroah-Hartman
2013-06-25 18:35 ` [ 15/27] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg Greg Kroah-Hartman
2013-06-25 18:35 ` [ 16/27] net: force a reload of first item in hlist_nulls_for_each_entry_rcu Greg Kroah-Hartman
2013-06-25 18:35 ` [ 17/27] ipv6: assign rt6_info to inet6_ifaddr in init_loopback Greg Kroah-Hartman
2013-06-25 18:35 ` [ 18/27] net: sctp: fix NULL pointer dereference in socket destruction Greg Kroah-Hartman
2013-06-25 18:35 ` [ 19/27] team: check return value of team_get_port_by_index_rcu() for NULL Greg Kroah-Hartman
2013-06-25 18:35 ` [ 20/27] packet: packet_getname_spkt: make sure string is always 0-terminated Greg Kroah-Hartman
2013-06-25 18:35 ` [ 21/27] l2tp: Fix PPP header erasure and memory leak Greg Kroah-Hartman
2013-06-25 18:35 ` [ 22/27] l2tp: Fix sendmsg() return value Greg Kroah-Hartman
2013-06-25 18:35 ` [ 23/27] bonding: rlb mode of bond should not alter ARP originating via bridge Greg Kroah-Hartman
2013-06-25 18:35 ` [ 24/27] Input: cyttsp - fix memcpy size param Greg Kroah-Hartman
2013-06-25 18:35 ` [ 25/27] USB: serial: ti_usb_3410_5052: new device id for Abbot strip port cable Greg Kroah-Hartman
2013-06-25 18:35 ` [ 26/27] target/iscsi: dont corrupt bh_count in iscsit_stop_time2retain_timer() Greg Kroah-Hartman
2013-06-25 18:35 ` [ 27/27] inotify: invalid mask should return a error number but not set it Greg Kroah-Hartman
2013-06-25 19:39 ` [ 00/27] 3.4.51-stable review Guenter Roeck
2013-06-26 3:37 ` Greg Kroah-Hartman
2013-06-26 16:58 ` Shuah Khan
2013-06-26 17:02 ` [ 00/95] 3.9.8-stable review Shuah Khan
2013-06-26 17:10 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130625183518.416599403@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bbeck@google.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mischnal@google.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).