From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Andrew Prout <aprout@ll.mit.edu>,
Jonathan Lemon <jonathan.lemon@gmail.com>,
Michal Kubecek <mkubecek@suse.cz>,
Neal Cardwell <ncardwell@google.com>,
Yuchung Cheng <ycheng@google.com>,
Christoph Paasch <cpaasch@apple.com>,
Jonathan Looney <jtl@netflix.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.1 23/62] tcp: be more careful in tcp_fragment()
Date: Fri, 26 Jul 2019 17:24:35 +0200
Message-ID: <20190726152304.117729660@linuxfoundation.org>
In-Reply-To: <20190726152301.720139286@linuxfoundation.org>

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit b617158dc096709d8600c53b6052144d12b89fab ]

Some applications set tiny SO_SNDBUF values and expect
TCP to just work. Recent patches to address CVE-2019-11478
broke them in case of losses, since retransmits might
be prevented.

We should allow these flows to make progress.

This patch allows the first and last skb in retransmit queue
to be split even if memory limits are hit.

It also adds some room due to the fact that tcp_sendmsg()
and tcp_sendpage() might overshoot sk_wmem_queued by about one full
TSO skb (64KB size). Note this allowance was already present
in stable backports for kernels < 4.15

Note for < 4.15 backports :
tcp_rtx_queue_tail() will probably look like :

static inline struct sk_buff *tcp_rtx_queue_tail(const struct sock *sk)
{
	struct sk_buff *skb = tcp_send_head(sk);

	return skb ? tcp_write_queue_prev(sk, skb) : tcp_write_queue_tail(sk);
}

Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrew Prout <aprout@ll.mit.edu>
Tested-by: Andrew Prout <aprout@ll.mit.edu>
Tested-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Tested-by: Michal Kubecek <mkubecek@suse.cz>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Christoph Paasch <cpaasch@apple.com>
Cc: Jonathan Looney <jtl@netflix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/tcp.h | 5 +++++
net/ipv4/tcp_output.c | 13 +++++++++++--
2 files changed, 16 insertions(+), 2 deletions(-)
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1679,6 +1679,11 @@ static inline struct sk_buff *tcp_rtx_qu
return skb_rb_first(&sk->tcp_rtx_queue);
}
+static inline struct sk_buff *tcp_rtx_queue_tail(const struct sock *sk)
+{
+ return skb_rb_last(&sk->tcp_rtx_queue);
+}
+
static inline struct sk_buff *tcp_write_queue_head(const struct sock *sk)
{
return skb_peek(&sk->sk_write_queue);
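Review bot: tcp_rtx_queue_tail() is added without a comment saying what it returns when the retransmit queue is empty, and the only caller in this patch compares its result by pointer (skb != tcp_rtx_queue_tail(sk)). A one-line comment above the helper stating the empty-queue return value would make that comparison easier to audit, and would help the < 4.15 backport mentioned in the commit message, where the helper is built from tcp_send_head() and tcp_write_queue_prev() instead of skb_rb_last().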
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1289,6 +1289,7 @@ int tcp_fragment(struct sock *sk, enum t
struct tcp_sock *tp = tcp_sk(sk);
struct sk_buff *buff;
int nsize, old_factor;
+ long limit;
int nlen;
u8 flags;
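Review bot: "long limit" is declared among int locals (nsize, old_factor, nlen) with no stated reason for the wider type. If the intent is headroom for the sum assigned to it later in the function, note that long is no wider than int on 32-bit builds; a short comment on the type choice, or an explicitly sized type, would remove the ambiguity.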
@@ -1299,8 +1300,16 @@ int tcp_fragment(struct sock *sk, enum t
if (nsize < 0)
nsize = 0;
- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf &&
- tcp_queue != TCP_FRAG_IN_WRITE_QUEUE)) {
+ /* tcp_sendmsg() can overshoot sk_wmem_queued by one full size skb.
+ * We need some allowance to not penalize applications setting small
+ * SO_SNDBUF values.
+ * Also allow first and last skb in retransmit queue to be split.
+ */
+ limit = sk->sk_sndbuf + 2 * SKB_TRUESIZE(GSO_MAX_SIZE);
+ if (unlikely((sk->sk_wmem_queued >> 1) > limit &&
+ tcp_queue != TCP_FRAG_IN_WRITE_QUEUE &&
+ skb != tcp_rtx_queue_head(sk) &&
+ skb != tcp_rtx_queue_tail(sk))) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
return -ENOMEM;
}
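Review bot: the new comment says tcp_sendmsg() can overshoot by "one full size skb", but the limit adds 2 * SKB_TRUESIZE(GSO_MAX_SIZE) and is compared against sk_wmem_queued >> 1, so the effective allowance on sk_wmem_queued is about four full-size skbs. The comment should say why the factor is 2 and that the comparison is against half of the queued memory, so a later reader does not "correct" either constant. It is also worth stating in the comment that the head and tail exemptions are unconditional: those two skbs can be split at any value of sk_wmem_queued, and only mid-queue skbs still reach the LINUX_MIB_TCPWQUEUETOOBIG path.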
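A user-space model of the check described in the commit message, before and after this patch, as an added example that is not part of the original patch or kernel code. The names refused_before(), refused_after(), first_refused_wmem() and MODEL_TSO_TRUESIZE are hypothetical, and the 576-byte skb overhead and the 4608-byte SO_SNDBUF are constructed values.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumption: stand-in for SKB_TRUESIZE(GSO_MAX_SIZE). 64KB of payload plus
 * a constructed 576 bytes of skb overhead; the real value is build-dependent. */
#define MODEL_TSO_TRUESIZE (65536L + 576L)

enum frag_queue { IN_WRITE_QUEUE, IN_RTX_QUEUE };
enum rtx_pos { RTX_HEAD, RTX_MIDDLE, RTX_TAIL };

/* Check as it stood after f070ef2ac667 (the removed lines of the patch). */
static bool refused_before(long wmem_queued, long sndbuf, enum frag_queue q)
{
	return (wmem_queued >> 1) > sndbuf && q != IN_WRITE_QUEUE;
}

/* Check after this patch: larger allowance, head and tail always splittable. */
static bool refused_after(long wmem_queued, long sndbuf, enum frag_queue q,
			  enum rtx_pos pos)
{
	long limit = sndbuf + 2 * MODEL_TSO_TRUESIZE;

	return (wmem_queued >> 1) > limit && q != IN_WRITE_QUEUE &&
	       pos != RTX_HEAD && pos != RTX_TAIL;
}

/* Smallest sk_wmem_queued at which a mid-queue split is refused after the patch. */
static long first_refused_wmem(long sndbuf)
{
	return 2 * (sndbuf + 2 * MODEL_TSO_TRUESIZE + 1);
}

int main(void)
{
	const long sndbuf = 4608;	/* constructed tiny SO_SNDBUF */
	const long bloated = 400000;	/* constructed oversized queue */

	printf("one TSO skb queued, rtx head: before=%d after=%d\n",
	       refused_before(MODEL_TSO_TRUESIZE, sndbuf, IN_RTX_QUEUE),
	       refused_after(MODEL_TSO_TRUESIZE, sndbuf, IN_RTX_QUEUE, RTX_HEAD));
	printf("oversized queue, rtx middle:  after=%d\n",
	       refused_after(bloated, sndbuf, IN_RTX_QUEUE, RTX_MIDDLE));
	printf("oversized queue, rtx tail:    after=%d\n",
	       refused_after(bloated, sndbuf, IN_RTX_QUEUE, RTX_TAIL));
	printf("mid-queue refusals start at sk_wmem_queued=%ld\n",
	       first_refused_wmem(sndbuf));
	return 0;
}
```

With these values a single queued TSO skb is enough to trip the old check on a retransmit, while the new check still refuses mid-queue splits once the queue is far beyond the allowance.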