This is a note to let you know that I've just added the patch titled
tcp: fix splice() and tcp collapsing interaction
to the 3.7-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
tcp-fix-splice-and-tcp-collapsing-interaction.patch
and it can be found in the queue-3.7 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From a2252d0dd0d7345a6266c6c1c5c3e7ff7025c207 Mon Sep 17 00:00:00 2001
From: Eric Dumazet <[email protected]>
Date: Wed, 9 Jan 2013 20:59:09 +0000
Subject: tcp: fix splice() and tcp collapsing interaction
From: Eric Dumazet <[email protected]>
[ Upstream commit f26845b43c75d3f32f98d194c1327b5b1e6b3fb0 ]
Under unusual circumstances, TCP collapse can split a big GRO TCP packet
while its being used in a splice(socket->pipe) operation.
skb_splice_bits() releases the socket lock before calling
splice_to_pipe().
[ 1081.353685] WARNING: at net/ipv4/tcp.c:1330 tcp_cleanup_rbuf+0x4d/0xfc()
[ 1081.371956] Hardware name: System x3690 X5 -[7148Z68]-
[ 1081.391820] cleanup rbuf bug: copied AD3BCF1 seq AD370AF rcvnxt AD3CF13
To fix this problem, we must eat skbs in tcp_recv_skb().
Remove the inline keyword from tcp_recv_skb() definition since
it has three call sites.
Reported-by: Christian Becker <[email protected]>
Cc: Willy Tarreau <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Tested-by: Willy Tarreau <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/ipv4/tcp.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1427,12 +1427,12 @@ static void tcp_service_net_dma(struct s
}
#endif
-static inline struct sk_buff *tcp_recv_skb(struct sock *sk, u32 seq, u32 *off)
+static struct sk_buff *tcp_recv_skb(struct sock *sk, u32 seq, u32 *off)
{
struct sk_buff *skb;
u32 offset;
- skb_queue_walk(&sk->sk_receive_queue, skb) {
+ while ((skb = skb_peek(&sk->sk_receive_queue)) != NULL) {
offset = seq - TCP_SKB_CB(skb)->seq;
if (tcp_hdr(skb)->syn)
offset--;
@@ -1440,6 +1440,11 @@ static inline struct sk_buff *tcp_recv_s
*off = offset;
return skb;
}
+ /* This looks weird, but this can happen if TCP collapsing
+ * splitted a fat GRO packet, while we released socket lock
+ * in skb_splice_bits()
+ */
+ sk_eat_skb(sk, skb, false);
}
return NULL;
}
@@ -1519,8 +1524,10 @@ int tcp_read_sock(struct sock *sk, read_
tcp_rcv_space_adjust(sk);
/* Clean up data we have read: This will do ACK frames. */
- if (copied > 0)
+ if (copied > 0) {
+ tcp_recv_skb(sk, seq, &offset);
tcp_cleanup_rbuf(sk, copied);
+ }
return copied;
}
EXPORT_SYMBOL(tcp_read_sock);
Patches currently in stable-queue which might be from [email protected] are
queue-3.7/tcp-frto-should-not-set-snd_cwnd-to-0.patch
queue-3.7/net-splice-avoid-high-order-page-splitting.patch
queue-3.7/ipv6-ip6_gre-fix-error-case-handling-in-ip6gre_tunnel_xmit.patch
queue-3.7/tcp-fix-a-panic-on-up-machines-in-reqsk_fastopen_remove.patch
queue-3.7/ip_gre-fix-kernel-panic-in-ip_gre-with-gre-csum.patch
queue-3.7/tcp-fix-for-zero-packets_in_flight-was-too-broad.patch
queue-3.7/tcp-fix-splice-and-tcp-collapsing-interaction.patch
queue-3.7/net-prevent-setting-ttl-0-via-ip_ttl.patch
queue-3.7/tcp-don-t-abort-splice-after-small-transfers.patch
queue-3.7/macvlan-fix-macvlan_get_size.patch
queue-3.7/net-splice-fix-__splice_segment.patch
queue-3.7/net-wireless-overwrite-default_ethtool_ops.patch
queue-3.7/netxen-fix-off-by-one-bug-in-netxen_release_tx_buffer.patch
queue-3.7/net-loopback-fix-a-dst-refcounting-issue.patch
queue-3.7/tcp-fix-incorrect-lockdroppedicmps-counter.patch
queue-3.7/tcp-splice-fix-an-infinite-loop-in-tcp_read_sock.patch
queue-3.7/tcp-fix-an-infinite-loop-in-tcp_slow_start.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
