--- /dev/null
+From ben@decadent.org.uk Fri Apr 17 11:41:49 2015
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 15 Apr 2015 19:00:32 +0100
+Subject: tcp: Fix crash in TCP Fast Open
+To: stable <stable@vger.kernel.org>
+Cc: netdev <netdev@vger.kernel.org>, Eric Dumazet <eric.dumazet@gmail.com>, 782515@bugs.debian.org
+Message-ID: <1429120832.3211.91.camel@decadent.org.uk>
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
+changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
+skb rather than using skb_copy_expand().
+
+The open-coded copy does not cover the skb_shared_info::gso_segs
+field, so in the new skb it is left set to 0. When this commit was
+backported into stable branches between 3.10.y and 3.16.7-ckty
+inclusive, it triggered the BUG() in tcp_transmit_skb().
+
+Since Linux 3.18 the GSO segment count is kept in the
+tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
+tcp_skb_cb structure to the new skb, so mainline and newer stable
+branches are not affected.
+
+Set skb_shared_info::gso_segs to the correct value of 1.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/tcp_output.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2909,6 +2909,7 @@ static int tcp_send_syn_data(struct sock
+ goto fallback;
+ syn_data->ip_summed = CHECKSUM_PARTIAL;
+ memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
++ skb_shinfo(syn_data)->gso_segs = 1;
+ if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
+ fo->data->msg_iov, 0, space))) {
+ kfree_skb(syn_data);
projects / thirdparty / kernel / stable-queue.git / commitdiff
