From: Greg Kroah-Hartman Date: Fri, 11 Aug 2017 21:14:53 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v3.18.65~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=91f855e9af9b14f1726e5c0571aa68b1c4847e8b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch net-account-for-current-skb-length-when-deciding-about-ufo.patch --- diff --git a/queue-4.4/ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch b/queue-4.4/ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch new file mode 100644 index 00000000000..f710990281e --- /dev/null +++ b/queue-4.4/ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch @@ -0,0 +1,42 @@ +From 0a28cfd51e17f4f0a056bcf66bfbe492c3b99f38 Mon Sep 17 00:00:00 2001 +From: zheng li +Date: Mon, 12 Dec 2016 09:56:05 +0800 +Subject: ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output + +From: zheng li + +commit 0a28cfd51e17f4f0a056bcf66bfbe492c3b99f38 upstream. + +There is an inconsistent conditional judgement in __ip_append_data and +ip_finish_output functions, the variable length in __ip_append_data just +include the length of application's payload and udp header, don't include +the length of ip header, but in ip_finish_output use +(skb->len > ip_skb_dst_mtu(skb)) as judgement, and skb->len include the +length of ip header. + +That causes some particular application's udp payload whose length is +between (MTU - IP Header) and MTU were fragmented by ip_fragment even +though the rst->dev support UFO feature. + +Add the length of ip header to length in __ip_append_data to keep +consistent conditional judgement as ip_finish_output for ip fragment. + +Signed-off-by: Zheng Li +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/ip_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -923,7 +923,7 @@ static int __ip_append_data(struct sock + + cork->length += length; + if ((skb && skb_is_gso(skb)) || +- ((length > mtu) && ++ (((length + fragheaderlen) > mtu) && + (skb_queue_len(queue) <= 1) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len && diff --git a/queue-4.4/net-account-for-current-skb-length-when-deciding-about-ufo.patch b/queue-4.4/net-account-for-current-skb-length-when-deciding-about-ufo.patch new file mode 100644 index 00000000000..dffc85222cd --- /dev/null +++ b/queue-4.4/net-account-for-current-skb-length-when-deciding-about-ufo.patch @@ -0,0 +1,76 @@ +From a5cb659bbc1c8644efa0c3138a757a1e432a4880 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= +Date: Mon, 19 Jun 2017 13:03:43 +0200 +Subject: net: account for current skb length when deciding about UFO + +From: Michal Kubeček + +commit a5cb659bbc1c8644efa0c3138a757a1e432a4880 upstream. + +Our customer encountered stuck NFS writes for blocks starting at specific +offsets w.r.t. page boundary caused by networking stack sending packets via +UFO enabled device with wrong checksum. The problem can be reproduced by +composing a long UDP datagram from multiple parts using MSG_MORE flag: + + sendto(sd, buff, 1000, MSG_MORE, ...); + sendto(sd, buff, 1000, MSG_MORE, ...); + sendto(sd, buff, 3000, 0, ...); + +Assume this packet is to be routed via a device with MTU 1500 and +NETIF_F_UFO enabled. When second sendto() gets into __ip_append_data(), +this condition is tested (among others) to decide whether to call +ip_ufo_append_data(): + + ((length + fragheaderlen) > mtu) || (skb && skb_is_gso(skb)) + +At the moment, we already have skb with 1028 bytes of data which is not +marked for GSO so that the test is false (fragheaderlen is usually 20). +Thus we append second 1000 bytes to this skb without invoking UFO. Third +sendto(), however, has sufficient length to trigger the UFO path so that we +end up with non-UFO skb followed by a UFO one. Later on, udp_send_skb() +uses udp_csum() to calculate the checksum but that assumes all fragments +have correct checksum in skb->csum which is not true for UFO fragments. + +When checking against MTU, we need to add skb->len to length of new segment +if we already have a partially filled skb and fragheaderlen only if there +isn't one. + +In the IPv6 case, skb can only be null if this is the first segment so that +we have to use headersize (length of the first IPv6 header) rather than +fragheaderlen (length of IPv6 header of further fragments) for skb == NULL. + +Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") +Fixes: e4c5e13aa45c ("ipv6: Should use consistent conditional judgement for + ip6 fragment between __ip6_append_data and ip6_finish_output") +Signed-off-by: Michal Kubecek +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/ip_output.c | 2 +- + net/ipv6/ip6_output.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -923,7 +923,7 @@ static int __ip_append_data(struct sock + + cork->length += length; + if ((skb && skb_is_gso(skb)) || +- (((length + fragheaderlen) > mtu) && ++ (((length + (skb ? skb->len : fragheaderlen)) > mtu) && + (skb_queue_len(queue) <= 1) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len && +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1358,7 +1358,7 @@ emsgsize: + + cork->length += length; + if ((skb && skb_is_gso(skb)) || +- (((length + fragheaderlen) > mtu) && ++ (((length + (skb ? skb->len : headersize)) > mtu) && + (skb_queue_len(queue) <= 1) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && diff --git a/queue-4.4/series b/queue-4.4/series index f562cf29497..472d30f660d 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -11,3 +11,5 @@ udp-consistently-apply-ufo-or-fragmentation.patch sparc64-prevent-perf-from-running-during-super-critical-sections.patch kvm-arm-arm64-handle-hva-aging-while-destroying-the-vm.patch mm-mempool-avoid-kasan-marking-mempool-poison-checks-as-use-after-free.patch +ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch +net-account-for-current-skb-length-when-deciding-about-ufo.patch