From 1cb96976d134a40724d91a3f5080b6b29f311f7e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 17 Apr 2015 11:45:03 +0200 Subject: [PATCH] 3.10-stable patches added patches: tcp-fix-crash-in-tcp-fast-open.patch --- queue-3.10/series | 1 + .../tcp-fix-crash-in-tcp-fast-open.patch | 44 +++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 queue-3.10/tcp-fix-crash-in-tcp-fast-open.patch diff --git a/queue-3.10/series b/queue-3.10/series index cfa43d0037b..ac13415a368 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -2,3 +2,4 @@ alsa-hda-add-one-more-node-in-the-eapd-supporting-candidate-list.patch alsa-usb-creative-usb-x-fi-pro-sb1095-volume-knob-support.patch alsa-hda-fix-headphone-pin-config-for-lifebook-t731.patch selinux-fix-sel_write_enforce-broken-return-value.patch +tcp-fix-crash-in-tcp-fast-open.patch diff --git a/queue-3.10/tcp-fix-crash-in-tcp-fast-open.patch b/queue-3.10/tcp-fix-crash-in-tcp-fast-open.patch new file mode 100644 index 00000000000..647884e2290 --- /dev/null +++ b/queue-3.10/tcp-fix-crash-in-tcp-fast-open.patch @@ -0,0 +1,44 @@ +From ben@decadent.org.uk Fri Apr 17 11:41:49 2015 +From: Ben Hutchings +Date: Wed, 15 Apr 2015 19:00:32 +0100 +Subject: tcp: Fix crash in TCP Fast Open +To: stable +Cc: netdev , Eric Dumazet , 782515@bugs.debian.org +Message-ID: <1429120832.3211.91.camel@decadent.org.uk> + +From: Ben Hutchings + +Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly") +changed tcp_send_syn_data() to perform an open-coded copy of the 'syn' +skb rather than using skb_copy_expand(). + +The open-coded copy does not cover the skb_shared_info::gso_segs +field, so in the new skb it is left set to 0. When this commit was +backported into stable branches between 3.10.y and 3.16.7-ckty +inclusive, it triggered the BUG() in tcp_transmit_skb(). + +Since Linux 3.18 the GSO segment count is kept in the +tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the +tcp_skb_cb structure to the new skb, so mainline and newer stable +branches are not affected. + +Set skb_shared_info::gso_segs to the correct value of 1. + +Signed-off-by: Ben Hutchings +Acked-by: Eric Dumazet +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_output.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2909,6 +2909,7 @@ static int tcp_send_syn_data(struct sock + goto fallback; + syn_data->ip_summed = CHECKSUM_PARTIAL; + memcpy(syn_data->cb, syn->cb, sizeof(syn->cb)); ++ skb_shinfo(syn_data)->gso_segs = 1; + if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space), + fo->data->msg_iov, 0, space))) { + kfree_skb(syn_data); -- 2.47.3