From a17622a1c493c221dae4d8073f86a9f9749729e6 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 19 Mar 2012 16:34:26 -0700 Subject: [PATCH] 3.2-stable patches added patches: ipv6-don-t-dev_hold-dev-in-ip6_mc_find_dev_rcu.patch tcp-fix-syncookie-regression.patch --- ...-dev_hold-dev-in-ip6_mc_find_dev_rcu.patch | 34 ++++++ queue-3.2/series | 2 + queue-3.2/tcp-fix-syncookie-regression.patch | 107 ++++++++++++++++++ 3 files changed, 143 insertions(+) create mode 100644 queue-3.2/ipv6-don-t-dev_hold-dev-in-ip6_mc_find_dev_rcu.patch create mode 100644 queue-3.2/tcp-fix-syncookie-regression.patch diff --git a/queue-3.2/ipv6-don-t-dev_hold-dev-in-ip6_mc_find_dev_rcu.patch b/queue-3.2/ipv6-don-t-dev_hold-dev-in-ip6_mc_find_dev_rcu.patch new file mode 100644 index 00000000000..73996c74704 --- /dev/null +++ b/queue-3.2/ipv6-don-t-dev_hold-dev-in-ip6_mc_find_dev_rcu.patch @@ -0,0 +1,34 @@ +From 83a87eb0683a5166845b7ea0cb236eab039f693b Mon Sep 17 00:00:00 2001 +From: "RongQing.Li" +Date: Thu, 15 Mar 2012 22:54:14 +0000 +Subject: ipv6: Don't dev_hold(dev) in ip6_mc_find_dev_rcu. + + +From: RongQing.Li + +[ Upstream commit c577923756b7fe9071f28a76b66b83b306d1d001 ] + +ip6_mc_find_dev_rcu() is called with rcu_read_lock(), so don't +need to dev_hold(). +With dev_hold(), not corresponding dev_put(), will lead to leak. + +[ bug introduced in 96b52e61be1 (ipv6: mcast: RCU conversions) ] + +Signed-off-by: RongQing.Li +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/mcast.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -257,7 +257,6 @@ static struct inet6_dev *ip6_mc_find_dev + + if (rt) { + dev = rt->rt6i_dev; +- dev_hold(dev); + dst_release(&rt->dst); + } + } else diff --git a/queue-3.2/series b/queue-3.2/series index 76c97a77df5..ab89381b041 100644 --- a/queue-3.2/series +++ b/queue-3.2/series @@ -3,3 +3,5 @@ afs-read-of-file-returns-ebadmsg.patch afs-remote-abort-can-cause-bug-in-rxrpc-code.patch perf-tools-incorrect-use-of-snprintf-results-in-segv.patch perf-tools-use-scnprintf-where-applicable.patch +tcp-fix-syncookie-regression.patch +ipv6-don-t-dev_hold-dev-in-ip6_mc_find_dev_rcu.patch diff --git a/queue-3.2/tcp-fix-syncookie-regression.patch b/queue-3.2/tcp-fix-syncookie-regression.patch new file mode 100644 index 00000000000..2990f18a103 --- /dev/null +++ b/queue-3.2/tcp-fix-syncookie-regression.patch @@ -0,0 +1,107 @@ +From 3e9eb20e6f5e649c43be81677248c86a8e7b3961 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sat, 10 Mar 2012 09:20:21 +0000 +Subject: tcp: fix syncookie regression + + +From: Eric Dumazet + +[ Upstream commit dfd25ffffc132c00070eed64200e8950da5d7e9d ] + +commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) +added a serious regression on synflood handling. + +Simon Kirby discovered a successful connection was delayed by 20 seconds +before being responsive. + +In my tests, I discovered that xmit frames were lost, and needed ~4 +retransmits and a socket dst rebuild before being really sent. + +In case of syncookie initiated connection, we use a different path to +initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. + +As ip_queue_xmit() now depends on inet flow being setup, fix this by +copying the temp flowi4 we use in cookie_v4_check(). + +Reported-by: Simon Kirby +Bisected-by: Simon Kirby +Signed-off-by: Eric Dumazet +Tested-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/syncookies.c | 30 ++++++++++++++++-------------- + net/ipv4/tcp_ipv4.c | 10 +++++++--- + 2 files changed, 23 insertions(+), 17 deletions(-) + +--- a/net/ipv4/syncookies.c ++++ b/net/ipv4/syncookies.c +@@ -278,6 +278,7 @@ struct sock *cookie_v4_check(struct sock + struct rtable *rt; + __u8 rcv_wscale; + bool ecn_ok = false; ++ struct flowi4 fl4; + + if (!sysctl_tcp_syncookies || !th->ack || th->rst) + goto out; +@@ -346,20 +347,16 @@ struct sock *cookie_v4_check(struct sock + * hasn't changed since we received the original syn, but I see + * no easy way to do this. + */ +- { +- struct flowi4 fl4; +- +- flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), +- RT_SCOPE_UNIVERSE, IPPROTO_TCP, +- inet_sk_flowi_flags(sk), +- (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, +- ireq->loc_addr, th->source, th->dest); +- security_req_classify_flow(req, flowi4_to_flowi(&fl4)); +- rt = ip_route_output_key(sock_net(sk), &fl4); +- if (IS_ERR(rt)) { +- reqsk_free(req); +- goto out; +- } ++ flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), ++ RT_SCOPE_UNIVERSE, IPPROTO_TCP, ++ inet_sk_flowi_flags(sk), ++ (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, ++ ireq->loc_addr, th->source, th->dest); ++ security_req_classify_flow(req, flowi4_to_flowi(&fl4)); ++ rt = ip_route_output_key(sock_net(sk), &fl4); ++ if (IS_ERR(rt)) { ++ reqsk_free(req); ++ goto out; + } + + /* Try to redo what tcp_v4_send_synack did. */ +@@ -373,5 +370,10 @@ struct sock *cookie_v4_check(struct sock + ireq->rcv_wscale = rcv_wscale; + + ret = get_cookie_sock(sk, skb, req, &rt->dst); ++ /* ip_queue_xmit() depends on our flow being setup ++ * Normal sockets get it right from inet_csk_route_child_sock() ++ */ ++ if (ret) ++ inet_sk(ret)->cork.fl.u.ip4 = fl4; + out: return ret; + } +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1465,9 +1465,13 @@ struct sock *tcp_v4_syn_recv_sock(struct + inet_csk(newsk)->icsk_ext_hdr_len = inet_opt->opt.optlen; + newinet->inet_id = newtp->write_seq ^ jiffies; + +- if (!dst && (dst = inet_csk_route_child_sock(sk, newsk, req)) == NULL) +- goto put_and_exit; +- ++ if (!dst) { ++ dst = inet_csk_route_child_sock(sk, newsk, req); ++ if (!dst) ++ goto put_and_exit; ++ } else { ++ /* syncookie case : see end of cookie_v4_check() */ ++ } + sk_setup_caps(newsk, dst); + + tcp_mtup_init(newsk); -- 2.47.3