diff options
| author | Alexey Kodanev <alexey.kodanev@oracle.com> | 2015-03-27 05:24:22 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-03-29 16:36:05 -0400 |
| commit | 4ad19de8774e2a7b075b3e8ea48db85adcf33fa6 (patch) | |
| tree | e71b0da1f6f8b68c20ab7d26aa68dfbcdbcc584f /net/ipv6 | |
| parent | 2ff2acf1fb65f1c83c41b67aba990c6d49a2274c (diff) | |
net: tcp6: fix double call of tcp_v6_fill_cb()
tcp_v6_fill_cb() will be called twice if socket's state changes from
TCP_TIME_WAIT to TCP_LISTEN. That can result in control buffer data
corruption because in the second tcp_v6_fill_cb() call it's not copying
IP6CB(skb) anymore, but 'seq', 'end_seq', etc., so we can get weird and
unpredictable results. Performance loss of up to 1200% has been observed
in LTP/vxlan03 test.
This can be fixed by copying inet6_skb_parm to the beginning of 'cb'
only if xfrm6_policy_check() and tcp_v6_fill_cb() are going to be
called again.
Fixes: 2dc49d1680b53 ("tcp6: don't move IP6CB before xfrm6_policy_check()")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/tcp_ipv6.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index b283a498f7a4..1f5e62229aaa 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c | |||
| @@ -1411,6 +1411,15 @@ static void tcp_v6_fill_cb(struct sk_buff *skb, const struct ipv6hdr *hdr, | |||
| 1411 | TCP_SKB_CB(skb)->sacked = 0; | 1411 | TCP_SKB_CB(skb)->sacked = 0; |
| 1412 | } | 1412 | } |
| 1413 | 1413 | ||
| 1414 | static void tcp_v6_restore_cb(struct sk_buff *skb) | ||
| 1415 | { | ||
| 1416 | /* We need to move header back to the beginning if xfrm6_policy_check() | ||
| 1417 | * and tcp_v6_fill_cb() are going to be called again. | ||
| 1418 | */ | ||
| 1419 | memmove(IP6CB(skb), &TCP_SKB_CB(skb)->header.h6, | ||
| 1420 | sizeof(struct inet6_skb_parm)); | ||
| 1421 | } | ||
| 1422 | |||
| 1414 | static int tcp_v6_rcv(struct sk_buff *skb) | 1423 | static int tcp_v6_rcv(struct sk_buff *skb) |
| 1415 | { | 1424 | { |
| 1416 | const struct tcphdr *th; | 1425 | const struct tcphdr *th; |
| @@ -1543,6 +1552,7 @@ do_time_wait: | |||
| 1543 | inet_twsk_deschedule(tw, &tcp_death_row); | 1552 | inet_twsk_deschedule(tw, &tcp_death_row); |
| 1544 | inet_twsk_put(tw); | 1553 | inet_twsk_put(tw); |
| 1545 | sk = sk2; | 1554 | sk = sk2; |
| 1555 | tcp_v6_restore_cb(skb); | ||
| 1546 | goto process; | 1556 | goto process; |
| 1547 | } | 1557 | } |
| 1548 | /* Fall through to ACK */ | 1558 | /* Fall through to ACK */ |
| @@ -1551,6 +1561,7 @@ do_time_wait: | |||
| 1551 | tcp_v6_timewait_ack(sk, skb); | 1561 | tcp_v6_timewait_ack(sk, skb); |
| 1552 | break; | 1562 | break; |
| 1553 | case TCP_TW_RST: | 1563 | case TCP_TW_RST: |
| 1564 | tcp_v6_restore_cb(skb); | ||
| 1554 | goto no_tcp_socket; | 1565 | goto no_tcp_socket; |
| 1555 | case TCP_TW_SUCCESS: | 1566 | case TCP_TW_SUCCESS: |
| 1556 | ; | 1567 | ; |