git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit
UBUNTU: SAUCE: tcp: limit payload size of sacked skbs
author Eric Dumazet <edumazet@google.com>
Fri, 31 May 2019 20:59:27 +0000 (20:59 +0000)
committer Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
Tue, 4 Jun 2019 20:32:03 +0000 (17:32 -0300)
commit 196379e675ffc658eb2414426d3f55311a575b46
tree 9f8a389785eba2cd5cab6363b7c7ca512cc5fd29
parent d23c845c7be0f961f77300005443927758fa9dd1
UBUNTU: SAUCE: tcp: limit payload size of sacked skbs

Jonathan Looney reported that TCP can trigger the following crash
in tcp_shifted_skb():

BUG_ON(tcp_skb_pcount(skb) < pcount);

This can happen if the remote peer has advertised the smallest
MSS that Linux TCP accepts: 48

An skb can hold 17 fragments, and each fragment can hold 32KB
on x86, or 64KB on PowerPC.

This means that the 16-bit width of TCP_SKB_CB(skb)->tcp_gso_segs
can overflow.

Note that tcp_sendmsg() builds skbs with less than 64KB
of payload, so this problem needs SACK to be enabled.
SACK blocks allow TCP to coalesce multiple skbs in the retransmit
queue, thus filling the 17 fragments to maximal capacity.

Fixes: 832d11c5cd07 ("tcp: Try to restore large SKBs while SACK processing")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jonathan Looney <jtl@netflix.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Bruce Curtis <brucec@netflix.com>
BugLink: https://bugs.launchpad.net/bugs/1831637
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
include/linux/tcp.h
include/net/tcp.h
net/ipv4/tcp.c
net/ipv4/tcp_input.c
net/ipv4/tcp_output.c
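
The arithmetic behind the overflow described in the commit message, as an added user-space model (not code from this commit or from the kernel). It assumes each segment carries 40 bytes of TCP options, so an MSS of 48 leaves 8 payload bytes; the macro names and `can_shift()` are hypothetical and only illustrate the kind of bound the commit title refers to.

```c
#include <stdint.h>
#include <stdio.h>

/* Values taken from the commit message. */
#define MAX_FRAGS       17u            /* fragments an skb can hold */
#define FRAG_BYTES_X86  (32u * 1024u)  /* 32KB per fragment on x86 */
#define FRAG_BYTES_PPC  (64u * 1024u)  /* 64KB per fragment on PowerPC */
#define MIN_MSS         48u            /* smallest MSS Linux TCP accepts */
/* Assumption (not on the page): full 40-byte TCP option space in use. */
#define TCP_OPT_SPACE   40u
#define MIN_SEG_PAYLOAD (MIN_MSS - TCP_OPT_SPACE)  /* 8 bytes per segment */

/* Segments needed to carry len bytes at seg bytes per segment. */
static uint32_t seg_count(uint32_t len, uint32_t seg)
{
    return (len + seg - 1) / seg;
}

/* What a 16-bit counter such as tcp_gso_segs would store for that count. */
static uint16_t stored_segs(uint32_t len, uint32_t seg)
{
    return (uint16_t)seg_count(len, seg);
}

/* Hypothetical guard: allow moving shift_len bytes (pcount segments) into an
 * skb only while byte and segment totals still fit a 16-bit segment counter.
 * Returns 1 if the shift is allowed, 0 if it must be refused. */
static int can_shift(uint32_t to_len, uint32_t to_segs,
                     uint32_t shift_len, uint32_t pcount)
{
    if (to_len + shift_len >= 65535u * MIN_SEG_PAYLOAD)
        return 0;
    if (to_segs + pcount > 65535u)
        return 0;
    return 1;
}

int main(void)
{
    uint32_t full = MAX_FRAGS * FRAG_BYTES_X86;  /* 17 full fragments */

    printf("payload bytes:   %u\n", full);
    printf("real segments:   %u\n", seg_count(full, MIN_SEG_PAYLOAD));
    printf("16-bit counter:  %u\n", stored_segs(full, MIN_SEG_PAYLOAD));
    printf("guard on final merge: %d\n", can_shift(500000, 62500, 57056, 7132));
    return 0;
}
```

The stored counter is smaller than the real segment count, which is the state the `BUG_ON(tcp_skb_pcount(skb) < pcount)` check in the commit message trips on.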