path: root/net/ipv6/tcp_ipv6.c
diff options
authorAlexey Kodanev <alexey.kodanev@oracle.com>2015-03-27 12:24:22 +0300
committerDavid S. Miller <davem@davemloft.net>2015-03-29 13:36:05 -0700
commit4ad19de8774e2a7b075b3e8ea48db85adcf33fa6 (patch)
treee71b0da1f6f8b68c20ab7d26aa68dfbcdbcc584f /net/ipv6/tcp_ipv6.c
parent2ff2acf1fb65f1c83c41b67aba990c6d49a2274c (diff)
net: tcp6: fix double call of tcp_v6_fill_cb()
tcp_v6_fill_cb() will be called twice if socket's state changes from TCP_TIME_WAIT to TCP_LISTEN. That can result in control buffer data corruption because in the second tcp_v6_fill_cb() call it's not copying IP6CB(skb) anymore, but 'seq', 'end_seq', etc., so we can get weird and unpredictable results. Performance loss of up to 1200% has been observed in LTP/vxlan03 test. This can be fixed by copying inet6_skb_parm to the beginning of 'cb' only if xfrm6_policy_check() and tcp_v6_fill_cb() are going to be called again. Fixes: 2dc49d1680b53 ("tcp6: don't move IP6CB before xfrm6_policy_check()") Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/tcp_ipv6.c')
1 files changed, 11 insertions, 0 deletions
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index b283a498f7a4..1f5e62229aaa 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1411,6 +1411,15 @@ static void tcp_v6_fill_cb(struct sk_buff *skb, const struct ipv6hdr *hdr,
TCP_SKB_CB(skb)->sacked = 0;
+static void tcp_v6_restore_cb(struct sk_buff *skb)
+ /* We need to move header back to the beginning if xfrm6_policy_check()
+ * and tcp_v6_fill_cb() are going to be called again.
+ */
+ memmove(IP6CB(skb), &TCP_SKB_CB(skb)->header.h6,
+ sizeof(struct inet6_skb_parm));
static int tcp_v6_rcv(struct sk_buff *skb)
const struct tcphdr *th;
@@ -1543,6 +1552,7 @@ do_time_wait:
inet_twsk_deschedule(tw, &tcp_death_row);
sk = sk2;
+ tcp_v6_restore_cb(skb);
goto process;
/* Fall through to ACK */
@@ -1551,6 +1561,7 @@ do_time_wait:
tcp_v6_timewait_ack(sk, skb);
case TCP_TW_RST:
+ tcp_v6_restore_cb(skb);
goto no_tcp_socket;

Privacy Policy