tcp: tcp_fragment() should not assume rtx skbs
authorEric Dumazet <edumazet@google.com>
Fri, 3 Nov 2017 01:10:03 +0000 (18:10 -0700)
committerDavid S. Miller <davem@davemloft.net>
Fri, 3 Nov 2017 07:02:56 +0000 (16:02 +0900)
While stress testing MTU probing, we had crashes in list_del() that we root-caused
to the fact that tcp_fragment() is unconditionally inserting the freshly allocated
skb into tsorted_sent_queue list.

But this list is supposed to contain skbs that were sent.
This was mostly harmless until MTU probing was enabled.

Fortunately we can use the tcp_queue enum added later (but in same linux version)
for rtx-rb-tree to fix the bug.

Fixes: e2080072ed2d ("tcp: new list for sent but unacked skbs for RACK recovery")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Soheil Hassas Yeganeh <soheil@google.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Priyaranjan Jha <priyarjha@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/tcp_output.c

index 06a0c89ffe408b58ee17bdafd81bb08c3eb2e3fd..822962ece2840824db3d89993f6889780cd2ab99 100644 (file)
@@ -1395,7 +1395,8 @@ int tcp_fragment(struct sock *sk, enum tcp_queue tcp_queue,
        /* Link BUFF into the send queue. */
        __skb_header_release(buff);
        tcp_insert_write_queue_after(skb, buff, sk, tcp_queue);
-       list_add(&buff->tcp_tsorted_anchor, &skb->tcp_tsorted_anchor);
+       if (tcp_queue == TCP_FRAG_IN_RTX_QUEUE)
+               list_add(&buff->tcp_tsorted_anchor, &skb->tcp_tsorted_anchor);
 
        return 0;
 }