• Herbert Xu's avatar
    [TCP]: Fix bug #5070: kernel BUG at net/ipv4/tcp_output.c:864 · 35d59efd
    Herbert Xu authored
    1) We send out a normal sized packet with TSO on to start off.
    2) ICMP is received indicating a smaller MTU.
    3) We send the current sk_send_head which needs to be fragmented
    since it was created before the ICMP event.  The first fragment
    is then sent out.
    
    At this point the remaining fragment is allocated by tcp_fragment.
    However, its size is padded to fit the L1 cache-line size therefore
    creating tail-room up to 124 bytes long.
    
    This fragment will also be sitting at sk_send_head.
    
    4) tcp_sendmsg is called again and it stores data in the tail-room of
    of the fragment.
    5) tcp_push_one is called by tcp_sendmsg which then calls tso_fragment
    since the packet as a whole exceeds the MTU.
    
    At this point we have a packet that has data in the head area being
    fed to tso_fragment which bombs out.
    
    My take on this is that we shouldn't ever call tcp_fragment on a TSO
    socket for a packet that is yet to be transmitted since this creates
    a packet on sk_send_head that cannot be extended.
    
    So here is a patch to change it so that tso_fragment is always used
    in this case.
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    35d59efd
tcp_output.c 58.7 KB