kernel-fxtec-pro1x/net
Ilpo Järvinen a6604471db tcp: fix skb vs fack_count out-of-sync condition
This bug is able to corrupt fackets_out in very rare cases.
In order for this to cause corruption:
  1) DSACK in the middle of previous SACK block must be generated.
  2) In order to take that particular branch, part or all of the
     DSACKed segment must already be SACKed so that we have that
     in cache in the first place.
  3) The new info must be top enough so that fackets_out will be
     updated on this iteration.
...then fack_count is updated while skb wasn't, then we walk again
that particular segment thus updating fack_count twice for
a single skb and finally that value is assigned to fackets_out
by tcp_sacktag_one.

It is safe to call tcp_sacktag_one just once for a segment (at
DSACK), no need to call again for plain SACK.

Potential problem of the miscount are limited to premature entry
to recovery and to inflated reordering metric (which could even
cancel each other out in the most the luckiest scenarios :-)).
Both are quite insignificant in worst case too and there exists
also code to reset them (fackets_out once sacked_out becomes zero
and reordering metric on RTO).

This has been reported by a number of people, because it occurred
quite rarely, it has been very evasive. Andy Furniss was able to
get it to occur couple of times so that a bit more info was
collected about the problem using a debug patch, though it still
required lot of checking around. Thanks also to others who have
tried to help here.

This is listed as Bugzilla #10346. The bug was introduced by
me in commit 68f8353b48 ([TCP]: Rewrite SACK block processing & 
sack_recv_cache use), I probably thought back then that there's
need to scan that entry twice or didn't dare to make it go
through it just once there. Going through twice would have
required restoring fack_count after the walk but as noted above,
I chose to drop the additional walk step altogether here.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-06-04 12:07:44 -07:00
..
9p 9p: fix error path during early mount 2008-05-14 19:23:27 -05:00
802 [TR] net/802/tr.c: sysctl_tr_rif_timeout static 2008-01-31 19:28:31 -08:00
8021q vlan: Use bitmask of feature flags instead of seperate feature bits 2008-05-23 00:27:50 -07:00
appletalk [NET] NETNS: Omit net_device->nd_net without CONFIG_NET_NS. 2008-03-26 04:39:53 +09:00
atm Revert "atm: Do not free already unregistered net device." 2008-05-06 00:00:16 -07:00
ax25 ax25: Fix NULL pointer dereference and lockup. 2008-06-03 14:53:46 -07:00
bluetooth bluetooth: rfcomm_dev_state_change deadlock fix 2008-06-03 14:27:17 -07:00
bridge bridge: Consolidate error paths in br_add_bridge(). 2008-05-04 17:58:07 -07:00
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-05-08 19:03:26 -07:00
core netlink: Improve returned error codes 2008-06-03 16:36:54 -07:00
dccp dccp ccid-3: Fix "t_ipi explosion" bug 2008-05-27 06:33:54 -07:00
decnet ip: Use inline function dst_metric() instead of direct access to dst->metric[] 2008-05-04 22:14:42 -07:00
econet net: Allow netdevices to specify needed head/tailroom 2008-05-12 20:48:31 -07:00
ethernet [NET]: Return more appropriate error from eth_validate_addr(). 2008-04-13 22:45:40 -07:00
ieee80211 Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2008-04-14 02:30:23 -07:00
ipv4 tcp: fix skb vs fack_count out-of-sync condition 2008-06-04 12:07:44 -07:00
ipv6 netfilter: nf_conntrack_ipv6: fix inconsistent lock state in nf_ct_frag6_gather() 2008-06-04 09:58:27 -07:00
ipx [NET] NETNS: Omit net_device->nd_net without CONFIG_NET_NS. 2008-03-26 04:39:53 +09:00
irda irda: Sock leak on error path in irda_create. 2008-06-03 15:18:36 -07:00
iucv iucv: Delay bus registration until core is ready. 2008-04-10 02:12:45 -07:00
key af_key: Fix selector family initialization. 2008-05-21 13:26:11 -07:00
lapb [LAPB] net/lapb/lapb_iface.c: use LIST_HEAD instead of LIST_HEAD_INIT 2008-01-28 14:56:52 -08:00
llc llc: Fix double accounting of received packets 2008-05-30 02:57:29 -07:00
mac80211 mac80211: fix alignment issue with compare_ether_addr() 2008-05-28 16:43:50 -04:00
netfilter netfilter: xt_connlimit: fix accouning when receive RST packet in ESTABLISHED state 2008-06-04 09:57:51 -07:00
netlabel Audit: collect sessionid in netlink messages 2008-04-28 06:18:03 -04:00
netlink netlink: Improve returned error codes 2008-06-03 16:36:54 -07:00
netrom [NET] NETNS: Omit sock->sk_net without CONFIG_NET_NS. 2008-03-26 04:39:55 +09:00
packet net: Allow netdevices to specify needed head/tailroom 2008-05-12 20:48:31 -07:00
rfkill rfkill: Fix device type check when toggling states 2008-04-15 15:04:35 -04:00
rose rose: Wrong list_lock argument in rose_node seqops 2008-05-02 17:03:22 -07:00
rxrpc net: Add missing braces to multi-statement if()s 2008-05-02 16:20:10 -07:00
sched netlink: Improve returned error codes 2008-06-03 16:36:54 -07:00
sctp sctp: Fix use of uninitialized pointer 2008-05-13 23:25:00 -07:00
sunrpc Merge branch 'for-2.6.26' of git://linux-nfs.org/~bfields/linux 2008-05-20 19:30:54 -07:00
tipc tipc: Increase buffer header to support worst-case device 2008-05-08 21:38:24 -07:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-04-24 08:40:34 -07:00
wanrouter [WANROUTER]: Use proc_create() to setup ->proc_fops first 2008-02-28 14:15:56 -08:00
wireless netlink: Improve returned error codes 2008-06-03 16:36:54 -07:00
x25 [NET] NETNS: Omit sock->sk_net without CONFIG_NET_NS. 2008-03-26 04:39:55 +09:00
xfrm xfrm: xfrm_algo: correct usage of RIPEMD-160 2008-06-04 12:04:55 -07:00
compat.c net: Add compat support for getsockopt (MCAST_MSFILTER) 2008-04-29 03:23:22 -07:00
Kconfig [IPV4]: Fix size description of CONFIG_INET. 2008-03-04 15:18:22 +09:00
Makefile [CAN]: Add PF_CAN core module 2008-01-28 14:54:10 -08:00
nonet.c
socket.c net: Unexport move_addr_to_{kernel,user} 2008-04-23 03:37:49 -07:00
sysctl_net.c net: fix returning void-valued expression warnings 2008-05-01 02:47:38 -07:00
TUNABLE