This is a note to let you know that I've just added the patch titled
tcp: Don't change unlocked socket state in tcp_v4_err().
to the 2.6.36-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
tcp-don-t-change-unlocked-socket-state-in-tcp_v4_err.patch
and it can be found in the queue-2.6.36 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
From 34eef919139f6a7558b43576b12b40731f12f7d7 Mon Sep 17 00:00:00 2001
From: David S. Miller <[email protected]>
Date: Fri, 12 Nov 2010 13:35:00 -0800
Subject: tcp: Don't change unlocked socket state in tcp_v4_err().
[ Upstream commit 8f49c2703b33519aaaccc63f571b465b9d2b3a2d ]
Alexey Kuznetsov noticed a regression introduced by
commit f1ecd5d9e7366609d640ff4040304ea197fbc618
("Revert Backoff [v3]: Revert RTO on ICMP destination unreachable").
The RTO and timer modification code added to tcp_v4_err()
doesn't check sock_owned_by_user(), which if true means we
don't have exclusive access to the socket and therefore cannot
modify its critical state.
Just skip this new code block if sock_owned_by_user() is true
and eliminate the now superfluous sock_owned_by_user() code
block contained within.
Reported-by: Alexey Kuznetsov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
CC: Damian Lukowski <[email protected]>
Acked-by: Eric Dumazet <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/ipv4/tcp_ipv4.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -415,6 +415,9 @@ void tcp_v4_err(struct sk_buff *icmp_skb
!icsk->icsk_backoff)
break;
+ if (sock_owned_by_user(sk))
+ break;
+
icsk->icsk_backoff--;
inet_csk(sk)->icsk_rto = __tcp_set_rto(tp) <<
icsk->icsk_backoff;
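Review bot: the new sock_owned_by_user(sk) check placed just before icsk->icsk_backoff-- carries no comment, and the reason for it is not obvious from the code alone. The lines that follow write icsk_backoff and icsk_rto, which are only safe to modify with exclusive access to the socket; a short comment above the check saying so would help keep later edits from moving state changes ahead of it. The comment should also say that the "break" means the RTO revert for this ICMP message is skipped rather than deferred, since the only deferral in this block was the HZ/20 timer re-arm that the second hunk removes.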
@@ -429,11 +432,6 @@ void tcp_v4_err(struct sk_buff *icmp_skb
if (remaining) {
inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
remaining, TCP_RTO_MAX);
- } else if (sock_owned_by_user(sk)) {
- /* RTO revert clocked out retransmission,
- * but socket is locked. Will defer. */
- inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
- HZ/20, TCP_RTO_MAX);
} else {
/* RTO revert clocked out retransmission.
* Will retransmit now */
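Review bot: with the "else if (sock_owned_by_user(sk))" branch gone, the remaining "else" branch and its "Will retransmit now" comment depend on the ownership check made earlier in the function, before icsk_backoff is decremented, and that dependency is no longer visible at this point. Consider extending the comment to state that the socket is known not to be owned by user here, so a later change to the early check does not leave this branch acting on a locked socket. The removal itself is consistent with the first hunk: the deleted branch was reached only after icsk_backoff and icsk_rto had already been modified, so deferring just the timer there did not protect the socket state.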
Patches currently in stable-queue which might be from [email protected] are
queue-2.6.36/driver-net-benet-fix-be_cmd_multicast_set-memcpy-bug.patch
queue-2.6.36/sparc64-delete-prom_puts-unused.patch
queue-2.6.36/sparc-remove-prom_pathtoinode.patch
queue-2.6.36/bridge-fix-ipv6-queries-for-bridge-multicast-snooping.patch
queue-2.6.36/tcp-protect-sysctl_tcp_cookie_size-reads.patch
queue-2.6.36/tcp-don-t-change-unlocked-socket-state-in-tcp_v4_err.patch
queue-2.6.36/net-dst-dst_dev_event-called-after-other-notifiers.patch
queue-2.6.36/r8169-fix-sleeping-while-holding-spinlock.patch
queue-2.6.36/l2tp-fix-modalias-of-l2tp_ip.patch
queue-2.6.36/sparc64-delete-prom_setcallback.patch
queue-2.6.36/pppoe.c-fix-kernel-panic-caused-by-__pppoe_xmit.patch
queue-2.6.36/bonding-fix-slave-selection-bug.patch
queue-2.6.36/sparc-do-not-export-prom_nb-get-put-char.patch
queue-2.6.36/econet-do-the-correct-cleanup-after-an-unprivileged-siocsifaddr.patch
queue-2.6.36/sparc-write-to-prom-console-using-indirect-buffer.patch
queue-2.6.36/econet-fix-crash-in-aun_incoming.patch
queue-2.6.36/sparc-delete-prom_-getchar.patch
queue-2.6.36/net-fix-skb_defer_rx_timestamp.patch
queue-2.6.36/net-fix-header-size-check-for-gso-case-in-recvmsg-af_packet.patch
queue-2.6.36/net-ax25-fix-information-leak-to-userland.patch
queue-2.6.36/sparc-kill-prom-devops_-32-64-.c.patch
queue-2.6.36/filter-fix-sk_filter-rcu-handling.patch
queue-2.6.36/cls_cgroup-fix-crash-on-module-unload.patch
queue-2.6.36/sparc-pass-buffer-pointer-all-the-way-down-to-prom_-get-put-char.patch
queue-2.6.36/af_unix-limit-unix_tot_inflight.patch
queue-2.6.36/tcp-increase-tcp_maxseg-socket-option-minimum.patch
queue-2.6.36/ifb-goto-resched-directly-if-error-happens-and-dp-tq-isn-t-empty.patch
queue-2.6.36/tcp-make-tcp_maxseg-minimum-more-correct.patch
queue-2.6.36/x25-decrement-netdev-reference-counts-on-unload.patch
queue-2.6.36/llc-fix-a-device-refcount-imbalance.patch
queue-2.6.36/tcp-bug-fix-in-initialization-of-receive-window.patch
queue-2.6.36/tehuti-firmware-filename-is-tehuti-bdx.bin.patch
queue-2.6.36/af_unix-limit-recursion-level.patch
queue-2.6.36/net-packet-fix-information-leak-to-userland.patch
queue-2.6.36/tcp-avoid-a-possible-divide-by-zero.patch
queue-2.6.36/sparc64-unexport-prom_service_exists.patch
queue-2.6.36/sparc-leon-removed-constant-timer-initialization-as-if-hz-100-now-it-reflects-the-value-of-hz.patch
queue-2.6.36/8139cp-fix-checksum-broken.patch