2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
|
* IPv6 output functions
|
2007-02-09 14:24:49 +00:00
|
|
|
* Linux INET6 implementation
|
2005-04-16 22:20:36 +00:00
|
|
|
*
|
|
|
|
|
* Authors:
|
2007-02-09 14:24:49 +00:00
|
|
|
* Pedro Roque <roque@di.fc.ul.pt>
|
2005-04-16 22:20:36 +00:00
|
|
|
*
|
|
|
|
|
* Based on linux/net/ipv4/ip_output.c
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
|
* as published by the Free Software Foundation; either version
|
|
|
|
|
* 2 of the License, or (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* Changes:
|
|
|
|
|
* A.N.Kuznetsov : airthmetics in fragmentation.
|
|
|
|
|
* extension headers are implemented.
|
|
|
|
|
* route changes now work.
|
|
|
|
|
* ip6_forward does not confuse sniffers.
|
|
|
|
|
* etc.
|
|
|
|
|
*
|
|
|
|
|
* H. von Brand : Added missing #include <linux/string.h>
|
|
|
|
|
* Imran Patel : frag id should be in NBO
|
|
|
|
|
* Kazunori MIYAZAWA @USAGI
|
|
|
|
|
* : add ip6_append_data and related functions
|
|
|
|
|
* for datagram xmit
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/errno.h>
|
2008-01-12 03:15:08 +00:00
|
|
|
#include <linux/kernel.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/string.h>
|
|
|
|
|
#include <linux/socket.h>
|
|
|
|
|
#include <linux/net.h>
|
|
|
|
|
#include <linux/netdevice.h>
|
|
|
|
|
#include <linux/if_arp.h>
|
|
|
|
|
#include <linux/in6.h>
|
|
|
|
|
#include <linux/tcp.h>
|
|
|
|
|
#include <linux/route.h>
|
2006-05-28 06:05:54 +00:00
|
|
|
#include <linux/module.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 08:04:11 +00:00
|
|
|
#include <linux/slab.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
#include <linux/netfilter.h>
|
|
|
|
|
#include <linux/netfilter_ipv6.h>
|
|
|
|
|
|
|
|
|
|
#include <net/sock.h>
|
|
|
|
|
#include <net/snmp.h>
|
|
|
|
|
|
|
|
|
|
#include <net/ipv6.h>
|
|
|
|
|
#include <net/ndisc.h>
|
|
|
|
|
#include <net/protocol.h>
|
|
|
|
|
#include <net/ip6_route.h>
|
|
|
|
|
#include <net/addrconf.h>
|
|
|
|
|
#include <net/rawv6.h>
|
|
|
|
|
#include <net/icmp.h>
|
|
|
|
|
#include <net/xfrm.h>
|
|
|
|
|
#include <net/checksum.h>
|
2008-04-03 00:22:53 +00:00
|
|
|
#include <linux/mroute6.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-01-12 03:15:08 +00:00
|
|
|
int __ip6_local_out(struct sk_buff *skb)
|
|
|
|
|
{
|
|
|
|
|
int len;
|
|
|
|
|
|
|
|
|
|
len = skb->len - sizeof(struct ipv6hdr);
|
|
|
|
|
if (len > IPV6_MAXPLEN)
|
|
|
|
|
len = 0;
|
|
|
|
|
ipv6_hdr(skb)->payload_len = htons(len);
|
|
|
|
|
|
2010-03-23 03:09:07 +00:00
|
|
|
return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
|
|
|
|
|
skb_dst(skb)->dev, dst_output);
|
2008-01-12 03:15:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int ip6_local_out(struct sk_buff *skb)
|
|
|
|
|
{
|
|
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
err = __ip6_local_out(skb);
|
|
|
|
|
if (likely(err == 1))
|
|
|
|
|
err = dst_output(skb);
|
|
|
|
|
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(ip6_local_out);
|
|
|
|
|
|
2010-04-13 13:28:11 +00:00
|
|
|
static int ip6_finish_output2(struct sk_buff *skb)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2009-06-02 05:19:30 +00:00
|
|
|
struct dst_entry *dst = skb_dst(skb);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct net_device *dev = dst->dev;
|
2011-07-14 14:53:20 +00:00
|
|
|
struct neighbour *neigh;
|
2013-01-17 12:54:00 +00:00
|
|
|
struct in6_addr *nexthop;
|
|
|
|
|
int ret;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
skb->protocol = htons(ETH_P_IPV6);
|
|
|
|
|
skb->dev = dev;
|
|
|
|
|
|
2007-04-26 00:54:47 +00:00
|
|
|
if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr)) {
|
2009-06-02 05:19:30 +00:00
|
|
|
struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-01-07 04:37:01 +00:00
|
|
|
if (!(dev->flags & IFF_LOOPBACK) && sk_mc_loop(skb->sk) &&
|
ipv6: ip6mr: support multiple tables
This patch adds support for multiple independant multicast routing instances,
named "tables".
Userspace multicast routing daemons can bind to a specific table instance by
issuing a setsockopt call using a new option MRT6_TABLE. The table number is
stored in the raw socket data and affects all following ip6mr setsockopt(),
getsockopt() and ioctl() calls. By default, a single table (RT6_TABLE_DFLT)
is created with a default routing rule pointing to it. Newly created pim6reg
devices have the table number appended ("pim6regX"), with the exception of
devices created in the default table, which are named just "pim6reg" for
compatibility reasons.
Packets are directed to a specific table instance using routing rules,
similar to how regular routing rules work. Currently iif, oif and mark
are supported as keys, source and destination addresses could be supported
additionally.
Example usage:
- bind pimd/xorp/... to a specific table:
uint32_t table = 123;
setsockopt(fd, SOL_IPV6, MRT6_TABLE, &table, sizeof(table));
- create routing rules directing packets to the new table:
# ip -6 mrule add iif eth0 lookup 123
# ip -6 mrule add oif eth0 lookup 123
Signed-off-by: Patrick McHardy <kaber@trash.net>
2010-05-11 12:40:55 +00:00
|
|
|
((mroute6_socket(dev_net(dev), skb) &&
|
2008-12-11 00:07:08 +00:00
|
|
|
!(IP6CB(skb)->flags & IP6SKB_FORWARDED)) ||
|
2008-04-03 00:22:53 +00:00
|
|
|
ipv6_chk_mcast_addr(dev, &ipv6_hdr(skb)->daddr,
|
|
|
|
|
&ipv6_hdr(skb)->saddr))) {
|
2005-04-16 22:20:36 +00:00
|
|
|
struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
|
|
|
|
|
|
|
|
|
|
/* Do not check for IFF_ALLMULTI; multicast routing
|
|
|
|
|
is not supported in any case.
|
|
|
|
|
*/
|
|
|
|
|
if (newskb)
|
2010-03-23 03:09:07 +00:00
|
|
|
NF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING,
|
|
|
|
|
newskb, NULL, newskb->dev,
|
2012-06-12 10:16:35 +00:00
|
|
|
dev_loopback_xmit);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-04-26 00:54:47 +00:00
|
|
|
if (ipv6_hdr(skb)->hop_limit == 0) {
|
2008-10-08 17:54:51 +00:00
|
|
|
IP6_INC_STATS(dev_net(dev), idev,
|
|
|
|
|
IPSTATS_MIB_OUTDISCARDS);
|
2005-04-16 22:20:36 +00:00
|
|
|
kfree_skb(skb);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2009-04-27 09:45:02 +00:00
|
|
|
IP6_UPD_PO_STATS(dev_net(dev), idev, IPSTATS_MIB_OUTMCAST,
|
|
|
|
|
skb->len);
|
2013-02-10 02:33:35 +00:00
|
|
|
|
|
|
|
|
if (IPV6_ADDR_MC_SCOPE(&ipv6_hdr(skb)->daddr) <=
|
|
|
|
|
IPV6_ADDR_SCOPE_NODELOCAL &&
|
|
|
|
|
!(dev->flags & IFF_LOOPBACK)) {
|
|
|
|
|
kfree_skb(skb);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2013-01-17 12:54:00 +00:00
|
|
|
rcu_read_lock_bh();
|
2013-10-20 12:43:04 +00:00
|
|
|
nexthop = rt6_nexthop((struct rt6_info *)dst);
|
2013-01-17 12:54:00 +00:00
|
|
|
neigh = __ipv6_neigh_lookup_noref(dst->dev, nexthop);
|
|
|
|
|
if (unlikely(!neigh))
|
|
|
|
|
neigh = __neigh_create(&nd_tbl, nexthop, dst->dev, false);
|
|
|
|
|
if (!IS_ERR(neigh)) {
|
|
|
|
|
ret = dst_neigh_output(dst, neigh, skb);
|
|
|
|
|
rcu_read_unlock_bh();
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
rcu_read_unlock_bh();
|
2011-07-17 00:26:00 +00:00
|
|
|
|
2013-11-29 05:39:44 +00:00
|
|
|
IP6_INC_STATS(dev_net(dst->dev),
|
|
|
|
|
ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
|
2010-04-13 13:28:11 +00:00
|
|
|
kfree_skb(skb);
|
|
|
|
|
return -EINVAL;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2010-04-13 13:28:11 +00:00
|
|
|
static int ip6_finish_output(struct sk_buff *skb)
|
|
|
|
|
{
|
|
|
|
|
if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
|
2013-11-06 16:52:19 +00:00
|
|
|
dst_allfrag(skb_dst(skb)) ||
|
|
|
|
|
(IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size))
|
2010-04-13 13:28:11 +00:00
|
|
|
return ip6_fragment(skb, ip6_finish_output2);
|
|
|
|
|
else
|
|
|
|
|
return ip6_finish_output2(skb);
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
int ip6_output(struct sk_buff *skb)
|
|
|
|
|
{
|
2010-04-13 13:28:11 +00:00
|
|
|
struct net_device *dev = skb_dst(skb)->dev;
|
2009-06-02 05:19:30 +00:00
|
|
|
struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
|
2008-06-28 05:17:11 +00:00
|
|
|
if (unlikely(idev->cnf.disable_ipv6)) {
|
2010-04-13 13:28:11 +00:00
|
|
|
IP6_INC_STATS(dev_net(dev), idev,
|
2008-10-08 17:54:51 +00:00
|
|
|
IPSTATS_MIB_OUTDISCARDS);
|
2008-06-28 05:17:11 +00:00
|
|
|
kfree_skb(skb);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2010-04-13 13:32:16 +00:00
|
|
|
return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb, NULL, dev,
|
|
|
|
|
ip6_finish_output,
|
|
|
|
|
!(IP6CB(skb)->flags & IP6SKB_REROUTED));
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2010-04-15 16:48:48 +00:00
|
|
|
* xmit an sk_buff (used by TCP, SCTP and DCCP)
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
|
|
|
|
|
2011-03-12 21:22:43 +00:00
|
|
|
int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
|
2011-10-27 04:44:35 +00:00
|
|
|
struct ipv6_txoptions *opt, int tclass)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-10-08 17:54:51 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2006-03-23 09:17:25 +00:00
|
|
|
struct ipv6_pinfo *np = inet6_sk(sk);
|
2011-03-12 21:22:43 +00:00
|
|
|
struct in6_addr *first_hop = &fl6->daddr;
|
2009-06-02 05:19:30 +00:00
|
|
|
struct dst_entry *dst = skb_dst(skb);
|
ipv6: Check available headroom in ip6_xmit() even without options
[ Upstream commit 66033f47ca60294a95fc85ec3a3cc909dab7b765 ]
Even if we send an IPv6 packet without options, MAX_HEADER might not be
enough to account for the additional headroom required by alignment of
hardware headers.
On a configuration without HYPERV_NET, WLAN, AX25, and with IPV6_TUNNEL,
sending short SCTP packets over IPv4 over L2TP over IPv6, we start with
100 bytes of allocated headroom in sctp_packet_transmit(), end up with 54
bytes after l2tp_xmit_skb(), and 14 bytes in ip6_finish_output2().
Those would be enough to append our 14 bytes header, but we're going to
align that to 16 bytes, and write 2 bytes out of the allocated slab in
neigh_hh_output().
KASan says:
[ 264.967848] ==================================================================
[ 264.967861] BUG: KASAN: slab-out-of-bounds in ip6_finish_output2+0x1aec/0x1c70
[ 264.967866] Write of size 16 at addr 000000006af1c7fe by task netperf/6201
[ 264.967870]
[ 264.967876] CPU: 0 PID: 6201 Comm: netperf Not tainted 4.20.0-rc4+ #1
[ 264.967881] Hardware name: IBM 2827 H43 400 (z/VM 6.4.0)
[ 264.967887] Call Trace:
[ 264.967896] ([<00000000001347d6>] show_stack+0x56/0xa0)
[ 264.967903] [<00000000017e379c>] dump_stack+0x23c/0x290
[ 264.967912] [<00000000007bc594>] print_address_description+0xf4/0x290
[ 264.967919] [<00000000007bc8fc>] kasan_report+0x13c/0x240
[ 264.967927] [<000000000162f5e4>] ip6_finish_output2+0x1aec/0x1c70
[ 264.967935] [<000000000163f890>] ip6_finish_output+0x430/0x7f0
[ 264.967943] [<000000000163fe44>] ip6_output+0x1f4/0x580
[ 264.967953] [<000000000163882a>] ip6_xmit+0xfea/0x1ce8
[ 264.967963] [<00000000017396e2>] inet6_csk_xmit+0x282/0x3f8
[ 264.968033] [<000003ff805fb0ba>] l2tp_xmit_skb+0xe02/0x13e0 [l2tp_core]
[ 264.968037] [<000003ff80631192>] l2tp_eth_dev_xmit+0xda/0x150 [l2tp_eth]
[ 264.968041] [<0000000001220020>] dev_hard_start_xmit+0x268/0x928
[ 264.968069] [<0000000001330e8e>] sch_direct_xmit+0x7ae/0x1350
[ 264.968071] [<000000000122359c>] __dev_queue_xmit+0x2b7c/0x3478
[ 264.968075] [<00000000013d2862>] ip_finish_output2+0xce2/0x11a0
[ 264.968078] [<00000000013d9b14>] ip_finish_output+0x56c/0x8c8
[ 264.968081] [<00000000013ddd1e>] ip_output+0x226/0x4c0
[ 264.968083] [<00000000013dbd6c>] __ip_queue_xmit+0x894/0x1938
[ 264.968100] [<000003ff80bc3a5c>] sctp_packet_transmit+0x29d4/0x3648 [sctp]
[ 264.968116] [<000003ff80b7bf68>] sctp_outq_flush_ctrl.constprop.5+0x8d0/0xe50 [sctp]
[ 264.968131] [<000003ff80b7c716>] sctp_outq_flush+0x22e/0x7d8 [sctp]
[ 264.968146] [<000003ff80b35c68>] sctp_cmd_interpreter.isra.16+0x530/0x6800 [sctp]
[ 264.968161] [<000003ff80b3410a>] sctp_do_sm+0x222/0x648 [sctp]
[ 264.968177] [<000003ff80bbddac>] sctp_primitive_ASSOCIATE+0xbc/0xf8 [sctp]
[ 264.968192] [<000003ff80b93328>] __sctp_connect+0x830/0xc20 [sctp]
[ 264.968208] [<000003ff80bb11ce>] sctp_inet_connect+0x2e6/0x378 [sctp]
[ 264.968212] [<0000000001197942>] __sys_connect+0x21a/0x450
[ 264.968215] [<000000000119aff8>] sys_socketcall+0x3d0/0xb08
[ 264.968218] [<000000000184ea7a>] system_call+0x2a2/0x2c0
[...]
Just like ip_finish_output2() does for IPv4, check that we have enough
headroom in ip6_xmit(), and reallocate it if we don't.
This issue is older than git history.
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-12-06 18:30:36 +00:00
|
|
|
unsigned int head_room;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct ipv6hdr *hdr;
|
2011-03-12 21:22:43 +00:00
|
|
|
u8 proto = fl6->flowi6_proto;
|
2005-04-16 22:20:36 +00:00
|
|
|
int seg_len = skb->len;
|
2009-08-09 08:12:48 +00:00
|
|
|
int hlimit = -1;
|
2005-04-16 22:20:36 +00:00
|
|
|
u32 mtu;
|
|
|
|
|
|
ipv6: Check available headroom in ip6_xmit() even without options
[ Upstream commit 66033f47ca60294a95fc85ec3a3cc909dab7b765 ]
Even if we send an IPv6 packet without options, MAX_HEADER might not be
enough to account for the additional headroom required by alignment of
hardware headers.
On a configuration without HYPERV_NET, WLAN, AX25, and with IPV6_TUNNEL,
sending short SCTP packets over IPv4 over L2TP over IPv6, we start with
100 bytes of allocated headroom in sctp_packet_transmit(), end up with 54
bytes after l2tp_xmit_skb(), and 14 bytes in ip6_finish_output2().
Those would be enough to append our 14 bytes header, but we're going to
align that to 16 bytes, and write 2 bytes out of the allocated slab in
neigh_hh_output().
KASan says:
[ 264.967848] ==================================================================
[ 264.967861] BUG: KASAN: slab-out-of-bounds in ip6_finish_output2+0x1aec/0x1c70
[ 264.967866] Write of size 16 at addr 000000006af1c7fe by task netperf/6201
[ 264.967870]
[ 264.967876] CPU: 0 PID: 6201 Comm: netperf Not tainted 4.20.0-rc4+ #1
[ 264.967881] Hardware name: IBM 2827 H43 400 (z/VM 6.4.0)
[ 264.967887] Call Trace:
[ 264.967896] ([<00000000001347d6>] show_stack+0x56/0xa0)
[ 264.967903] [<00000000017e379c>] dump_stack+0x23c/0x290
[ 264.967912] [<00000000007bc594>] print_address_description+0xf4/0x290
[ 264.967919] [<00000000007bc8fc>] kasan_report+0x13c/0x240
[ 264.967927] [<000000000162f5e4>] ip6_finish_output2+0x1aec/0x1c70
[ 264.967935] [<000000000163f890>] ip6_finish_output+0x430/0x7f0
[ 264.967943] [<000000000163fe44>] ip6_output+0x1f4/0x580
[ 264.967953] [<000000000163882a>] ip6_xmit+0xfea/0x1ce8
[ 264.967963] [<00000000017396e2>] inet6_csk_xmit+0x282/0x3f8
[ 264.968033] [<000003ff805fb0ba>] l2tp_xmit_skb+0xe02/0x13e0 [l2tp_core]
[ 264.968037] [<000003ff80631192>] l2tp_eth_dev_xmit+0xda/0x150 [l2tp_eth]
[ 264.968041] [<0000000001220020>] dev_hard_start_xmit+0x268/0x928
[ 264.968069] [<0000000001330e8e>] sch_direct_xmit+0x7ae/0x1350
[ 264.968071] [<000000000122359c>] __dev_queue_xmit+0x2b7c/0x3478
[ 264.968075] [<00000000013d2862>] ip_finish_output2+0xce2/0x11a0
[ 264.968078] [<00000000013d9b14>] ip_finish_output+0x56c/0x8c8
[ 264.968081] [<00000000013ddd1e>] ip_output+0x226/0x4c0
[ 264.968083] [<00000000013dbd6c>] __ip_queue_xmit+0x894/0x1938
[ 264.968100] [<000003ff80bc3a5c>] sctp_packet_transmit+0x29d4/0x3648 [sctp]
[ 264.968116] [<000003ff80b7bf68>] sctp_outq_flush_ctrl.constprop.5+0x8d0/0xe50 [sctp]
[ 264.968131] [<000003ff80b7c716>] sctp_outq_flush+0x22e/0x7d8 [sctp]
[ 264.968146] [<000003ff80b35c68>] sctp_cmd_interpreter.isra.16+0x530/0x6800 [sctp]
[ 264.968161] [<000003ff80b3410a>] sctp_do_sm+0x222/0x648 [sctp]
[ 264.968177] [<000003ff80bbddac>] sctp_primitive_ASSOCIATE+0xbc/0xf8 [sctp]
[ 264.968192] [<000003ff80b93328>] __sctp_connect+0x830/0xc20 [sctp]
[ 264.968208] [<000003ff80bb11ce>] sctp_inet_connect+0x2e6/0x378 [sctp]
[ 264.968212] [<0000000001197942>] __sys_connect+0x21a/0x450
[ 264.968215] [<000000000119aff8>] sys_socketcall+0x3d0/0xb08
[ 264.968218] [<000000000184ea7a>] system_call+0x2a2/0x2c0
[...]
Just like ip_finish_output2() does for IPv4, check that we have enough
headroom in ip6_xmit(), and reallocate it if we don't.
This issue is older than git history.
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-12-06 18:30:36 +00:00
|
|
|
head_room = sizeof(struct ipv6hdr) + LL_RESERVED_SPACE(dst->dev);
|
|
|
|
|
if (opt)
|
|
|
|
|
head_room += opt->opt_nflen + opt->opt_flen;
|
|
|
|
|
|
|
|
|
|
if (unlikely(skb_headroom(skb) < head_room)) {
|
|
|
|
|
struct sk_buff *skb2 = skb_realloc_headroom(skb, head_room);
|
|
|
|
|
if (!skb2) {
|
|
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
|
|
|
|
|
IPSTATS_MIB_OUTDISCARDS);
|
|
|
|
|
kfree_skb(skb);
|
|
|
|
|
return -ENOBUFS;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
ipv6: Check available headroom in ip6_xmit() even without options
[ Upstream commit 66033f47ca60294a95fc85ec3a3cc909dab7b765 ]
Even if we send an IPv6 packet without options, MAX_HEADER might not be
enough to account for the additional headroom required by alignment of
hardware headers.
On a configuration without HYPERV_NET, WLAN, AX25, and with IPV6_TUNNEL,
sending short SCTP packets over IPv4 over L2TP over IPv6, we start with
100 bytes of allocated headroom in sctp_packet_transmit(), end up with 54
bytes after l2tp_xmit_skb(), and 14 bytes in ip6_finish_output2().
Those would be enough to append our 14 bytes header, but we're going to
align that to 16 bytes, and write 2 bytes out of the allocated slab in
neigh_hh_output().
KASan says:
[ 264.967848] ==================================================================
[ 264.967861] BUG: KASAN: slab-out-of-bounds in ip6_finish_output2+0x1aec/0x1c70
[ 264.967866] Write of size 16 at addr 000000006af1c7fe by task netperf/6201
[ 264.967870]
[ 264.967876] CPU: 0 PID: 6201 Comm: netperf Not tainted 4.20.0-rc4+ #1
[ 264.967881] Hardware name: IBM 2827 H43 400 (z/VM 6.4.0)
[ 264.967887] Call Trace:
[ 264.967896] ([<00000000001347d6>] show_stack+0x56/0xa0)
[ 264.967903] [<00000000017e379c>] dump_stack+0x23c/0x290
[ 264.967912] [<00000000007bc594>] print_address_description+0xf4/0x290
[ 264.967919] [<00000000007bc8fc>] kasan_report+0x13c/0x240
[ 264.967927] [<000000000162f5e4>] ip6_finish_output2+0x1aec/0x1c70
[ 264.967935] [<000000000163f890>] ip6_finish_output+0x430/0x7f0
[ 264.967943] [<000000000163fe44>] ip6_output+0x1f4/0x580
[ 264.967953] [<000000000163882a>] ip6_xmit+0xfea/0x1ce8
[ 264.967963] [<00000000017396e2>] inet6_csk_xmit+0x282/0x3f8
[ 264.968033] [<000003ff805fb0ba>] l2tp_xmit_skb+0xe02/0x13e0 [l2tp_core]
[ 264.968037] [<000003ff80631192>] l2tp_eth_dev_xmit+0xda/0x150 [l2tp_eth]
[ 264.968041] [<0000000001220020>] dev_hard_start_xmit+0x268/0x928
[ 264.968069] [<0000000001330e8e>] sch_direct_xmit+0x7ae/0x1350
[ 264.968071] [<000000000122359c>] __dev_queue_xmit+0x2b7c/0x3478
[ 264.968075] [<00000000013d2862>] ip_finish_output2+0xce2/0x11a0
[ 264.968078] [<00000000013d9b14>] ip_finish_output+0x56c/0x8c8
[ 264.968081] [<00000000013ddd1e>] ip_output+0x226/0x4c0
[ 264.968083] [<00000000013dbd6c>] __ip_queue_xmit+0x894/0x1938
[ 264.968100] [<000003ff80bc3a5c>] sctp_packet_transmit+0x29d4/0x3648 [sctp]
[ 264.968116] [<000003ff80b7bf68>] sctp_outq_flush_ctrl.constprop.5+0x8d0/0xe50 [sctp]
[ 264.968131] [<000003ff80b7c716>] sctp_outq_flush+0x22e/0x7d8 [sctp]
[ 264.968146] [<000003ff80b35c68>] sctp_cmd_interpreter.isra.16+0x530/0x6800 [sctp]
[ 264.968161] [<000003ff80b3410a>] sctp_do_sm+0x222/0x648 [sctp]
[ 264.968177] [<000003ff80bbddac>] sctp_primitive_ASSOCIATE+0xbc/0xf8 [sctp]
[ 264.968192] [<000003ff80b93328>] __sctp_connect+0x830/0xc20 [sctp]
[ 264.968208] [<000003ff80bb11ce>] sctp_inet_connect+0x2e6/0x378 [sctp]
[ 264.968212] [<0000000001197942>] __sys_connect+0x21a/0x450
[ 264.968215] [<000000000119aff8>] sys_socketcall+0x3d0/0xb08
[ 264.968218] [<000000000184ea7a>] system_call+0x2a2/0x2c0
[...]
Just like ip_finish_output2() does for IPv4, check that we have enough
headroom in ip6_xmit(), and reallocate it if we don't.
This issue is older than git history.
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-12-06 18:30:36 +00:00
|
|
|
if (skb->sk)
|
|
|
|
|
skb_set_owner_w(skb2, skb->sk);
|
|
|
|
|
consume_skb(skb);
|
|
|
|
|
skb = skb2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (opt) {
|
|
|
|
|
seg_len += opt->opt_nflen + opt->opt_flen;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (opt->opt_flen)
|
|
|
|
|
ipv6_push_frag_opts(skb, opt, &proto);
|
ipv6: Check available headroom in ip6_xmit() even without options
[ Upstream commit 66033f47ca60294a95fc85ec3a3cc909dab7b765 ]
Even if we send an IPv6 packet without options, MAX_HEADER might not be
enough to account for the additional headroom required by alignment of
hardware headers.
On a configuration without HYPERV_NET, WLAN, AX25, and with IPV6_TUNNEL,
sending short SCTP packets over IPv4 over L2TP over IPv6, we start with
100 bytes of allocated headroom in sctp_packet_transmit(), end up with 54
bytes after l2tp_xmit_skb(), and 14 bytes in ip6_finish_output2().
Those would be enough to append our 14 bytes header, but we're going to
align that to 16 bytes, and write 2 bytes out of the allocated slab in
neigh_hh_output().
KASan says:
[ 264.967848] ==================================================================
[ 264.967861] BUG: KASAN: slab-out-of-bounds in ip6_finish_output2+0x1aec/0x1c70
[ 264.967866] Write of size 16 at addr 000000006af1c7fe by task netperf/6201
[ 264.967870]
[ 264.967876] CPU: 0 PID: 6201 Comm: netperf Not tainted 4.20.0-rc4+ #1
[ 264.967881] Hardware name: IBM 2827 H43 400 (z/VM 6.4.0)
[ 264.967887] Call Trace:
[ 264.967896] ([<00000000001347d6>] show_stack+0x56/0xa0)
[ 264.967903] [<00000000017e379c>] dump_stack+0x23c/0x290
[ 264.967912] [<00000000007bc594>] print_address_description+0xf4/0x290
[ 264.967919] [<00000000007bc8fc>] kasan_report+0x13c/0x240
[ 264.967927] [<000000000162f5e4>] ip6_finish_output2+0x1aec/0x1c70
[ 264.967935] [<000000000163f890>] ip6_finish_output+0x430/0x7f0
[ 264.967943] [<000000000163fe44>] ip6_output+0x1f4/0x580
[ 264.967953] [<000000000163882a>] ip6_xmit+0xfea/0x1ce8
[ 264.967963] [<00000000017396e2>] inet6_csk_xmit+0x282/0x3f8
[ 264.968033] [<000003ff805fb0ba>] l2tp_xmit_skb+0xe02/0x13e0 [l2tp_core]
[ 264.968037] [<000003ff80631192>] l2tp_eth_dev_xmit+0xda/0x150 [l2tp_eth]
[ 264.968041] [<0000000001220020>] dev_hard_start_xmit+0x268/0x928
[ 264.968069] [<0000000001330e8e>] sch_direct_xmit+0x7ae/0x1350
[ 264.968071] [<000000000122359c>] __dev_queue_xmit+0x2b7c/0x3478
[ 264.968075] [<00000000013d2862>] ip_finish_output2+0xce2/0x11a0
[ 264.968078] [<00000000013d9b14>] ip_finish_output+0x56c/0x8c8
[ 264.968081] [<00000000013ddd1e>] ip_output+0x226/0x4c0
[ 264.968083] [<00000000013dbd6c>] __ip_queue_xmit+0x894/0x1938
[ 264.968100] [<000003ff80bc3a5c>] sctp_packet_transmit+0x29d4/0x3648 [sctp]
[ 264.968116] [<000003ff80b7bf68>] sctp_outq_flush_ctrl.constprop.5+0x8d0/0xe50 [sctp]
[ 264.968131] [<000003ff80b7c716>] sctp_outq_flush+0x22e/0x7d8 [sctp]
[ 264.968146] [<000003ff80b35c68>] sctp_cmd_interpreter.isra.16+0x530/0x6800 [sctp]
[ 264.968161] [<000003ff80b3410a>] sctp_do_sm+0x222/0x648 [sctp]
[ 264.968177] [<000003ff80bbddac>] sctp_primitive_ASSOCIATE+0xbc/0xf8 [sctp]
[ 264.968192] [<000003ff80b93328>] __sctp_connect+0x830/0xc20 [sctp]
[ 264.968208] [<000003ff80bb11ce>] sctp_inet_connect+0x2e6/0x378 [sctp]
[ 264.968212] [<0000000001197942>] __sys_connect+0x21a/0x450
[ 264.968215] [<000000000119aff8>] sys_socketcall+0x3d0/0xb08
[ 264.968218] [<000000000184ea7a>] system_call+0x2a2/0x2c0
[...]
Just like ip_finish_output2() does for IPv4, check that we have enough
headroom in ip6_xmit(), and reallocate it if we don't.
This issue is older than git history.
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-12-06 18:30:36 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (opt->opt_nflen)
|
|
|
|
|
ipv6_push_nfrag_opts(skb, opt, &proto, &first_hop);
|
|
|
|
|
}
|
|
|
|
|
|
2007-04-11 03:46:21 +00:00
|
|
|
skb_push(skb, sizeof(struct ipv6hdr));
|
|
|
|
|
skb_reset_network_header(skb);
|
2007-04-26 00:54:47 +00:00
|
|
|
hdr = ipv6_hdr(skb);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Fill in the IPv6 header
|
|
|
|
|
*/
|
2011-10-27 04:44:35 +00:00
|
|
|
if (np)
|
2005-04-16 22:20:36 +00:00
|
|
|
hlimit = np->hop_limit;
|
|
|
|
|
if (hlimit < 0)
|
2008-03-10 10:00:30 +00:00
|
|
|
hlimit = ip6_dst_hoplimit(dst);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2013-01-13 05:01:39 +00:00
|
|
|
ip6_flow_hdr(hdr, tclass, fl6->flowlabel);
|
2005-09-08 01:19:03 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
hdr->payload_len = htons(seg_len);
|
|
|
|
|
hdr->nexthdr = proto;
|
|
|
|
|
hdr->hop_limit = hlimit;
|
|
|
|
|
|
2011-11-21 03:39:03 +00:00
|
|
|
hdr->saddr = fl6->saddr;
|
|
|
|
|
hdr->daddr = *first_hop;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-01-09 06:37:26 +00:00
|
|
|
skb->priority = sk->sk_priority;
|
2008-01-31 03:08:16 +00:00
|
|
|
skb->mark = sk->sk_mark;
|
2006-01-09 06:37:26 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
mtu = dst_mtu(dst);
|
2008-08-04 04:15:59 +00:00
|
|
|
if ((skb->len <= mtu) || skb->local_df || skb_is_gso(skb)) {
|
2009-06-02 05:19:30 +00:00
|
|
|
IP6_UPD_PO_STATS(net, ip6_dst_idev(skb_dst(skb)),
|
2009-04-27 09:45:02 +00:00
|
|
|
IPSTATS_MIB_OUT, skb->len);
|
2010-03-23 03:09:07 +00:00
|
|
|
return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
|
|
|
|
|
dst->dev, dst_output);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
skb->dev = dst->dev;
|
2013-02-05 01:48:05 +00:00
|
|
|
ipv6_local_error(sk, EMSGSIZE, fl6, mtu);
|
2009-06-02 05:19:30 +00:00
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_FRAGFAILS);
|
2005-04-16 22:20:36 +00:00
|
|
|
kfree_skb(skb);
|
|
|
|
|
return -EMSGSIZE;
|
|
|
|
|
}
|
|
|
|
|
|
2007-02-22 13:05:40 +00:00
|
|
|
EXPORT_SYMBOL(ip6_xmit);
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static int ip6_call_ra_chain(struct sk_buff *skb, int sel)
|
|
|
|
|
{
|
|
|
|
|
struct ip6_ra_chain *ra;
|
|
|
|
|
struct sock *last = NULL;
|
|
|
|
|
|
|
|
|
|
read_lock(&ip6_ra_lock);
|
|
|
|
|
for (ra = ip6_ra_chain; ra; ra = ra->next) {
|
|
|
|
|
struct sock *sk = ra->sk;
|
2005-08-10 02:44:42 +00:00
|
|
|
if (sk && ra->sel == sel &&
|
|
|
|
|
(!sk->sk_bound_dev_if ||
|
|
|
|
|
sk->sk_bound_dev_if == skb->dev->ifindex)) {
|
2005-04-16 22:20:36 +00:00
|
|
|
if (last) {
|
|
|
|
|
struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
|
|
|
|
|
if (skb2)
|
|
|
|
|
rawv6_rcv(last, skb2);
|
|
|
|
|
}
|
|
|
|
|
last = sk;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (last) {
|
|
|
|
|
rawv6_rcv(last, skb);
|
|
|
|
|
read_unlock(&ip6_ra_lock);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
read_unlock(&ip6_ra_lock);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2006-09-22 21:41:44 +00:00
|
|
|
static int ip6_forward_proxy_check(struct sk_buff *skb)
|
|
|
|
|
{
|
2007-04-26 00:54:47 +00:00
|
|
|
struct ipv6hdr *hdr = ipv6_hdr(skb);
|
2006-09-22 21:41:44 +00:00
|
|
|
u8 nexthdr = hdr->nexthdr;
|
2011-12-01 01:05:51 +00:00
|
|
|
__be16 frag_off;
|
2006-09-22 21:41:44 +00:00
|
|
|
int offset;
|
|
|
|
|
|
|
|
|
|
if (ipv6_ext_hdr(nexthdr)) {
|
2011-12-01 01:05:51 +00:00
|
|
|
offset = ipv6_skip_exthdr(skb, sizeof(*hdr), &nexthdr, &frag_off);
|
2006-09-22 21:41:44 +00:00
|
|
|
if (offset < 0)
|
|
|
|
|
return 0;
|
|
|
|
|
} else
|
|
|
|
|
offset = sizeof(struct ipv6hdr);
|
|
|
|
|
|
|
|
|
|
if (nexthdr == IPPROTO_ICMPV6) {
|
|
|
|
|
struct icmp6hdr *icmp6;
|
|
|
|
|
|
2007-04-11 03:50:43 +00:00
|
|
|
if (!pskb_may_pull(skb, (skb_network_header(skb) +
|
|
|
|
|
offset + 1 - skb->data)))
|
2006-09-22 21:41:44 +00:00
|
|
|
return 0;
|
|
|
|
|
|
2007-04-11 03:50:43 +00:00
|
|
|
icmp6 = (struct icmp6hdr *)(skb_network_header(skb) + offset);
|
2006-09-22 21:41:44 +00:00
|
|
|
|
|
|
|
|
switch (icmp6->icmp6_type) {
|
|
|
|
|
case NDISC_ROUTER_SOLICITATION:
|
|
|
|
|
case NDISC_ROUTER_ADVERTISEMENT:
|
|
|
|
|
case NDISC_NEIGHBOUR_SOLICITATION:
|
|
|
|
|
case NDISC_NEIGHBOUR_ADVERTISEMENT:
|
|
|
|
|
case NDISC_REDIRECT:
|
|
|
|
|
/* For reaction involving unicast neighbor discovery
|
|
|
|
|
* message destined to the proxied address, pass it to
|
|
|
|
|
* input function.
|
|
|
|
|
*/
|
|
|
|
|
return 1;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2006-09-22 21:42:18 +00:00
|
|
|
/*
|
|
|
|
|
* The proxying router can't forward traffic sent to a link-local
|
|
|
|
|
* address, so signal the sender and discard the packet. This
|
|
|
|
|
* behavior is clarified by the MIPv6 specification.
|
|
|
|
|
*/
|
|
|
|
|
if (ipv6_addr_type(&hdr->daddr) & IPV6_ADDR_LINKLOCAL) {
|
|
|
|
|
dst_link_failure(skb);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
2006-09-22 21:41:44 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static inline int ip6_forward_finish(struct sk_buff *skb)
|
|
|
|
|
{
|
|
|
|
|
return dst_output(skb);
|
|
|
|
|
}
|
|
|
|
|
|
net: ip, ipv6: handle gso skbs in forwarding path
commit fe6cc55f3a9a053482a76f5a6b2257cee51b4663 upstream.
Marcelo Ricardo Leitner reported problems when the forwarding link path
has a lower mtu than the incoming one if the inbound interface supports GRO.
Given:
Host <mtu1500> R1 <mtu1200> R2
Host sends tcp stream which is routed via R1 and R2. R1 performs GRO.
In this case, the kernel will fail to send ICMP fragmentation needed
messages (or pkt too big for ipv6), as GSO packets currently bypass dstmtu
checks in forward path. Instead, Linux tries to send out packets exceeding
the mtu.
When locking route MTU on Host (i.e., no ipv4 DF bit set), R1 does
not fragment the packets when forwarding, and again tries to send out
packets exceeding R1-R2 link mtu.
This alters the forwarding dstmtu checks to take the individual gso
segment lengths into account.
For ipv6, we send out pkt too big error for gso if the individual
segments are too big.
For ipv4, we either send icmp fragmentation needed, or, if the DF bit
is not set, perform software segmentation and let the output path
create fragments when the packet is leaving the machine.
It is not 100% correct as the error message will contain the headers of
the GRO skb instead of the original/segmented one, but it seems to
work fine in my (limited) tests.
Eric Dumazet suggested to simply shrink mss via ->gso_size to avoid
sofware segmentation.
However it turns out that skb_segment() assumes skb nr_frags is related
to mss size so we would BUG there. I don't want to mess with it considering
Herbert and Eric disagree on what the correct behavior should be.
Hannes Frederic Sowa notes that when we would shrink gso_size
skb_segment would then also need to deal with the case where
SKB_MAX_FRAGS would be exceeded.
This uses sofware segmentation in the forward path when we hit ipv4
non-DF packets and the outgoing link mtu is too small. Its not perfect,
but given the lack of bug reports wrt. GRO fwd being broken this is a
rare case anyway. Also its not like this could not be improved later
once the dust settles.
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Reported-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-22 09:30:19 +00:00
|
|
|
static bool ip6_pkt_too_big(const struct sk_buff *skb, unsigned int mtu)
|
|
|
|
|
{
|
2014-05-04 22:03:34 +00:00
|
|
|
if (skb->len <= mtu)
|
net: ip, ipv6: handle gso skbs in forwarding path
commit fe6cc55f3a9a053482a76f5a6b2257cee51b4663 upstream.
Marcelo Ricardo Leitner reported problems when the forwarding link path
has a lower mtu than the incoming one if the inbound interface supports GRO.
Given:
Host <mtu1500> R1 <mtu1200> R2
Host sends tcp stream which is routed via R1 and R2. R1 performs GRO.
In this case, the kernel will fail to send ICMP fragmentation needed
messages (or pkt too big for ipv6), as GSO packets currently bypass dstmtu
checks in forward path. Instead, Linux tries to send out packets exceeding
the mtu.
When locking route MTU on Host (i.e., no ipv4 DF bit set), R1 does
not fragment the packets when forwarding, and again tries to send out
packets exceeding R1-R2 link mtu.
This alters the forwarding dstmtu checks to take the individual gso
segment lengths into account.
For ipv6, we send out pkt too big error for gso if the individual
segments are too big.
For ipv4, we either send icmp fragmentation needed, or, if the DF bit
is not set, perform software segmentation and let the output path
create fragments when the packet is leaving the machine.
It is not 100% correct as the error message will contain the headers of
the GRO skb instead of the original/segmented one, but it seems to
work fine in my (limited) tests.
Eric Dumazet suggested to simply shrink mss via ->gso_size to avoid
sofware segmentation.
However it turns out that skb_segment() assumes skb nr_frags is related
to mss size so we would BUG there. I don't want to mess with it considering
Herbert and Eric disagree on what the correct behavior should be.
Hannes Frederic Sowa notes that when we would shrink gso_size
skb_segment would then also need to deal with the case where
SKB_MAX_FRAGS would be exceeded.
This uses sofware segmentation in the forward path when we hit ipv4
non-DF packets and the outgoing link mtu is too small. Its not perfect,
but given the lack of bug reports wrt. GRO fwd being broken this is a
rare case anyway. Also its not like this could not be improved later
once the dust settles.
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Reported-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-22 09:30:19 +00:00
|
|
|
return false;
|
|
|
|
|
|
2014-05-04 22:03:34 +00:00
|
|
|
/* ipv6 conntrack defrag sets max_frag_size + local_df */
|
net: ip, ipv6: handle gso skbs in forwarding path
commit fe6cc55f3a9a053482a76f5a6b2257cee51b4663 upstream.
Marcelo Ricardo Leitner reported problems when the forwarding link path
has a lower mtu than the incoming one if the inbound interface supports GRO.
Given:
Host <mtu1500> R1 <mtu1200> R2
Host sends tcp stream which is routed via R1 and R2. R1 performs GRO.
In this case, the kernel will fail to send ICMP fragmentation needed
messages (or pkt too big for ipv6), as GSO packets currently bypass dstmtu
checks in forward path. Instead, Linux tries to send out packets exceeding
the mtu.
When locking route MTU on Host (i.e., no ipv4 DF bit set), R1 does
not fragment the packets when forwarding, and again tries to send out
packets exceeding R1-R2 link mtu.
This alters the forwarding dstmtu checks to take the individual gso
segment lengths into account.
For ipv6, we send out pkt too big error for gso if the individual
segments are too big.
For ipv4, we either send icmp fragmentation needed, or, if the DF bit
is not set, perform software segmentation and let the output path
create fragments when the packet is leaving the machine.
It is not 100% correct as the error message will contain the headers of
the GRO skb instead of the original/segmented one, but it seems to
work fine in my (limited) tests.
Eric Dumazet suggested to simply shrink mss via ->gso_size to avoid
sofware segmentation.
However it turns out that skb_segment() assumes skb nr_frags is related
to mss size so we would BUG there. I don't want to mess with it considering
Herbert and Eric disagree on what the correct behavior should be.
Hannes Frederic Sowa notes that when we would shrink gso_size
skb_segment would then also need to deal with the case where
SKB_MAX_FRAGS would be exceeded.
This uses sofware segmentation in the forward path when we hit ipv4
non-DF packets and the outgoing link mtu is too small. Its not perfect,
but given the lack of bug reports wrt. GRO fwd being broken this is a
rare case anyway. Also its not like this could not be improved later
once the dust settles.
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Reported-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-22 09:30:19 +00:00
|
|
|
if (IP6CB(skb)->frag_max_size && IP6CB(skb)->frag_max_size > mtu)
|
|
|
|
|
return true;
|
|
|
|
|
|
2014-05-04 22:03:34 +00:00
|
|
|
if (skb->local_df)
|
|
|
|
|
return false;
|
|
|
|
|
|
net: ip, ipv6: handle gso skbs in forwarding path
commit fe6cc55f3a9a053482a76f5a6b2257cee51b4663 upstream.
Marcelo Ricardo Leitner reported problems when the forwarding link path
has a lower mtu than the incoming one if the inbound interface supports GRO.
Given:
Host <mtu1500> R1 <mtu1200> R2
Host sends tcp stream which is routed via R1 and R2. R1 performs GRO.
In this case, the kernel will fail to send ICMP fragmentation needed
messages (or pkt too big for ipv6), as GSO packets currently bypass dstmtu
checks in forward path. Instead, Linux tries to send out packets exceeding
the mtu.
When locking route MTU on Host (i.e., no ipv4 DF bit set), R1 does
not fragment the packets when forwarding, and again tries to send out
packets exceeding R1-R2 link mtu.
This alters the forwarding dstmtu checks to take the individual gso
segment lengths into account.
For ipv6, we send out pkt too big error for gso if the individual
segments are too big.
For ipv4, we either send icmp fragmentation needed, or, if the DF bit
is not set, perform software segmentation and let the output path
create fragments when the packet is leaving the machine.
It is not 100% correct as the error message will contain the headers of
the GRO skb instead of the original/segmented one, but it seems to
work fine in my (limited) tests.
Eric Dumazet suggested to simply shrink mss via ->gso_size to avoid
sofware segmentation.
However it turns out that skb_segment() assumes skb nr_frags is related
to mss size so we would BUG there. I don't want to mess with it considering
Herbert and Eric disagree on what the correct behavior should be.
Hannes Frederic Sowa notes that when we would shrink gso_size
skb_segment would then also need to deal with the case where
SKB_MAX_FRAGS would be exceeded.
This uses sofware segmentation in the forward path when we hit ipv4
non-DF packets and the outgoing link mtu is too small. Its not perfect,
but given the lack of bug reports wrt. GRO fwd being broken this is a
rare case anyway. Also its not like this could not be improved later
once the dust settles.
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Reported-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-22 09:30:19 +00:00
|
|
|
if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
int ip6_forward(struct sk_buff *skb)
|
|
|
|
|
{
|
2009-06-02 05:19:30 +00:00
|
|
|
struct dst_entry *dst = skb_dst(skb);
|
2007-04-26 00:54:47 +00:00
|
|
|
struct ipv6hdr *hdr = ipv6_hdr(skb);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct inet6_skb_parm *opt = IP6CB(skb);
|
2008-03-25 12:47:49 +00:00
|
|
|
struct net *net = dev_net(dst->dev);
|
2010-02-26 12:34:49 +00:00
|
|
|
u32 mtu;
|
2007-02-09 14:24:49 +00:00
|
|
|
|
2008-07-20 05:35:03 +00:00
|
|
|
if (net->ipv6.devconf_all->forwarding == 0)
|
2005-04-16 22:20:36 +00:00
|
|
|
goto error;
|
|
|
|
|
|
2008-06-19 23:22:28 +00:00
|
|
|
if (skb_warn_if_lro(skb))
|
|
|
|
|
goto drop;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
|
2008-10-08 17:54:51 +00:00
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_INDISCARDS);
|
2005-04-16 22:20:36 +00:00
|
|
|
goto drop;
|
|
|
|
|
}
|
|
|
|
|
|
2011-01-12 08:34:08 +00:00
|
|
|
if (skb->pkt_type != PACKET_HOST)
|
|
|
|
|
goto drop;
|
|
|
|
|
|
2007-03-27 06:22:20 +00:00
|
|
|
skb_forward_csum(skb);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We DO NOT make any processing on
|
|
|
|
|
* RA packets, pushing them to user level AS IS
|
|
|
|
|
* without ane WARRANTY that application will be able
|
|
|
|
|
* to interpret them. The reason is that we
|
|
|
|
|
* cannot make anything clever here.
|
|
|
|
|
*
|
|
|
|
|
* We are not end-node, so that if packet contains
|
|
|
|
|
* AH/ESP, we cannot make anything.
|
|
|
|
|
* Defragmentation also would be mistake, RA packets
|
|
|
|
|
* cannot be fragmented, because there is no warranty
|
|
|
|
|
* that different fragments will go along one path. --ANK
|
|
|
|
|
*/
|
2013-06-22 02:13:13 +00:00
|
|
|
if (unlikely(opt->flags & IP6SKB_ROUTERALERT)) {
|
|
|
|
|
if (ip6_call_ra_chain(skb, ntohs(opt->ra)))
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* check and decrement ttl
|
|
|
|
|
*/
|
|
|
|
|
if (hdr->hop_limit <= 1) {
|
|
|
|
|
/* Force OUTPUT device used as source address */
|
|
|
|
|
skb->dev = dst->dev;
|
2010-02-18 08:25:24 +00:00
|
|
|
icmpv6_send(skb, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT, 0);
|
2008-10-08 18:09:27 +00:00
|
|
|
IP6_INC_STATS_BH(net,
|
|
|
|
|
ip6_dst_idev(dst), IPSTATS_MIB_INHDRERRORS);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
kfree_skb(skb);
|
|
|
|
|
return -ETIMEDOUT;
|
|
|
|
|
}
|
|
|
|
|
|
2006-09-22 21:43:49 +00:00
|
|
|
/* XXX: idev->cnf.proxy_ndp? */
|
2011-05-26 06:19:11 +00:00
|
|
|
if ((net->ipv6.devconf_all->proxy_ndp == 1 &&
|
|
|
|
|
pneigh_lookup(&nd_tbl, net, &hdr->daddr, skb->dev, 0))
|
|
|
|
|
|| net->ipv6.devconf_all->proxy_ndp >= 2) {
|
2006-09-22 21:42:18 +00:00
|
|
|
int proxied = ip6_forward_proxy_check(skb);
|
|
|
|
|
if (proxied > 0)
|
2006-09-22 21:41:44 +00:00
|
|
|
return ip6_input(skb);
|
2006-09-22 21:42:18 +00:00
|
|
|
else if (proxied < 0) {
|
2008-10-08 17:54:51 +00:00
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(dst),
|
|
|
|
|
IPSTATS_MIB_INDISCARDS);
|
2006-09-22 21:42:18 +00:00
|
|
|
goto drop;
|
|
|
|
|
}
|
2006-09-22 21:41:44 +00:00
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!xfrm6_route_forward(skb)) {
|
2008-10-08 17:54:51 +00:00
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_INDISCARDS);
|
2005-04-16 22:20:36 +00:00
|
|
|
goto drop;
|
|
|
|
|
}
|
2009-06-02 05:19:30 +00:00
|
|
|
dst = skb_dst(skb);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
/* IPv6 specs say nothing about it, but it is clear that we cannot
|
|
|
|
|
send redirects to source routed frames.
|
2007-08-24 10:08:55 +00:00
|
|
|
We don't send redirects to frames decapsulated from IPsec.
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
2012-01-27 23:32:19 +00:00
|
|
|
if (skb->dev == dst->dev && opt->srcrt == 0 && !skb_sec_path(skb)) {
|
2005-04-16 22:20:36 +00:00
|
|
|
struct in6_addr *target = NULL;
|
2012-06-09 06:24:18 +00:00
|
|
|
struct inet_peer *peer;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct rt6_info *rt;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* incoming and outgoing devices are the same
|
|
|
|
|
* send a redirect.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
rt = (struct rt6_info *) dst;
|
2012-01-27 23:32:19 +00:00
|
|
|
if (rt->rt6i_flags & RTF_GATEWAY)
|
|
|
|
|
target = &rt->rt6i_gateway;
|
2005-04-16 22:20:36 +00:00
|
|
|
else
|
|
|
|
|
target = &hdr->daddr;
|
|
|
|
|
|
2012-07-10 10:58:16 +00:00
|
|
|
peer = inet_getpeer_v6(net->ipv6.peers, &rt->rt6i_dst.addr, 1);
|
2011-02-04 23:55:25 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* Limit redirects both by destination (here)
|
|
|
|
|
and by source (inside ndisc_send_redirect)
|
|
|
|
|
*/
|
2012-06-09 06:24:18 +00:00
|
|
|
if (inet_peer_xrlim_allow(peer, 1*HZ))
|
2012-01-27 23:30:48 +00:00
|
|
|
ndisc_send_redirect(skb, target);
|
2012-07-10 10:58:16 +00:00
|
|
|
if (peer)
|
|
|
|
|
inet_putpeer(peer);
|
2007-05-09 20:53:44 +00:00
|
|
|
} else {
|
|
|
|
|
int addrtype = ipv6_addr_type(&hdr->saddr);
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* This check is security critical. */
|
2008-06-25 07:55:26 +00:00
|
|
|
if (addrtype == IPV6_ADDR_ANY ||
|
|
|
|
|
addrtype & (IPV6_ADDR_MULTICAST | IPV6_ADDR_LOOPBACK))
|
2007-05-09 20:53:44 +00:00
|
|
|
goto error;
|
|
|
|
|
if (addrtype & IPV6_ADDR_LINKLOCAL) {
|
|
|
|
|
icmpv6_send(skb, ICMPV6_DEST_UNREACH,
|
2010-02-18 08:25:24 +00:00
|
|
|
ICMPV6_NOT_NEIGHBOUR, 0);
|
2007-05-09 20:53:44 +00:00
|
|
|
goto error;
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2010-02-26 12:34:49 +00:00
|
|
|
mtu = dst_mtu(dst);
|
|
|
|
|
if (mtu < IPV6_MIN_MTU)
|
|
|
|
|
mtu = IPV6_MIN_MTU;
|
|
|
|
|
|
net: ip, ipv6: handle gso skbs in forwarding path
commit fe6cc55f3a9a053482a76f5a6b2257cee51b4663 upstream.
Marcelo Ricardo Leitner reported problems when the forwarding link path
has a lower mtu than the incoming one if the inbound interface supports GRO.
Given:
Host <mtu1500> R1 <mtu1200> R2
Host sends tcp stream which is routed via R1 and R2. R1 performs GRO.
In this case, the kernel will fail to send ICMP fragmentation needed
messages (or pkt too big for ipv6), as GSO packets currently bypass dstmtu
checks in forward path. Instead, Linux tries to send out packets exceeding
the mtu.
When locking route MTU on Host (i.e., no ipv4 DF bit set), R1 does
not fragment the packets when forwarding, and again tries to send out
packets exceeding R1-R2 link mtu.
This alters the forwarding dstmtu checks to take the individual gso
segment lengths into account.
For ipv6, we send out pkt too big error for gso if the individual
segments are too big.
For ipv4, we either send icmp fragmentation needed, or, if the DF bit
is not set, perform software segmentation and let the output path
create fragments when the packet is leaving the machine.
It is not 100% correct as the error message will contain the headers of
the GRO skb instead of the original/segmented one, but it seems to
work fine in my (limited) tests.
Eric Dumazet suggested to simply shrink mss via ->gso_size to avoid
sofware segmentation.
However it turns out that skb_segment() assumes skb nr_frags is related
to mss size so we would BUG there. I don't want to mess with it considering
Herbert and Eric disagree on what the correct behavior should be.
Hannes Frederic Sowa notes that when we would shrink gso_size
skb_segment would then also need to deal with the case where
SKB_MAX_FRAGS would be exceeded.
This uses sofware segmentation in the forward path when we hit ipv4
non-DF packets and the outgoing link mtu is too small. Its not perfect,
but given the lack of bug reports wrt. GRO fwd being broken this is a
rare case anyway. Also its not like this could not be improved later
once the dust settles.
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Reported-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-22 09:30:19 +00:00
|
|
|
if (ip6_pkt_too_big(skb, mtu)) {
|
2005-04-16 22:20:36 +00:00
|
|
|
/* Again, force OUTPUT device used as source address */
|
|
|
|
|
skb->dev = dst->dev;
|
2010-02-26 12:34:49 +00:00
|
|
|
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
|
2008-10-08 18:09:27 +00:00
|
|
|
IP6_INC_STATS_BH(net,
|
|
|
|
|
ip6_dst_idev(dst), IPSTATS_MIB_INTOOBIGERRORS);
|
|
|
|
|
IP6_INC_STATS_BH(net,
|
|
|
|
|
ip6_dst_idev(dst), IPSTATS_MIB_FRAGFAILS);
|
2005-04-16 22:20:36 +00:00
|
|
|
kfree_skb(skb);
|
|
|
|
|
return -EMSGSIZE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (skb_cow(skb, dst->dev->hard_header_len)) {
|
2008-10-08 17:54:51 +00:00
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTDISCARDS);
|
2005-04-16 22:20:36 +00:00
|
|
|
goto drop;
|
|
|
|
|
}
|
|
|
|
|
|
2007-04-26 00:54:47 +00:00
|
|
|
hdr = ipv6_hdr(skb);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
/* Mangling hops number delayed to point after skb COW */
|
2007-02-09 14:24:49 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
hdr->hop_limit--;
|
|
|
|
|
|
2008-10-08 18:09:27 +00:00
|
|
|
IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
|
2012-06-05 03:41:42 +00:00
|
|
|
IP6_ADD_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len);
|
2010-03-23 03:09:07 +00:00
|
|
|
return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD, skb, skb->dev, dst->dev,
|
2007-11-20 02:53:30 +00:00
|
|
|
ip6_forward_finish);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
error:
|
2008-10-08 18:09:27 +00:00
|
|
|
IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_INADDRERRORS);
|
2005-04-16 22:20:36 +00:00
|
|
|
drop:
|
|
|
|
|
kfree_skb(skb);
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
|
|
|
|
|
{
|
|
|
|
|
to->pkt_type = from->pkt_type;
|
|
|
|
|
to->priority = from->priority;
|
|
|
|
|
to->protocol = from->protocol;
|
2009-06-02 05:19:30 +00:00
|
|
|
skb_dst_drop(to);
|
|
|
|
|
skb_dst_set(to, dst_clone(skb_dst(from)));
|
2005-04-16 22:20:36 +00:00
|
|
|
to->dev = from->dev;
|
2006-11-09 23:19:14 +00:00
|
|
|
to->mark = from->mark;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
#ifdef CONFIG_NET_SCHED
|
|
|
|
|
to->tc_index = from->tc_index;
|
|
|
|
|
#endif
|
2007-03-14 23:44:01 +00:00
|
|
|
nf_copy(to, from);
|
2012-10-29 16:23:10 +00:00
|
|
|
#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
|
2007-07-08 05:21:23 +00:00
|
|
|
to->nf_trace = from->nf_trace;
|
|
|
|
|
#endif
|
2006-06-09 07:29:17 +00:00
|
|
|
skb_copy_secmark(to, from);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
inetpeer: get rid of ip_id_count
[ Upstream commit 73f156a6e8c1074ac6327e0abd1169e95eb66463 ]
Ideally, we would need to generate IP ID using a per destination IP
generator.
linux kernels used inet_peer cache for this purpose, but this had a huge
cost on servers disabling MTU discovery.
1) each inet_peer struct consumes 192 bytes
2) inetpeer cache uses a binary tree of inet_peer structs,
with a nominal size of ~66000 elements under load.
3) lookups in this tree are hitting a lot of cache lines, as tree depth
is about 20.
4) If server deals with many tcp flows, we have a high probability of
not finding the inet_peer, allocating a fresh one, inserting it in
the tree with same initial ip_id_count, (cf secure_ip_id())
5) We garbage collect inet_peer aggressively.
IP ID generation do not have to be 'perfect'
Goal is trying to avoid duplicates in a short period of time,
so that reassembly units have a chance to complete reassembly of
fragments belonging to one message before receiving other fragments
with a recycled ID.
We simply use an array of generators, and a Jenkin hash using the dst IP
as a key.
ipv6_select_ident() is put back into net/ipv6/ip6_output.c where it
belongs (it is only used from this file)
secure_ip_id() and secure_ipv6_id() no longer are needed.
Rename ip_select_ident_more() to ip_select_ident_segs() to avoid
unnecessary decrement/increment of the number of segments.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-06-02 12:26:03 +00:00
|
|
|
static void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
|
|
|
|
|
{
|
|
|
|
|
static u32 ip6_idents_hashrnd __read_mostly;
|
2019-04-18 21:07:11 +00:00
|
|
|
static u32 ip6_idents_hashrnd_extra __read_mostly;
|
inetpeer: get rid of ip_id_count
[ Upstream commit 73f156a6e8c1074ac6327e0abd1169e95eb66463 ]
Ideally, we would need to generate IP ID using a per destination IP
generator.
linux kernels used inet_peer cache for this purpose, but this had a huge
cost on servers disabling MTU discovery.
1) each inet_peer struct consumes 192 bytes
2) inetpeer cache uses a binary tree of inet_peer structs,
with a nominal size of ~66000 elements under load.
3) lookups in this tree are hitting a lot of cache lines, as tree depth
is about 20.
4) If server deals with many tcp flows, we have a high probability of
not finding the inet_peer, allocating a fresh one, inserting it in
the tree with same initial ip_id_count, (cf secure_ip_id())
5) We garbage collect inet_peer aggressively.
IP ID generation do not have to be 'perfect'
Goal is trying to avoid duplicates in a short period of time,
so that reassembly units have a chance to complete reassembly of
fragments belonging to one message before receiving other fragments
with a recycled ID.
We simply use an array of generators, and a Jenkin hash using the dst IP
as a key.
ipv6_select_ident() is put back into net/ipv6/ip6_output.c where it
belongs (it is only used from this file)
secure_ip_id() and secure_ipv6_id() no longer are needed.
Rename ip_select_ident_more() to ip_select_ident_segs() to avoid
unnecessary decrement/increment of the number of segments.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-06-02 12:26:03 +00:00
|
|
|
static bool hashrnd_initialized = false;
|
|
|
|
|
u32 hash, id;
|
|
|
|
|
|
|
|
|
|
if (unlikely(!hashrnd_initialized)) {
|
|
|
|
|
hashrnd_initialized = true;
|
|
|
|
|
get_random_bytes(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
|
2019-04-18 21:07:11 +00:00
|
|
|
get_random_bytes(&ip6_idents_hashrnd_extra, sizeof(ip6_idents_hashrnd_extra));
|
inetpeer: get rid of ip_id_count
[ Upstream commit 73f156a6e8c1074ac6327e0abd1169e95eb66463 ]
Ideally, we would need to generate IP ID using a per destination IP
generator.
linux kernels used inet_peer cache for this purpose, but this had a huge
cost on servers disabling MTU discovery.
1) each inet_peer struct consumes 192 bytes
2) inetpeer cache uses a binary tree of inet_peer structs,
with a nominal size of ~66000 elements under load.
3) lookups in this tree are hitting a lot of cache lines, as tree depth
is about 20.
4) If server deals with many tcp flows, we have a high probability of
not finding the inet_peer, allocating a fresh one, inserting it in
the tree with same initial ip_id_count, (cf secure_ip_id())
5) We garbage collect inet_peer aggressively.
IP ID generation do not have to be 'perfect'
Goal is trying to avoid duplicates in a short period of time,
so that reassembly units have a chance to complete reassembly of
fragments belonging to one message before receiving other fragments
with a recycled ID.
We simply use an array of generators, and a Jenkin hash using the dst IP
as a key.
ipv6_select_ident() is put back into net/ipv6/ip6_output.c where it
belongs (it is only used from this file)
secure_ip_id() and secure_ipv6_id() no longer are needed.
Rename ip_select_ident_more() to ip_select_ident_segs() to avoid
unnecessary decrement/increment of the number of segments.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-06-02 12:26:03 +00:00
|
|
|
}
|
|
|
|
|
hash = __ipv6_addr_jhash(&rt->rt6i_dst.addr, ip6_idents_hashrnd);
|
ip: make IP identifiers less predictable
[ Upstream commit 04ca6973f7c1a0d8537f2d9906a0cf8e69886d75 ]
In "Counting Packets Sent Between Arbitrary Internet Hosts", Jeffrey and
Jedidiah describe ways exploiting linux IP identifier generation to
infer whether two machines are exchanging packets.
With commit 73f156a6e8c1 ("inetpeer: get rid of ip_id_count"), we
changed IP id generation, but this does not really prevent this
side-channel technique.
This patch adds a random amount of perturbation so that IP identifiers
for a given destination [1] are no longer monotonically increasing after
an idle period.
Note that prandom_u32_max(1) returns 0, so if generator is used at most
once per jiffy, this patch inserts no hole in the ID suite and do not
increase collision probability.
This is jiffies based, so in the worst case (HZ=1000), the id can
rollover after ~65 seconds of idle time, which should be fine.
We also change the hash used in __ip_select_ident() to not only hash
on daddr, but also saddr and protocol, so that ICMP probes can not be
used to infer information for other protocols.
For IPv6, adds saddr into the hash as well, but not nexthdr.
If I ping the patched target, we can see ID are now hard to predict.
21:57:11.008086 IP (...)
A > target: ICMP echo request, seq 1, length 64
21:57:11.010752 IP (... id 2081 ...)
target > A: ICMP echo reply, seq 1, length 64
21:57:12.013133 IP (...)
A > target: ICMP echo request, seq 2, length 64
21:57:12.015737 IP (... id 3039 ...)
target > A: ICMP echo reply, seq 2, length 64
21:57:13.016580 IP (...)
A > target: ICMP echo request, seq 3, length 64
21:57:13.019251 IP (... id 3437 ...)
target > A: ICMP echo reply, seq 3, length 64
[1] TCP sessions uses a per flow ID generator not changed by this patch.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jeffrey Knockel <jeffk@cs.unm.edu>
Reported-by: Jedidiah R. Crandall <crandall@cs.unm.edu>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Hannes Frederic Sowa <hannes@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-07-26 06:58:10 +00:00
|
|
|
hash = __ipv6_addr_jhash(&rt->rt6i_src.addr, hash);
|
2019-04-18 21:07:11 +00:00
|
|
|
hash = jhash_1word(hash, ip6_idents_hashrnd_extra);
|
ip: make IP identifiers less predictable
[ Upstream commit 04ca6973f7c1a0d8537f2d9906a0cf8e69886d75 ]
In "Counting Packets Sent Between Arbitrary Internet Hosts", Jeffrey and
Jedidiah describe ways exploiting linux IP identifier generation to
infer whether two machines are exchanging packets.
With commit 73f156a6e8c1 ("inetpeer: get rid of ip_id_count"), we
changed IP id generation, but this does not really prevent this
side-channel technique.
This patch adds a random amount of perturbation so that IP identifiers
for a given destination [1] are no longer monotonically increasing after
an idle period.
Note that prandom_u32_max(1) returns 0, so if generator is used at most
once per jiffy, this patch inserts no hole in the ID suite and do not
increase collision probability.
This is jiffies based, so in the worst case (HZ=1000), the id can
rollover after ~65 seconds of idle time, which should be fine.
We also change the hash used in __ip_select_ident() to not only hash
on daddr, but also saddr and protocol, so that ICMP probes can not be
used to infer information for other protocols.
For IPv6, adds saddr into the hash as well, but not nexthdr.
If I ping the patched target, we can see ID are now hard to predict.
21:57:11.008086 IP (...)
A > target: ICMP echo request, seq 1, length 64
21:57:11.010752 IP (... id 2081 ...)
target > A: ICMP echo reply, seq 1, length 64
21:57:12.013133 IP (...)
A > target: ICMP echo request, seq 2, length 64
21:57:12.015737 IP (... id 3039 ...)
target > A: ICMP echo reply, seq 2, length 64
21:57:13.016580 IP (...)
A > target: ICMP echo request, seq 3, length 64
21:57:13.019251 IP (... id 3437 ...)
target > A: ICMP echo reply, seq 3, length 64
[1] TCP sessions uses a per flow ID generator not changed by this patch.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jeffrey Knockel <jeffk@cs.unm.edu>
Reported-by: Jedidiah R. Crandall <crandall@cs.unm.edu>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Hannes Frederic Sowa <hannes@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-07-26 06:58:10 +00:00
|
|
|
|
inetpeer: get rid of ip_id_count
[ Upstream commit 73f156a6e8c1074ac6327e0abd1169e95eb66463 ]
Ideally, we would need to generate IP ID using a per destination IP
generator.
linux kernels used inet_peer cache for this purpose, but this had a huge
cost on servers disabling MTU discovery.
1) each inet_peer struct consumes 192 bytes
2) inetpeer cache uses a binary tree of inet_peer structs,
with a nominal size of ~66000 elements under load.
3) lookups in this tree are hitting a lot of cache lines, as tree depth
is about 20.
4) If server deals with many tcp flows, we have a high probability of
not finding the inet_peer, allocating a fresh one, inserting it in
the tree with same initial ip_id_count, (cf secure_ip_id())
5) We garbage collect inet_peer aggressively.
IP ID generation do not have to be 'perfect'
Goal is trying to avoid duplicates in a short period of time,
so that reassembly units have a chance to complete reassembly of
fragments belonging to one message before receiving other fragments
with a recycled ID.
We simply use an array of generators, and a Jenkin hash using the dst IP
as a key.
ipv6_select_ident() is put back into net/ipv6/ip6_output.c where it
belongs (it is only used from this file)
secure_ip_id() and secure_ipv6_id() no longer are needed.
Rename ip_select_ident_more() to ip_select_ident_segs() to avoid
unnecessary decrement/increment of the number of segments.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-06-02 12:26:03 +00:00
|
|
|
id = ip_idents_reserve(hash, 1);
|
|
|
|
|
fhdr->identification = htonl(id);
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-17 11:42:42 +00:00
|
|
|
int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
struct sk_buff *frag;
|
2009-06-02 05:19:30 +00:00
|
|
|
struct rt6_info *rt = (struct rt6_info*)skb_dst(skb);
|
2006-02-24 21:18:33 +00:00
|
|
|
struct ipv6_pinfo *np = skb->sk ? inet6_sk(skb->sk) : NULL;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct ipv6hdr *tmp_hdr;
|
|
|
|
|
struct frag_hdr *fh;
|
|
|
|
|
unsigned int mtu, hlen, left, len;
|
2011-11-18 02:20:04 +00:00
|
|
|
int hroom, troom;
|
2006-11-08 08:27:11 +00:00
|
|
|
__be32 frag_id = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
int ptr, offset = 0, err=0;
|
|
|
|
|
u8 *prevhdr, nexthdr = 0;
|
2009-06-02 05:19:30 +00:00
|
|
|
struct net *net = dev_net(skb_dst(skb)->dev);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2017-05-18 02:54:11 +00:00
|
|
|
err = ip6_find_1stfragopt(skb, &prevhdr);
|
|
|
|
|
if (err < 0)
|
ipv6: Prevent overrun when parsing v6 header options
The KASAN warning repoted below was discovered with a syzkaller
program. The reproducer is basically:
int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP);
send(s, &one_byte_of_data, 1, MSG_MORE);
send(s, &more_than_mtu_bytes_data, 2000, 0);
The socket() call sets the nexthdr field of the v6 header to
NEXTHDR_HOP, the first send call primes the payload with a non zero
byte of data, and the second send call triggers the fragmentation path.
The fragmentation code tries to parse the header options in order
to figure out where to insert the fragment option. Since nexthdr points
to an invalid option, the calculation of the size of the network header
can made to be much larger than the linear section of the skb and data
is read outside of it.
This fix makes ip6_find_1stfrag return an error if it detects
running out-of-bounds.
[ 42.361487] ==================================================================
[ 42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730
[ 42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789
[ 42.366469]
[ 42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41
[ 42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
[ 42.368824] Call Trace:
[ 42.369183] dump_stack+0xb3/0x10b
[ 42.369664] print_address_description+0x73/0x290
[ 42.370325] kasan_report+0x252/0x370
[ 42.370839] ? ip6_fragment+0x11c8/0x3730
[ 42.371396] check_memory_region+0x13c/0x1a0
[ 42.371978] memcpy+0x23/0x50
[ 42.372395] ip6_fragment+0x11c8/0x3730
[ 42.372920] ? nf_ct_expect_unregister_notifier+0x110/0x110
[ 42.373681] ? ip6_copy_metadata+0x7f0/0x7f0
[ 42.374263] ? ip6_forward+0x2e30/0x2e30
[ 42.374803] ip6_finish_output+0x584/0x990
[ 42.375350] ip6_output+0x1b7/0x690
[ 42.375836] ? ip6_finish_output+0x990/0x990
[ 42.376411] ? ip6_fragment+0x3730/0x3730
[ 42.376968] ip6_local_out+0x95/0x160
[ 42.377471] ip6_send_skb+0xa1/0x330
[ 42.377969] ip6_push_pending_frames+0xb3/0xe0
[ 42.378589] rawv6_sendmsg+0x2051/0x2db0
[ 42.379129] ? rawv6_bind+0x8b0/0x8b0
[ 42.379633] ? _copy_from_user+0x84/0xe0
[ 42.380193] ? debug_check_no_locks_freed+0x290/0x290
[ 42.380878] ? ___sys_sendmsg+0x162/0x930
[ 42.381427] ? rcu_read_lock_sched_held+0xa3/0x120
[ 42.382074] ? sock_has_perm+0x1f6/0x290
[ 42.382614] ? ___sys_sendmsg+0x167/0x930
[ 42.383173] ? lock_downgrade+0x660/0x660
[ 42.383727] inet_sendmsg+0x123/0x500
[ 42.384226] ? inet_sendmsg+0x123/0x500
[ 42.384748] ? inet_recvmsg+0x540/0x540
[ 42.385263] sock_sendmsg+0xca/0x110
[ 42.385758] SYSC_sendto+0x217/0x380
[ 42.386249] ? SYSC_connect+0x310/0x310
[ 42.386783] ? __might_fault+0x110/0x1d0
[ 42.387324] ? lock_downgrade+0x660/0x660
[ 42.387880] ? __fget_light+0xa1/0x1f0
[ 42.388403] ? __fdget+0x18/0x20
[ 42.388851] ? sock_common_setsockopt+0x95/0xd0
[ 42.389472] ? SyS_setsockopt+0x17f/0x260
[ 42.390021] ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 42.390650] SyS_sendto+0x40/0x50
[ 42.391103] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 42.391731] RIP: 0033:0x7fbbb711e383
[ 42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383
[ 42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003
[ 42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018
[ 42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad
[ 42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00
[ 42.397257]
[ 42.397411] Allocated by task 3789:
[ 42.397702] save_stack_trace+0x16/0x20
[ 42.398005] save_stack+0x46/0xd0
[ 42.398267] kasan_kmalloc+0xad/0xe0
[ 42.398548] kasan_slab_alloc+0x12/0x20
[ 42.398848] __kmalloc_node_track_caller+0xcb/0x380
[ 42.399224] __kmalloc_reserve.isra.32+0x41/0xe0
[ 42.399654] __alloc_skb+0xf8/0x580
[ 42.400003] sock_wmalloc+0xab/0xf0
[ 42.400346] __ip6_append_data.isra.41+0x2472/0x33d0
[ 42.400813] ip6_append_data+0x1a8/0x2f0
[ 42.401122] rawv6_sendmsg+0x11ee/0x2db0
[ 42.401505] inet_sendmsg+0x123/0x500
[ 42.401860] sock_sendmsg+0xca/0x110
[ 42.402209] ___sys_sendmsg+0x7cb/0x930
[ 42.402582] __sys_sendmsg+0xd9/0x190
[ 42.402941] SyS_sendmsg+0x2d/0x50
[ 42.403273] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 42.403718]
[ 42.403871] Freed by task 1794:
[ 42.404146] save_stack_trace+0x16/0x20
[ 42.404515] save_stack+0x46/0xd0
[ 42.404827] kasan_slab_free+0x72/0xc0
[ 42.405167] kfree+0xe8/0x2b0
[ 42.405462] skb_free_head+0x74/0xb0
[ 42.405806] skb_release_data+0x30e/0x3a0
[ 42.406198] skb_release_all+0x4a/0x60
[ 42.406563] consume_skb+0x113/0x2e0
[ 42.406910] skb_free_datagram+0x1a/0xe0
[ 42.407288] netlink_recvmsg+0x60d/0xe40
[ 42.407667] sock_recvmsg+0xd7/0x110
[ 42.408022] ___sys_recvmsg+0x25c/0x580
[ 42.408395] __sys_recvmsg+0xd6/0x190
[ 42.408753] SyS_recvmsg+0x2d/0x50
[ 42.409086] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 42.409513]
[ 42.409665] The buggy address belongs to the object at ffff88000969e780
[ 42.409665] which belongs to the cache kmalloc-512 of size 512
[ 42.410846] The buggy address is located 24 bytes inside of
[ 42.410846] 512-byte region [ffff88000969e780, ffff88000969e980)
[ 42.411941] The buggy address belongs to the page:
[ 42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 42.413298] flags: 0x100000000008100(slab|head)
[ 42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c
[ 42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000
[ 42.415074] page dumped because: kasan: bad access detected
[ 42.415604]
[ 42.415757] Memory state around the buggy address:
[ 42.416222] ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.416904] ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.418273] ^
[ 42.418588] ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.419273] ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.419882] ==================================================================
Change-Id: Ie92389967e2f4168b00120fe86201e02916c098b
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Craig Gallek <kraig@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-05-16 18:36:23 +00:00
|
|
|
goto fail;
|
2017-05-18 02:54:11 +00:00
|
|
|
hlen = err;
|
2005-04-16 22:20:36 +00:00
|
|
|
nexthdr = *prevhdr;
|
|
|
|
|
|
2007-04-20 22:53:27 +00:00
|
|
|
mtu = ip6_skb_dst_mtu(skb);
|
2007-04-20 22:52:39 +00:00
|
|
|
|
|
|
|
|
/* We must not fragment if the socket is set to force MTU discovery
|
2010-02-26 12:34:49 +00:00
|
|
|
* or if the skb it not generated by a local socket.
|
2007-04-20 22:52:39 +00:00
|
|
|
*/
|
netfilter: nf_conntrack_ipv6: improve fragmentation handling
The IPv6 conntrack fragmentation currently has a couple of shortcomings.
Fragmentes are collected in PREROUTING/OUTPUT, are defragmented, the
defragmented packet is then passed to conntrack, the resulting conntrack
information is attached to each original fragment and the fragments then
continue their way through the stack.
Helper invocation occurs in the POSTROUTING hook, at which point only
the original fragments are available. The result of this is that
fragmented packets are never passed to helpers.
This patch improves the situation in the following way:
- If a reassembled packet belongs to a connection that has a helper
assigned, the reassembled packet is passed through the stack instead
of the original fragments.
- During defragmentation, the largest received fragment size is stored.
On output, the packet is refragmented if required. If the largest
received fragment size exceeds the outgoing MTU, a "packet too big"
message is generated, thus behaving as if the original fragments
were passed through the stack from an outside point of view.
- The ipv6_helper() hook function can't receive fragments anymore for
connections using a helper, so it is switched to use ipv6_skip_exthdr()
instead of the netfilter specific nf_ct_ipv6_skip_exthdr() and the
reassembled packets are passed to connection tracking helpers.
The result of this is that we can properly track fragmented packets, but
still generate ICMPv6 Packet too big messages if we would have before.
This patch is also required as a precondition for IPv6 NAT, where NAT
helpers might enlarge packets up to a point that they require
fragmentation. In that case we can't generate Packet too big messages
since the proper MTU can't be calculated in all cases (f.i. when
changing textual representation of a variable amount of addresses),
so the packet is transparently fragmented iff the original packet or
fragments would have fit the outgoing MTU.
IPVS parts by Jesper Dangaard Brouer <brouer@redhat.com>.
Signed-off-by: Patrick McHardy <kaber@trash.net>
2012-08-26 17:13:58 +00:00
|
|
|
if (unlikely(!skb->local_df && skb->len > mtu) ||
|
|
|
|
|
(IP6CB(skb)->frag_max_size &&
|
|
|
|
|
IP6CB(skb)->frag_max_size > mtu)) {
|
2012-05-18 21:51:44 +00:00
|
|
|
if (skb->sk && dst_allfrag(skb_dst(skb)))
|
|
|
|
|
sk_nocaps_add(skb->sk, NETIF_F_GSO_MASK);
|
|
|
|
|
|
2009-06-02 05:19:30 +00:00
|
|
|
skb->dev = skb_dst(skb)->dev;
|
2010-02-18 08:25:24 +00:00
|
|
|
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
|
2009-06-02 05:19:30 +00:00
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
|
2008-10-08 17:54:51 +00:00
|
|
|
IPSTATS_MIB_FRAGFAILS);
|
2007-04-20 22:52:39 +00:00
|
|
|
kfree_skb(skb);
|
|
|
|
|
return -EMSGSIZE;
|
|
|
|
|
}
|
|
|
|
|
|
2006-02-24 21:18:33 +00:00
|
|
|
if (np && np->frag_size < mtu) {
|
|
|
|
|
if (np->frag_size)
|
|
|
|
|
mtu = np->frag_size;
|
|
|
|
|
}
|
|
|
|
|
mtu -= hlen + sizeof(struct frag_hdr);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-08-23 07:13:46 +00:00
|
|
|
if (skb_has_frag_list(skb)) {
|
2005-04-16 22:20:36 +00:00
|
|
|
int first_len = skb_pagelen(skb);
|
2010-09-21 08:47:45 +00:00
|
|
|
struct sk_buff *frag2;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (first_len - hlen > mtu ||
|
|
|
|
|
((first_len - hlen) & 7) ||
|
|
|
|
|
skb_cloned(skb))
|
|
|
|
|
goto slow_path;
|
|
|
|
|
|
2009-06-09 07:20:05 +00:00
|
|
|
skb_walk_frags(skb, frag) {
|
2005-04-16 22:20:36 +00:00
|
|
|
/* Correct geometry. */
|
|
|
|
|
if (frag->len > mtu ||
|
|
|
|
|
((frag->len & 7) && frag->next) ||
|
|
|
|
|
skb_headroom(frag) < hlen)
|
2010-09-21 08:47:45 +00:00
|
|
|
goto slow_path_clean;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
/* Partially cloned skb? */
|
|
|
|
|
if (skb_shared(frag))
|
2010-09-21 08:47:45 +00:00
|
|
|
goto slow_path_clean;
|
2005-05-19 05:52:33 +00:00
|
|
|
|
|
|
|
|
BUG_ON(frag->sk);
|
|
|
|
|
if (skb->sk) {
|
|
|
|
|
frag->sk = skb->sk;
|
|
|
|
|
frag->destructor = sock_wfree;
|
|
|
|
|
}
|
2010-09-21 08:47:45 +00:00
|
|
|
skb->truesize -= frag->truesize;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = 0;
|
|
|
|
|
offset = 0;
|
|
|
|
|
frag = skb_shinfo(skb)->frag_list;
|
2009-06-09 07:20:05 +00:00
|
|
|
skb_frag_list_init(skb);
|
2005-04-16 22:20:36 +00:00
|
|
|
/* BUILD HEADER */
|
|
|
|
|
|
2006-12-05 21:47:21 +00:00
|
|
|
*prevhdr = NEXTHDR_FRAGMENT;
|
2007-04-11 03:50:43 +00:00
|
|
|
tmp_hdr = kmemdup(skb_network_header(skb), hlen, GFP_ATOMIC);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!tmp_hdr) {
|
2009-06-02 05:19:30 +00:00
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
|
2008-10-08 17:54:51 +00:00
|
|
|
IPSTATS_MIB_FRAGFAILS);
|
2005-04-16 22:20:36 +00:00
|
|
|
return -ENOMEM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
__skb_pull(skb, hlen);
|
|
|
|
|
fh = (struct frag_hdr*)__skb_push(skb, sizeof(struct frag_hdr));
|
2007-04-11 03:46:21 +00:00
|
|
|
__skb_push(skb, hlen);
|
|
|
|
|
skb_reset_network_header(skb);
|
2007-04-11 03:50:43 +00:00
|
|
|
memcpy(skb_network_header(skb), tmp_hdr, hlen);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2011-07-22 04:25:58 +00:00
|
|
|
ipv6_select_ident(fh, rt);
|
2005-04-16 22:20:36 +00:00
|
|
|
fh->nexthdr = nexthdr;
|
|
|
|
|
fh->reserved = 0;
|
|
|
|
|
fh->frag_off = htons(IP6_MF);
|
|
|
|
|
frag_id = fh->identification;
|
|
|
|
|
|
|
|
|
|
first_len = skb_pagelen(skb);
|
|
|
|
|
skb->data_len = first_len - skb_headlen(skb);
|
|
|
|
|
skb->len = first_len;
|
2007-04-26 00:54:47 +00:00
|
|
|
ipv6_hdr(skb)->payload_len = htons(first_len -
|
|
|
|
|
sizeof(struct ipv6hdr));
|
2006-11-04 11:11:37 +00:00
|
|
|
|
2010-06-11 06:31:35 +00:00
|
|
|
dst_hold(&rt->dst);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
|
/* Prepare header of the next frame,
|
|
|
|
|
* before previous one went down. */
|
|
|
|
|
if (frag) {
|
|
|
|
|
frag->ip_summed = CHECKSUM_NONE;
|
2007-03-13 16:06:52 +00:00
|
|
|
skb_reset_transport_header(frag);
|
2005-04-16 22:20:36 +00:00
|
|
|
fh = (struct frag_hdr*)__skb_push(frag, sizeof(struct frag_hdr));
|
2007-04-11 03:46:21 +00:00
|
|
|
__skb_push(frag, hlen);
|
|
|
|
|
skb_reset_network_header(frag);
|
2007-04-11 03:50:43 +00:00
|
|
|
memcpy(skb_network_header(frag), tmp_hdr,
|
|
|
|
|
hlen);
|
2005-04-16 22:20:36 +00:00
|
|
|
offset += skb->len - hlen - sizeof(struct frag_hdr);
|
|
|
|
|
fh->nexthdr = nexthdr;
|
|
|
|
|
fh->reserved = 0;
|
|
|
|
|
fh->frag_off = htons(offset);
|
|
|
|
|
if (frag->next != NULL)
|
|
|
|
|
fh->frag_off |= htons(IP6_MF);
|
|
|
|
|
fh->identification = frag_id;
|
2007-04-26 00:54:47 +00:00
|
|
|
ipv6_hdr(frag)->payload_len =
|
|
|
|
|
htons(frag->len -
|
|
|
|
|
sizeof(struct ipv6hdr));
|
2005-04-16 22:20:36 +00:00
|
|
|
ip6_copy_metadata(frag, skb);
|
|
|
|
|
}
|
2007-02-09 14:24:49 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
err = output(skb);
|
2006-08-02 20:41:21 +00:00
|
|
|
if(!err)
|
2010-06-11 06:31:35 +00:00
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
|
2008-10-08 17:54:51 +00:00
|
|
|
IPSTATS_MIB_FRAGCREATES);
|
2006-08-02 20:41:21 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (err || !frag)
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
skb = frag;
|
|
|
|
|
frag = skb->next;
|
|
|
|
|
skb->next = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2005-11-08 17:41:34 +00:00
|
|
|
kfree(tmp_hdr);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (err == 0) {
|
2010-06-11 06:31:35 +00:00
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
|
2008-10-08 17:54:51 +00:00
|
|
|
IPSTATS_MIB_FRAGOKS);
|
2012-10-29 00:13:19 +00:00
|
|
|
ip6_rt_put(rt);
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while (frag) {
|
|
|
|
|
skb = frag->next;
|
|
|
|
|
kfree_skb(frag);
|
|
|
|
|
frag = skb;
|
|
|
|
|
}
|
|
|
|
|
|
2010-06-11 06:31:35 +00:00
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
|
2008-10-08 17:54:51 +00:00
|
|
|
IPSTATS_MIB_FRAGFAILS);
|
2012-10-29 00:13:19 +00:00
|
|
|
ip6_rt_put(rt);
|
2005-04-16 22:20:36 +00:00
|
|
|
return err;
|
2010-09-21 08:47:45 +00:00
|
|
|
|
|
|
|
|
slow_path_clean:
|
|
|
|
|
skb_walk_frags(skb, frag2) {
|
|
|
|
|
if (frag2 == frag)
|
|
|
|
|
break;
|
|
|
|
|
frag2->sk = NULL;
|
|
|
|
|
frag2->destructor = NULL;
|
|
|
|
|
skb->truesize += frag2->truesize;
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
slow_path:
|
2012-05-18 11:02:15 +00:00
|
|
|
if ((skb->ip_summed == CHECKSUM_PARTIAL) &&
|
|
|
|
|
skb_checksum_help(skb))
|
|
|
|
|
goto fail;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
left = skb->len - hlen; /* Space per frame */
|
|
|
|
|
ptr = hlen; /* Where to start from */
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Fragment the datagram.
|
|
|
|
|
*/
|
|
|
|
|
|
2011-11-18 02:20:04 +00:00
|
|
|
hroom = LL_RESERVED_SPACE(rt->dst.dev);
|
|
|
|
|
troom = rt->dst.dev->needed_tailroom;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Keep copying data until we run out.
|
|
|
|
|
*/
|
|
|
|
|
while(left > 0) {
|
2017-03-13 15:24:28 +00:00
|
|
|
u8 *fragnexthdr_offset;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
len = left;
|
|
|
|
|
/* IF: it doesn't fit, use 'mtu' - the data space left */
|
|
|
|
|
if (len > mtu)
|
|
|
|
|
len = mtu;
|
2011-03-31 01:57:33 +00:00
|
|
|
/* IF: we are not sending up to and including the packet end
|
2005-04-16 22:20:36 +00:00
|
|
|
then align the next start on an eight byte boundary */
|
|
|
|
|
if (len < left) {
|
|
|
|
|
len &= ~7;
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Allocate buffer.
|
|
|
|
|
*/
|
|
|
|
|
|
2011-11-18 02:20:04 +00:00
|
|
|
if ((frag = alloc_skb(len + hlen + sizeof(struct frag_hdr) +
|
|
|
|
|
hroom + troom, GFP_ATOMIC)) == NULL) {
|
2005-08-10 03:50:53 +00:00
|
|
|
NETDEBUG(KERN_INFO "IPv6: frag: no memory for new fragment!\n");
|
2009-06-02 05:19:30 +00:00
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
|
2006-11-04 11:11:37 +00:00
|
|
|
IPSTATS_MIB_FRAGFAILS);
|
2005-04-16 22:20:36 +00:00
|
|
|
err = -ENOMEM;
|
|
|
|
|
goto fail;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set up data on packet
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
ip6_copy_metadata(frag, skb);
|
2011-11-18 02:20:04 +00:00
|
|
|
skb_reserve(frag, hroom);
|
2005-04-16 22:20:36 +00:00
|
|
|
skb_put(frag, len + hlen + sizeof(struct frag_hdr));
|
2007-04-11 03:45:18 +00:00
|
|
|
skb_reset_network_header(frag);
|
2007-03-13 16:06:52 +00:00
|
|
|
fh = (struct frag_hdr *)(skb_network_header(frag) + hlen);
|
2007-04-11 04:21:55 +00:00
|
|
|
frag->transport_header = (frag->network_header + hlen +
|
|
|
|
|
sizeof(struct frag_hdr));
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Charge the memory for the fragment to any owner
|
|
|
|
|
* it might possess
|
|
|
|
|
*/
|
|
|
|
|
if (skb->sk)
|
|
|
|
|
skb_set_owner_w(frag, skb->sk);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Copy the packet header into the new buffer.
|
|
|
|
|
*/
|
2007-03-27 21:55:52 +00:00
|
|
|
skb_copy_from_linear_data(skb, skb_network_header(frag), hlen);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2017-03-13 15:24:28 +00:00
|
|
|
fragnexthdr_offset = skb_network_header(frag);
|
|
|
|
|
fragnexthdr_offset += prevhdr - skb_network_header(skb);
|
|
|
|
|
*fragnexthdr_offset = NEXTHDR_FRAGMENT;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
|
* Build fragment header.
|
|
|
|
|
*/
|
|
|
|
|
fh->nexthdr = nexthdr;
|
|
|
|
|
fh->reserved = 0;
|
2005-10-03 21:19:15 +00:00
|
|
|
if (!frag_id) {
|
2011-07-22 04:25:58 +00:00
|
|
|
ipv6_select_ident(fh, rt);
|
2005-04-16 22:20:36 +00:00
|
|
|
frag_id = fh->identification;
|
|
|
|
|
} else
|
|
|
|
|
fh->identification = frag_id;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Copy a block of the IP datagram.
|
|
|
|
|
*/
|
[IPV6]: Fix kernel panic while send SCTP data with IP fragments
If ICMP6 message with "Packet Too Big" is received after send SCTP DATA,
kernel panic will occur when SCTP DATA is send again.
This is because of a bad dest address when call to skb_copy_bits().
The messages sequence is like this:
Endpoint A Endpoint B
<------- SCTP DATA (size=1432)
ICMP6 message ------->
(Packet Too Big pmtu=1280)
<------- Resend SCTP DATA (size=1432)
------------kernel panic---------------
printing eip:
c05be62a
*pde = 00000000
Oops: 0002 [#1]
SMP
Modules linked in: scomm l2cap bluetooth ipv6 dm_mirror dm_mod video output sbs battery lp floppy sg i2c_piix4 i2c_core pcnet32 mii button ac parport_pc parport ide_cd cdrom serio_raw mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
CPU: 0
EIP: 0060:[<c05be62a>] Not tainted VLI
EFLAGS: 00010282 (2.6.23-rc2 #1)
EIP is at skb_copy_bits+0x4f/0x1ef
eax: 000004d0 ebx: ce12a980 ecx: 00000134 edx: cfd5a880
esi: c8246858 edi: 00000000 ebp: c0759b14 esp: c0759adc
ds: 007b es: 007b fs: 00d8 gs: 0000 ss: 0068
Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000)
Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 00000000 00000028 cfd5a880
d09f1890 000005dc 0000007b ce12a980 cfd5a880 c8bff838 c0759b88 d09bc521
000004d0 fffff96c 00000200 00000100 c0759b50 cfd5a880 00000246 c0759bd4
Call Trace:
[<c0405e1d>] show_trace_log_lvl+0x1a/0x2f
[<c0405ecd>] show_stack_log_lvl+0x9b/0xa3
[<c040608d>] show_registers+0x1b8/0x289
[<c0406271>] die+0x113/0x246
[<c0625dbc>] do_page_fault+0x4ad/0x57e
[<c0624642>] error_code+0x72/0x78
[<d09bc521>] ip6_output+0x8e5/0xab2 [ipv6]
[<d09bcec1>] ip6_xmit+0x2ea/0x3a3 [ipv6]
[<d0a3f2ca>] sctp_v6_xmit+0x248/0x253 [sctp]
[<d0a3c934>] sctp_packet_transmit+0x53f/0x5ae [sctp]
[<d0a34bf8>] sctp_outq_flush+0x555/0x587 [sctp]
[<d0a34d3c>] sctp_retransmit+0xf8/0x10f [sctp]
[<d0a3d183>] sctp_icmp_frag_needed+0x57/0x5b [sctp]
[<d0a3ece2>] sctp_v6_err+0xcd/0x148 [sctp]
[<d09cf1ce>] icmpv6_notify+0xe6/0x167 [ipv6]
[<d09d009a>] icmpv6_rcv+0x7d7/0x849 [ipv6]
[<d09be240>] ip6_input+0x1dc/0x310 [ipv6]
[<d09be965>] ipv6_rcv+0x294/0x2df [ipv6]
[<c05c3789>] netif_receive_skb+0x2d2/0x335
[<c05c5733>] process_backlog+0x7f/0xd0
[<c05c58f6>] net_rx_action+0x96/0x17e
[<c042e722>] __do_softirq+0x64/0xcd
[<c0406f37>] do_softirq+0x5c/0xac
=======================
Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 85 c0 7e 35 39 45 08 8b 55 e4 0f 4e 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 <f3> a5 89 c1 83 e1 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01
EIP: [<c05be62a>] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc
Kernel panic - not syncing: Fatal exception in interrupt
Arnaldo says:
====================
Thanks! I'm to blame for this one, problem was introduced in:
b0e380b1d8a8e0aca215df97702f99815f05c094
@@ -761,7 +762,7 @@ slow_path:
/*
* Copy a block of the IP datagram.
*/
- if (skb_copy_bits(skb, ptr, frag->h.raw, len))
+ if (skb_copy_bits(skb, ptr, skb_transport_header(skb),
len))
BUG();
left -= len;
====================
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-22 03:59:08 +00:00
|
|
|
if (skb_copy_bits(skb, ptr, skb_transport_header(frag), len))
|
2005-04-16 22:20:36 +00:00
|
|
|
BUG();
|
|
|
|
|
left -= len;
|
|
|
|
|
|
|
|
|
|
fh->frag_off = htons(offset);
|
|
|
|
|
if (left > 0)
|
|
|
|
|
fh->frag_off |= htons(IP6_MF);
|
2007-04-26 00:54:47 +00:00
|
|
|
ipv6_hdr(frag)->payload_len = htons(frag->len -
|
|
|
|
|
sizeof(struct ipv6hdr));
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
ptr += len;
|
|
|
|
|
offset += len;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Put this fragment into the sending queue.
|
|
|
|
|
*/
|
|
|
|
|
err = output(frag);
|
|
|
|
|
if (err)
|
|
|
|
|
goto fail;
|
2006-08-02 20:41:21 +00:00
|
|
|
|
2009-06-02 05:19:30 +00:00
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
|
2008-10-08 17:54:51 +00:00
|
|
|
IPSTATS_MIB_FRAGCREATES);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2009-06-02 05:19:30 +00:00
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
|
2006-11-04 11:11:37 +00:00
|
|
|
IPSTATS_MIB_FRAGOKS);
|
2012-04-24 10:17:59 +00:00
|
|
|
consume_skb(skb);
|
2005-04-16 22:20:36 +00:00
|
|
|
return err;
|
|
|
|
|
|
|
|
|
|
fail:
|
2009-06-02 05:19:30 +00:00
|
|
|
IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
|
2006-11-04 11:11:37 +00:00
|
|
|
IPSTATS_MIB_FRAGFAILS);
|
2007-02-09 14:24:49 +00:00
|
|
|
kfree_skb(skb);
|
2005-04-16 22:20:36 +00:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2011-04-22 04:53:02 +00:00
|
|
|
static inline int ip6_rt_check(const struct rt6key *rt_key,
|
|
|
|
|
const struct in6_addr *fl_addr,
|
|
|
|
|
const struct in6_addr *addr_cache)
|
2006-08-24 00:19:18 +00:00
|
|
|
{
|
2010-09-22 20:43:57 +00:00
|
|
|
return (rt_key->plen != 128 || !ipv6_addr_equal(fl_addr, &rt_key->addr)) &&
|
|
|
|
|
(addr_cache == NULL || !ipv6_addr_equal(fl_addr, addr_cache));
|
2006-08-24 00:19:18 +00:00
|
|
|
}
|
|
|
|
|
|
2006-07-31 03:19:33 +00:00
|
|
|
static struct dst_entry *ip6_sk_dst_check(struct sock *sk,
|
|
|
|
|
struct dst_entry *dst,
|
2011-04-22 04:53:02 +00:00
|
|
|
const struct flowi6 *fl6)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2006-07-31 03:19:33 +00:00
|
|
|
struct ipv6_pinfo *np = inet6_sk(sk);
|
2013-06-26 11:15:07 +00:00
|
|
|
struct rt6_info *rt;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-07-31 03:19:33 +00:00
|
|
|
if (!dst)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2013-06-26 11:15:07 +00:00
|
|
|
if (dst->ops->family != AF_INET6) {
|
|
|
|
|
dst_release(dst);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rt = (struct rt6_info *)dst;
|
2006-07-31 03:19:33 +00:00
|
|
|
/* Yes, checking route validity in not connected
|
|
|
|
|
* case is not very simple. Take into account,
|
|
|
|
|
* that we do not support routing by source, TOS,
|
|
|
|
|
* and MSG_DONTROUTE --ANK (980726)
|
|
|
|
|
*
|
2006-08-24 00:19:18 +00:00
|
|
|
* 1. ip6_rt_check(): If route was host route,
|
|
|
|
|
* check that cached destination is current.
|
2006-07-31 03:19:33 +00:00
|
|
|
* If it is network route, we still may
|
|
|
|
|
* check its validity using saved pointer
|
|
|
|
|
* to the last used address: daddr_cache.
|
|
|
|
|
* We do not want to save whole address now,
|
|
|
|
|
* (because main consumer of this service
|
|
|
|
|
* is tcp, which has not this problem),
|
|
|
|
|
* so that the last trick works only on connected
|
|
|
|
|
* sockets.
|
|
|
|
|
* 2. oif also should be the same.
|
|
|
|
|
*/
|
2011-03-12 21:22:43 +00:00
|
|
|
if (ip6_rt_check(&rt->rt6i_dst, &fl6->daddr, np->daddr_cache) ||
|
2006-08-30 00:15:09 +00:00
|
|
|
#ifdef CONFIG_IPV6_SUBTREES
|
2011-03-12 21:22:43 +00:00
|
|
|
ip6_rt_check(&rt->rt6i_src, &fl6->saddr, np->saddr_cache) ||
|
2006-08-30 00:15:09 +00:00
|
|
|
#endif
|
2011-03-12 21:22:43 +00:00
|
|
|
(fl6->flowi6_oif && fl6->flowi6_oif != dst->dev->ifindex)) {
|
2006-07-31 03:19:33 +00:00
|
|
|
dst_release(dst);
|
|
|
|
|
dst = NULL;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2006-07-31 03:19:33 +00:00
|
|
|
out:
|
|
|
|
|
return dst;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int ip6_dst_lookup_tail(struct sock *sk,
|
2011-03-12 21:22:43 +00:00
|
|
|
struct dst_entry **dst, struct flowi6 *fl6)
|
2006-07-31 03:19:33 +00:00
|
|
|
{
|
2008-03-25 17:26:21 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2011-07-18 06:09:49 +00:00
|
|
|
#ifdef CONFIG_IPV6_OPTIMISTIC_DAD
|
|
|
|
|
struct neighbour *n;
|
2012-07-03 05:43:47 +00:00
|
|
|
struct rt6_info *rt;
|
2011-07-18 06:09:49 +00:00
|
|
|
#endif
|
|
|
|
|
int err;
|
2006-07-31 03:19:33 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (*dst == NULL)
|
2011-03-12 21:22:43 +00:00
|
|
|
*dst = ip6_route_output(net, sk, fl6);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if ((err = (*dst)->error))
|
|
|
|
|
goto out_err_release;
|
|
|
|
|
|
2011-03-12 21:22:43 +00:00
|
|
|
if (ipv6_addr_any(&fl6->saddr)) {
|
2011-04-13 21:10:57 +00:00
|
|
|
struct rt6_info *rt = (struct rt6_info *) *dst;
|
|
|
|
|
err = ip6_route_get_saddr(net, rt, &fl6->daddr,
|
|
|
|
|
sk ? inet6_sk(sk)->srcprefs : 0,
|
|
|
|
|
&fl6->saddr);
|
2005-07-27 18:45:17 +00:00
|
|
|
if (err)
|
2005-04-16 22:20:36 +00:00
|
|
|
goto out_err_release;
|
|
|
|
|
}
|
|
|
|
|
|
2007-04-26 00:08:10 +00:00
|
|
|
#ifdef CONFIG_IPV6_OPTIMISTIC_DAD
|
2008-09-09 20:51:35 +00:00
|
|
|
/*
|
|
|
|
|
* Here if the dst entry we've looked up
|
|
|
|
|
* has a neighbour entry that is in the INCOMPLETE
|
|
|
|
|
* state and the src address from the flow is
|
|
|
|
|
* marked as OPTIMISTIC, we release the found
|
|
|
|
|
* dst entry and replace it instead with the
|
|
|
|
|
* dst entry of the nexthop router
|
|
|
|
|
*/
|
2012-07-06 07:19:05 +00:00
|
|
|
rt = (struct rt6_info *) *dst;
|
2013-01-17 12:53:55 +00:00
|
|
|
rcu_read_lock_bh();
|
2013-10-20 12:43:04 +00:00
|
|
|
n = __ipv6_neigh_lookup_noref(rt->dst.dev, rt6_nexthop(rt));
|
2013-01-17 12:53:55 +00:00
|
|
|
err = n && !(n->nud_state & NUD_VALID) ? -EINVAL : 0;
|
|
|
|
|
rcu_read_unlock_bh();
|
|
|
|
|
|
|
|
|
|
if (err) {
|
2008-09-09 20:51:35 +00:00
|
|
|
struct inet6_ifaddr *ifp;
|
2011-03-12 21:22:43 +00:00
|
|
|
struct flowi6 fl_gw6;
|
2008-09-09 20:51:35 +00:00
|
|
|
int redirect;
|
|
|
|
|
|
2011-03-12 21:22:43 +00:00
|
|
|
ifp = ipv6_get_ifaddr(net, &fl6->saddr,
|
2008-09-09 20:51:35 +00:00
|
|
|
(*dst)->dev, 1);
|
|
|
|
|
|
|
|
|
|
redirect = (ifp && ifp->flags & IFA_F_OPTIMISTIC);
|
|
|
|
|
if (ifp)
|
|
|
|
|
in6_ifa_put(ifp);
|
|
|
|
|
|
|
|
|
|
if (redirect) {
|
|
|
|
|
/*
|
|
|
|
|
* We need to get the dst entry for the
|
|
|
|
|
* default router instead
|
|
|
|
|
*/
|
|
|
|
|
dst_release(*dst);
|
2011-03-12 21:22:43 +00:00
|
|
|
memcpy(&fl_gw6, fl6, sizeof(struct flowi6));
|
|
|
|
|
memset(&fl_gw6.daddr, 0, sizeof(struct in6_addr));
|
|
|
|
|
*dst = ip6_route_output(net, sk, &fl_gw6);
|
2008-09-09 20:51:35 +00:00
|
|
|
if ((err = (*dst)->error))
|
|
|
|
|
goto out_err_release;
|
2007-04-26 00:08:10 +00:00
|
|
|
}
|
2008-09-09 20:51:35 +00:00
|
|
|
}
|
2007-04-26 00:08:10 +00:00
|
|
|
#endif
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
out_err_release:
|
2007-12-06 06:31:47 +00:00
|
|
|
if (err == -ENETUNREACH)
|
2008-10-08 18:09:27 +00:00
|
|
|
IP6_INC_STATS_BH(net, NULL, IPSTATS_MIB_OUTNOROUTES);
|
2005-04-16 22:20:36 +00:00
|
|
|
dst_release(*dst);
|
|
|
|
|
*dst = NULL;
|
|
|
|
|
return err;
|
|
|
|
|
}
|
2005-11-30 00:28:56 +00:00
|
|
|
|
2006-07-31 03:19:33 +00:00
|
|
|
/**
|
|
|
|
|
* ip6_dst_lookup - perform route lookup on flow
|
|
|
|
|
* @sk: socket which provides route info
|
|
|
|
|
* @dst: pointer to dst_entry * for result
|
2011-03-12 21:22:43 +00:00
|
|
|
* @fl6: flow to lookup
|
2006-07-31 03:19:33 +00:00
|
|
|
*
|
|
|
|
|
* This function performs a route lookup on the given flow.
|
|
|
|
|
*
|
|
|
|
|
* It returns zero on success, or a standard errno code on error.
|
|
|
|
|
*/
|
2011-03-12 21:22:43 +00:00
|
|
|
int ip6_dst_lookup(struct sock *sk, struct dst_entry **dst, struct flowi6 *fl6)
|
2006-07-31 03:19:33 +00:00
|
|
|
{
|
|
|
|
|
*dst = NULL;
|
2011-03-12 21:22:43 +00:00
|
|
|
return ip6_dst_lookup_tail(sk, dst, fl6);
|
2006-07-31 03:19:33 +00:00
|
|
|
}
|
2005-12-14 07:23:20 +00:00
|
|
|
EXPORT_SYMBOL_GPL(ip6_dst_lookup);
|
|
|
|
|
|
2006-07-31 03:19:33 +00:00
|
|
|
/**
|
2011-03-01 21:19:07 +00:00
|
|
|
* ip6_dst_lookup_flow - perform route lookup on flow with ipsec
|
|
|
|
|
* @sk: socket which provides route info
|
2011-03-12 21:22:43 +00:00
|
|
|
* @fl6: flow to lookup
|
2011-03-01 21:19:07 +00:00
|
|
|
* @final_dst: final destination address for ipsec lookup
|
2011-03-01 22:32:04 +00:00
|
|
|
* @can_sleep: we are in a sleepable context
|
2011-03-01 21:19:07 +00:00
|
|
|
*
|
|
|
|
|
* This function performs a route lookup on the given flow.
|
|
|
|
|
*
|
|
|
|
|
* It returns a valid dst pointer on success, or a pointer encoded
|
|
|
|
|
* error code.
|
|
|
|
|
*/
|
2011-03-12 21:22:43 +00:00
|
|
|
struct dst_entry *ip6_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
|
2011-03-01 21:19:07 +00:00
|
|
|
const struct in6_addr *final_dst,
|
2011-03-01 22:32:04 +00:00
|
|
|
bool can_sleep)
|
2011-03-01 21:19:07 +00:00
|
|
|
{
|
|
|
|
|
struct dst_entry *dst = NULL;
|
|
|
|
|
int err;
|
|
|
|
|
|
2011-03-12 21:22:43 +00:00
|
|
|
err = ip6_dst_lookup_tail(sk, &dst, fl6);
|
2011-03-01 21:19:07 +00:00
|
|
|
if (err)
|
|
|
|
|
return ERR_PTR(err);
|
|
|
|
|
if (final_dst)
|
2011-11-21 03:39:03 +00:00
|
|
|
fl6->daddr = *final_dst;
|
2011-03-01 22:59:04 +00:00
|
|
|
if (can_sleep)
|
2011-03-12 21:22:43 +00:00
|
|
|
fl6->flowi6_flags |= FLOWI_FLAG_CAN_SLEEP;
|
2011-03-01 22:59:04 +00:00
|
|
|
|
2011-03-12 21:22:43 +00:00
|
|
|
return xfrm_lookup(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0);
|
2011-03-01 21:19:07 +00:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(ip6_dst_lookup_flow);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* ip6_sk_dst_lookup_flow - perform socket cached route lookup on flow
|
2006-07-31 03:19:33 +00:00
|
|
|
* @sk: socket which provides the dst cache and route info
|
2011-03-12 21:22:43 +00:00
|
|
|
* @fl6: flow to lookup
|
2011-03-01 21:19:07 +00:00
|
|
|
* @final_dst: final destination address for ipsec lookup
|
2011-03-01 22:32:04 +00:00
|
|
|
* @can_sleep: we are in a sleepable context
|
2006-07-31 03:19:33 +00:00
|
|
|
*
|
|
|
|
|
* This function performs a route lookup on the given flow with the
|
|
|
|
|
* possibility of using the cached route in the socket if it is valid.
|
|
|
|
|
* It will take the socket dst lock when operating on the dst cache.
|
|
|
|
|
* As a result, this function can only be used in process context.
|
|
|
|
|
*
|
2011-03-01 21:19:07 +00:00
|
|
|
* It returns a valid dst pointer on success, or a pointer encoded
|
|
|
|
|
* error code.
|
2006-07-31 03:19:33 +00:00
|
|
|
*/
|
2011-03-12 21:22:43 +00:00
|
|
|
struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
|
2011-03-01 21:19:07 +00:00
|
|
|
const struct in6_addr *final_dst,
|
2011-03-01 22:32:04 +00:00
|
|
|
bool can_sleep)
|
2006-07-31 03:19:33 +00:00
|
|
|
{
|
2011-03-01 21:19:07 +00:00
|
|
|
struct dst_entry *dst = sk_dst_check(sk, inet6_sk(sk)->dst_cookie);
|
|
|
|
|
int err;
|
2006-07-31 03:19:33 +00:00
|
|
|
|
2011-03-12 21:22:43 +00:00
|
|
|
dst = ip6_sk_dst_check(sk, dst, fl6);
|
2011-03-01 21:19:07 +00:00
|
|
|
|
2011-03-12 21:22:43 +00:00
|
|
|
err = ip6_dst_lookup_tail(sk, &dst, fl6);
|
2011-03-01 21:19:07 +00:00
|
|
|
if (err)
|
|
|
|
|
return ERR_PTR(err);
|
|
|
|
|
if (final_dst)
|
2011-11-21 03:39:03 +00:00
|
|
|
fl6->daddr = *final_dst;
|
2011-03-01 22:59:04 +00:00
|
|
|
if (can_sleep)
|
2011-03-12 21:22:43 +00:00
|
|
|
fl6->flowi6_flags |= FLOWI_FLAG_CAN_SLEEP;
|
2011-03-01 22:59:04 +00:00
|
|
|
|
2011-03-12 21:22:43 +00:00
|
|
|
return xfrm_lookup(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0);
|
2006-07-31 03:19:33 +00:00
|
|
|
}
|
2011-03-01 21:19:07 +00:00
|
|
|
EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup_flow);
|
2006-07-31 03:19:33 +00:00
|
|
|
|
2005-11-30 00:28:56 +00:00
|
|
|
static inline int ip6_ufo_append_data(struct sock *sk,
|
2005-10-18 22:46:41 +00:00
|
|
|
int getfrag(void *from, char *to, int offset, int len,
|
|
|
|
|
int odd, struct sk_buff *skb),
|
|
|
|
|
void *from, int length, int hh_len, int fragheaderlen,
|
2011-07-22 04:25:58 +00:00
|
|
|
int transhdrlen, int mtu,unsigned int flags,
|
|
|
|
|
struct rt6_info *rt)
|
2005-10-18 22:46:41 +00:00
|
|
|
|
|
|
|
|
{
|
|
|
|
|
struct sk_buff *skb;
|
|
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
/* There is support for UDP large send offload by network
|
|
|
|
|
* device, so create one single skb packet containing complete
|
|
|
|
|
* udp datagram
|
|
|
|
|
*/
|
|
|
|
|
if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) {
|
2013-09-21 04:27:00 +00:00
|
|
|
struct frag_hdr fhdr;
|
|
|
|
|
|
2005-10-18 22:46:41 +00:00
|
|
|
skb = sock_alloc_send_skb(sk,
|
|
|
|
|
hh_len + fragheaderlen + transhdrlen + 20,
|
|
|
|
|
(flags & MSG_DONTWAIT), &err);
|
|
|
|
|
if (skb == NULL)
|
2011-10-28 04:26:00 +00:00
|
|
|
return err;
|
2005-10-18 22:46:41 +00:00
|
|
|
|
|
|
|
|
/* reserve space for Hardware header */
|
|
|
|
|
skb_reserve(skb, hh_len);
|
|
|
|
|
|
|
|
|
|
/* create space for UDP/IP header */
|
|
|
|
|
skb_put(skb,fragheaderlen + transhdrlen);
|
|
|
|
|
|
|
|
|
|
/* initialize network header pointer */
|
2007-04-11 03:45:18 +00:00
|
|
|
skb_reset_network_header(skb);
|
2005-10-18 22:46:41 +00:00
|
|
|
|
|
|
|
|
/* initialize protocol header pointer */
|
2007-04-11 04:21:55 +00:00
|
|
|
skb->transport_header = skb->network_header + fragheaderlen;
|
2005-10-18 22:46:41 +00:00
|
|
|
|
2006-08-29 23:44:56 +00:00
|
|
|
skb->ip_summed = CHECKSUM_PARTIAL;
|
2005-10-18 22:46:41 +00:00
|
|
|
skb->csum = 0;
|
|
|
|
|
|
2009-07-09 08:09:58 +00:00
|
|
|
/* Specify the length of each IPv6 datagram fragment.
|
|
|
|
|
* It has to be a multiple of 8.
|
|
|
|
|
*/
|
|
|
|
|
skb_shinfo(skb)->gso_size = (mtu - fragheaderlen -
|
|
|
|
|
sizeof(struct frag_hdr)) & ~7;
|
2006-06-30 20:37:03 +00:00
|
|
|
skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
|
2011-07-22 04:25:58 +00:00
|
|
|
ipv6_select_ident(&fhdr, rt);
|
2005-10-18 22:46:41 +00:00
|
|
|
skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
|
|
|
|
|
__skb_queue_tail(&sk->sk_write_queue, skb);
|
|
|
|
|
}
|
|
|
|
|
|
2013-09-21 04:27:00 +00:00
|
|
|
return skb_append_datato_frags(sk, skb, getfrag, from,
|
|
|
|
|
(length - transhdrlen));
|
2005-10-18 22:46:41 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2009-02-05 23:15:50 +00:00
|
|
|
static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
|
|
|
|
|
gfp_t gfp)
|
|
|
|
|
{
|
|
|
|
|
return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src,
|
|
|
|
|
gfp_t gfp)
|
|
|
|
|
{
|
|
|
|
|
return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2013-07-02 06:04:05 +00:00
|
|
|
static void ip6_append_data_mtu(unsigned int *mtu,
|
2012-05-26 01:30:53 +00:00
|
|
|
int *maxfraglen,
|
|
|
|
|
unsigned int fragheaderlen,
|
|
|
|
|
struct sk_buff *skb,
|
2013-07-02 06:04:05 +00:00
|
|
|
struct rt6_info *rt,
|
ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly
[ Upstream commit e367c2d03dba4c9bcafad24688fadb79dd95b218 ]
In ip6_append_data_mtu(), when the xfrm mode is not tunnel(such as
transport),the ipsec header need to be added in the first fragment, so the mtu
will decrease to reserve space for it, then the second fragment come, the mtu
should be turn back, as the commit 0c1833797a5a6ec23ea9261d979aa18078720b74
said. however, in the commit a493e60ac4bbe2e977e7129d6d8cbb0dd236be, it use
*mtu = min(*mtu, ...) to change the mtu, which lead to the new mtu is alway
equal with the first fragment's. and cannot turn back.
when I test through ping6 -c1 -s5000 $ip (mtu=1280):
...frag (0|1232) ESP(spi=0x00002000,seq=0xb), length 1232
...frag (1232|1216)
...frag (2448|1216)
...frag (3664|1216)
...frag (4880|164)
which should be:
...frag (0|1232) ESP(spi=0x00001000,seq=0x1), length 1232
...frag (1232|1232)
...frag (2464|1232)
...frag (3696|1232)
...frag (4928|116)
so delete the min() when change back the mtu.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Fixes: 75a493e60ac4bb ("ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size")
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-03-17 04:51:01 +00:00
|
|
|
unsigned int orig_mtu)
|
2012-05-26 01:30:53 +00:00
|
|
|
{
|
|
|
|
|
if (!(rt->dst.flags & DST_XFRM_TUNNEL)) {
|
|
|
|
|
if (skb == NULL) {
|
|
|
|
|
/* first fragment, reserve header_len */
|
ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly
[ Upstream commit e367c2d03dba4c9bcafad24688fadb79dd95b218 ]
In ip6_append_data_mtu(), when the xfrm mode is not tunnel(such as
transport),the ipsec header need to be added in the first fragment, so the mtu
will decrease to reserve space for it, then the second fragment come, the mtu
should be turn back, as the commit 0c1833797a5a6ec23ea9261d979aa18078720b74
said. however, in the commit a493e60ac4bbe2e977e7129d6d8cbb0dd236be, it use
*mtu = min(*mtu, ...) to change the mtu, which lead to the new mtu is alway
equal with the first fragment's. and cannot turn back.
when I test through ping6 -c1 -s5000 $ip (mtu=1280):
...frag (0|1232) ESP(spi=0x00002000,seq=0xb), length 1232
...frag (1232|1216)
...frag (2448|1216)
...frag (3664|1216)
...frag (4880|164)
which should be:
...frag (0|1232) ESP(spi=0x00001000,seq=0x1), length 1232
...frag (1232|1232)
...frag (2464|1232)
...frag (3696|1232)
...frag (4928|116)
so delete the min() when change back the mtu.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Fixes: 75a493e60ac4bb ("ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size")
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-03-17 04:51:01 +00:00
|
|
|
*mtu = orig_mtu - rt->dst.header_len;
|
2012-05-26 01:30:53 +00:00
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* this fragment is not first, the headers
|
|
|
|
|
* space is regarded as data space.
|
|
|
|
|
*/
|
ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly
[ Upstream commit e367c2d03dba4c9bcafad24688fadb79dd95b218 ]
In ip6_append_data_mtu(), when the xfrm mode is not tunnel(such as
transport),the ipsec header need to be added in the first fragment, so the mtu
will decrease to reserve space for it, then the second fragment come, the mtu
should be turn back, as the commit 0c1833797a5a6ec23ea9261d979aa18078720b74
said. however, in the commit a493e60ac4bbe2e977e7129d6d8cbb0dd236be, it use
*mtu = min(*mtu, ...) to change the mtu, which lead to the new mtu is alway
equal with the first fragment's. and cannot turn back.
when I test through ping6 -c1 -s5000 $ip (mtu=1280):
...frag (0|1232) ESP(spi=0x00002000,seq=0xb), length 1232
...frag (1232|1216)
...frag (2448|1216)
...frag (3664|1216)
...frag (4880|164)
which should be:
...frag (0|1232) ESP(spi=0x00001000,seq=0x1), length 1232
...frag (1232|1232)
...frag (2464|1232)
...frag (3696|1232)
...frag (4928|116)
so delete the min() when change back the mtu.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Fixes: 75a493e60ac4bb ("ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size")
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-03-17 04:51:01 +00:00
|
|
|
*mtu = orig_mtu;
|
2012-05-26 01:30:53 +00:00
|
|
|
}
|
|
|
|
|
*maxfraglen = ((*mtu - fragheaderlen) & ~7)
|
|
|
|
|
+ fragheaderlen - sizeof(struct frag_hdr);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2005-09-08 01:19:03 +00:00
|
|
|
int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
|
|
|
|
|
int offset, int len, int odd, struct sk_buff *skb),
|
|
|
|
|
void *from, int length, int transhdrlen,
|
2011-03-12 21:22:43 +00:00
|
|
|
int hlimit, int tclass, struct ipv6_txoptions *opt, struct flowi6 *fl6,
|
2010-04-23 11:26:08 +00:00
|
|
|
struct rt6_info *rt, unsigned int flags, int dontfrag)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
struct inet_sock *inet = inet_sk(sk);
|
|
|
|
|
struct ipv6_pinfo *np = inet6_sk(sk);
|
2011-05-06 22:02:07 +00:00
|
|
|
struct inet_cork *cork;
|
2012-05-26 01:30:53 +00:00
|
|
|
struct sk_buff *skb, *skb_prev = NULL;
|
ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly
[ Upstream commit e367c2d03dba4c9bcafad24688fadb79dd95b218 ]
In ip6_append_data_mtu(), when the xfrm mode is not tunnel(such as
transport),the ipsec header need to be added in the first fragment, so the mtu
will decrease to reserve space for it, then the second fragment come, the mtu
should be turn back, as the commit 0c1833797a5a6ec23ea9261d979aa18078720b74
said. however, in the commit a493e60ac4bbe2e977e7129d6d8cbb0dd236be, it use
*mtu = min(*mtu, ...) to change the mtu, which lead to the new mtu is alway
equal with the first fragment's. and cannot turn back.
when I test through ping6 -c1 -s5000 $ip (mtu=1280):
...frag (0|1232) ESP(spi=0x00002000,seq=0xb), length 1232
...frag (1232|1216)
...frag (2448|1216)
...frag (3664|1216)
...frag (4880|164)
which should be:
...frag (0|1232) ESP(spi=0x00001000,seq=0x1), length 1232
...frag (1232|1232)
...frag (2464|1232)
...frag (3696|1232)
...frag (4928|116)
so delete the min() when change back the mtu.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Fixes: 75a493e60ac4bb ("ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size")
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-03-17 04:51:01 +00:00
|
|
|
unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu;
|
2005-04-16 22:20:36 +00:00
|
|
|
int exthdrlen;
|
2011-10-11 01:43:33 +00:00
|
|
|
int dst_exthdrlen;
|
2005-04-16 22:20:36 +00:00
|
|
|
int hh_len;
|
|
|
|
|
int copy;
|
|
|
|
|
int err;
|
|
|
|
|
int offset = 0;
|
2011-02-28 20:32:11 +00:00
|
|
|
__u8 tx_flags = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (flags&MSG_PROBE)
|
|
|
|
|
return 0;
|
2011-05-06 22:02:07 +00:00
|
|
|
cork = &inet->cork.base;
|
2005-04-16 22:20:36 +00:00
|
|
|
if (skb_queue_empty(&sk->sk_write_queue)) {
|
|
|
|
|
/*
|
|
|
|
|
* setup for corking
|
|
|
|
|
*/
|
|
|
|
|
if (opt) {
|
2009-02-05 23:15:50 +00:00
|
|
|
if (WARN_ON(np->cork.opt))
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EINVAL;
|
2009-02-05 23:15:50 +00:00
|
|
|
|
2013-05-17 04:53:13 +00:00
|
|
|
np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation);
|
2009-02-05 23:15:50 +00:00
|
|
|
if (unlikely(np->cork.opt == NULL))
|
|
|
|
|
return -ENOBUFS;
|
|
|
|
|
|
|
|
|
|
np->cork.opt->tot_len = opt->tot_len;
|
|
|
|
|
np->cork.opt->opt_flen = opt->opt_flen;
|
|
|
|
|
np->cork.opt->opt_nflen = opt->opt_nflen;
|
|
|
|
|
|
|
|
|
|
np->cork.opt->dst0opt = ip6_opt_dup(opt->dst0opt,
|
|
|
|
|
sk->sk_allocation);
|
|
|
|
|
if (opt->dst0opt && !np->cork.opt->dst0opt)
|
|
|
|
|
return -ENOBUFS;
|
|
|
|
|
|
|
|
|
|
np->cork.opt->dst1opt = ip6_opt_dup(opt->dst1opt,
|
|
|
|
|
sk->sk_allocation);
|
|
|
|
|
if (opt->dst1opt && !np->cork.opt->dst1opt)
|
|
|
|
|
return -ENOBUFS;
|
|
|
|
|
|
|
|
|
|
np->cork.opt->hopopt = ip6_opt_dup(opt->hopopt,
|
|
|
|
|
sk->sk_allocation);
|
|
|
|
|
if (opt->hopopt && !np->cork.opt->hopopt)
|
|
|
|
|
return -ENOBUFS;
|
|
|
|
|
|
|
|
|
|
np->cork.opt->srcrt = ip6_rthdr_dup(opt->srcrt,
|
|
|
|
|
sk->sk_allocation);
|
|
|
|
|
if (opt->srcrt && !np->cork.opt->srcrt)
|
|
|
|
|
return -ENOBUFS;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* need source address above miyazawa*/
|
|
|
|
|
}
|
2010-06-11 06:31:35 +00:00
|
|
|
dst_hold(&rt->dst);
|
2011-05-06 22:02:07 +00:00
|
|
|
cork->dst = &rt->dst;
|
2011-03-12 21:22:43 +00:00
|
|
|
inet->cork.fl.u.ip6 = *fl6;
|
2005-04-16 22:20:36 +00:00
|
|
|
np->cork.hop_limit = hlimit;
|
2005-09-08 01:19:03 +00:00
|
|
|
np->cork.tclass = tclass;
|
2012-05-26 01:30:53 +00:00
|
|
|
if (rt->dst.flags & DST_XFRM_TUNNEL)
|
|
|
|
|
mtu = np->pmtudisc == IPV6_PMTUDISC_PROBE ?
|
2018-03-06 10:13:54 +00:00
|
|
|
READ_ONCE(rt->dst.dev->mtu) : dst_mtu(&rt->dst);
|
2012-05-26 01:30:53 +00:00
|
|
|
else
|
|
|
|
|
mtu = np->pmtudisc == IPV6_PMTUDISC_PROBE ?
|
2018-03-06 10:13:54 +00:00
|
|
|
READ_ONCE(rt->dst.dev->mtu) : dst_mtu(rt->dst.path);
|
2006-03-21 06:44:52 +00:00
|
|
|
if (np->frag_size < mtu) {
|
2006-02-24 21:18:33 +00:00
|
|
|
if (np->frag_size)
|
|
|
|
|
mtu = np->frag_size;
|
|
|
|
|
}
|
2018-01-10 17:45:10 +00:00
|
|
|
if (mtu < IPV6_MIN_MTU)
|
|
|
|
|
return -EINVAL;
|
2011-05-06 22:02:07 +00:00
|
|
|
cork->fragsize = mtu;
|
2010-06-11 06:31:35 +00:00
|
|
|
if (dst_allfrag(rt->dst.path))
|
2011-05-06 22:02:07 +00:00
|
|
|
cork->flags |= IPCORK_ALLFRAG;
|
|
|
|
|
cork->length = 0;
|
2013-01-16 12:47:40 +00:00
|
|
|
exthdrlen = (opt ? opt->opt_flen : 0);
|
2005-04-16 22:20:36 +00:00
|
|
|
length += exthdrlen;
|
|
|
|
|
transhdrlen += exthdrlen;
|
2013-01-16 12:47:40 +00:00
|
|
|
dst_exthdrlen = rt->dst.header_len - rt->rt6i_nfheader_len;
|
2005-04-16 22:20:36 +00:00
|
|
|
} else {
|
2011-05-06 22:02:07 +00:00
|
|
|
rt = (struct rt6_info *)cork->dst;
|
2011-03-12 21:22:43 +00:00
|
|
|
fl6 = &inet->cork.fl.u.ip6;
|
2009-02-05 23:15:50 +00:00
|
|
|
opt = np->cork.opt;
|
2005-04-16 22:20:36 +00:00
|
|
|
transhdrlen = 0;
|
|
|
|
|
exthdrlen = 0;
|
2011-10-11 01:43:33 +00:00
|
|
|
dst_exthdrlen = 0;
|
2011-05-06 22:02:07 +00:00
|
|
|
mtu = cork->fragsize;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly
[ Upstream commit e367c2d03dba4c9bcafad24688fadb79dd95b218 ]
In ip6_append_data_mtu(), when the xfrm mode is not tunnel(such as
transport),the ipsec header need to be added in the first fragment, so the mtu
will decrease to reserve space for it, then the second fragment come, the mtu
should be turn back, as the commit 0c1833797a5a6ec23ea9261d979aa18078720b74
said. however, in the commit a493e60ac4bbe2e977e7129d6d8cbb0dd236be, it use
*mtu = min(*mtu, ...) to change the mtu, which lead to the new mtu is alway
equal with the first fragment's. and cannot turn back.
when I test through ping6 -c1 -s5000 $ip (mtu=1280):
...frag (0|1232) ESP(spi=0x00002000,seq=0xb), length 1232
...frag (1232|1216)
...frag (2448|1216)
...frag (3664|1216)
...frag (4880|164)
which should be:
...frag (0|1232) ESP(spi=0x00001000,seq=0x1), length 1232
...frag (1232|1232)
...frag (2464|1232)
...frag (3696|1232)
...frag (4928|116)
so delete the min() when change back the mtu.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Fixes: 75a493e60ac4bb ("ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size")
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-03-17 04:51:01 +00:00
|
|
|
orig_mtu = mtu;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-06-11 06:31:35 +00:00
|
|
|
hh_len = LL_RESERVED_SPACE(rt->dst.dev);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-12-21 04:41:12 +00:00
|
|
|
fragheaderlen = sizeof(struct ipv6hdr) + rt->rt6i_nfheader_len +
|
2007-11-14 05:33:32 +00:00
|
|
|
(opt ? opt->opt_nflen : 0);
|
2005-04-16 22:20:36 +00:00
|
|
|
maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen - sizeof(struct frag_hdr);
|
|
|
|
|
|
|
|
|
|
if (mtu <= sizeof(struct ipv6hdr) + IPV6_MAXPLEN) {
|
2011-05-06 22:02:07 +00:00
|
|
|
if (cork->length + length > sizeof(struct ipv6hdr) + IPV6_MAXPLEN - fragheaderlen) {
|
2011-03-12 21:22:43 +00:00
|
|
|
ipv6_local_error(sk, EMSGSIZE, fl6, mtu-exthdrlen);
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EMSGSIZE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2011-02-28 20:32:11 +00:00
|
|
|
/* For UDP, check if TX timestamp is enabled */
|
2013-04-14 08:08:13 +00:00
|
|
|
if (sk->sk_type == SOCK_DGRAM)
|
|
|
|
|
sock_tx_timestamp(sk, &tx_flags);
|
2011-02-28 20:32:11 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
|
* Let's try using as much space as possible.
|
|
|
|
|
* Use MTU if total length of the message fits into the MTU.
|
|
|
|
|
* Otherwise, we need to reserve fragment header and
|
|
|
|
|
* fragment alignment (= 8-15 octects, in total).
|
|
|
|
|
*
|
|
|
|
|
* Note that we may need to "move" the data from the tail of
|
2007-02-09 14:24:49 +00:00
|
|
|
* of the buffer to the new fragment when we split
|
2005-04-16 22:20:36 +00:00
|
|
|
* the message.
|
|
|
|
|
*
|
2007-02-09 14:24:49 +00:00
|
|
|
* FIXME: It may be fragmented into multiple chunks
|
2005-04-16 22:20:36 +00:00
|
|
|
* at once if non-fragmentable extension headers
|
|
|
|
|
* are too large.
|
2007-02-09 14:24:49 +00:00
|
|
|
* --yoshfuji
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
|
|
|
|
|
2013-09-21 04:27:00 +00:00
|
|
|
if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP ||
|
|
|
|
|
sk->sk_protocol == IPPROTO_RAW)) {
|
|
|
|
|
ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
|
|
|
|
|
return -EMSGSIZE;
|
|
|
|
|
}
|
2010-04-23 11:26:09 +00:00
|
|
|
|
2013-09-21 04:27:00 +00:00
|
|
|
skb = skb_peek_tail(&sk->sk_write_queue);
|
|
|
|
|
cork->length += length;
|
2017-08-10 16:29:19 +00:00
|
|
|
if ((skb && skb_has_frags(skb)) ||
|
|
|
|
|
(((length + fragheaderlen) > mtu) &&
|
|
|
|
|
(skb_queue_len(&sk->sk_write_queue) <= 1) &&
|
2013-09-21 04:27:00 +00:00
|
|
|
(sk->sk_protocol == IPPROTO_UDP) &&
|
udp: avoid ufo handling on IP payload compression packets
commit 4b3b45edba9222e518a1ec72df841eba3609fe34 upstream.
commit c146066ab802 ("ipv4: Don't use ufo handling on later transformed
packets") and commit f89c56ce710a ("ipv6: Don't use ufo handling on
later transformed packets") added a check that 'rt->dst.header_len' isn't
zero in order to skip UFO, but it doesn't include IPcomp in transport mode
where it equals zero.
Packets, after payload compression, may not require further fragmentation,
and if original length exceeds MTU, later compressed packets will be
transmitted incorrectly. This can be reproduced with LTP udp_ipsec.sh test
on veth device with enabled UFO, MTU is 1500 and UDP payload is 2000:
* IPv4 case, offset is wrong + unnecessary fragmentation
udp_ipsec.sh -p comp -m transport -s 2000 &
tcpdump -ni ltp_ns_veth2
...
IP (tos 0x0, ttl 64, id 45203, offset 0, flags [+],
proto Compressed IP (108), length 49)
10.0.0.2 > 10.0.0.1: IPComp(cpi=0x1000)
IP (tos 0x0, ttl 64, id 45203, offset 1480, flags [none],
proto UDP (17), length 21) 10.0.0.2 > 10.0.0.1: ip-proto-17
* IPv6 case, sending small fragments
udp_ipsec.sh -6 -p comp -m transport -s 2000 &
tcpdump -ni ltp_ns_veth2
...
IP6 (flowlabel 0x6b9ba, hlim 64, next-header Compressed IP (108)
payload length: 37) fd00::2 > fd00::1: IPComp(cpi=0x1000)
IP6 (flowlabel 0x6b9ba, hlim 64, next-header Compressed IP (108)
payload length: 21) fd00::2 > fd00::1: IPComp(cpi=0x1000)
Fix it by checking 'rt->dst.xfrm' pointer to 'xfrm_state' struct, skip UFO
if xfrm is set. So the new check will include both cases: IPcomp and IPsec.
Fixes: c146066ab802 ("ipv4: Don't use ufo handling on later transformed packets")
Fixes: f89c56ce710a ("ipv6: Don't use ufo handling on later transformed packets")
Change-Id: Ia9e6b6fb41dcfcc8a29be44a7cae8111a257f0cb
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2017-03-09 10:56:46 +00:00
|
|
|
(rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
|
2017-08-10 16:29:19 +00:00
|
|
|
(sk->sk_type == SOCK_DGRAM))) {
|
2013-09-21 04:27:00 +00:00
|
|
|
err = ip6_ufo_append_data(sk, getfrag, from, length,
|
|
|
|
|
hh_len, fragheaderlen,
|
|
|
|
|
transhdrlen, mtu, flags, rt);
|
|
|
|
|
if (err)
|
|
|
|
|
goto error;
|
|
|
|
|
return 0;
|
2005-10-18 22:46:41 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2013-09-21 04:27:00 +00:00
|
|
|
if (!skb)
|
2005-04-16 22:20:36 +00:00
|
|
|
goto alloc_new_skb;
|
|
|
|
|
|
|
|
|
|
while (length > 0) {
|
|
|
|
|
/* Check if the remaining data fits into current packet. */
|
2011-05-06 22:02:07 +00:00
|
|
|
copy = (cork->length <= mtu && !(cork->flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - skb->len;
|
2005-04-16 22:20:36 +00:00
|
|
|
if (copy < length)
|
|
|
|
|
copy = maxfraglen - skb->len;
|
|
|
|
|
|
|
|
|
|
if (copy <= 0) {
|
|
|
|
|
char *data;
|
|
|
|
|
unsigned int datalen;
|
|
|
|
|
unsigned int fraglen;
|
|
|
|
|
unsigned int fraggap;
|
|
|
|
|
unsigned int alloclen;
|
|
|
|
|
alloc_new_skb:
|
|
|
|
|
/* There's no room in the current skb */
|
2012-05-26 01:30:53 +00:00
|
|
|
if (skb)
|
|
|
|
|
fraggap = skb->len - maxfraglen;
|
2005-04-16 22:20:36 +00:00
|
|
|
else
|
|
|
|
|
fraggap = 0;
|
2012-05-26 01:30:53 +00:00
|
|
|
/* update mtu and maxfraglen if necessary */
|
|
|
|
|
if (skb == NULL || skb_prev == NULL)
|
|
|
|
|
ip6_append_data_mtu(&mtu, &maxfraglen,
|
2013-07-02 06:04:05 +00:00
|
|
|
fragheaderlen, skb, rt,
|
ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly
[ Upstream commit e367c2d03dba4c9bcafad24688fadb79dd95b218 ]
In ip6_append_data_mtu(), when the xfrm mode is not tunnel(such as
transport),the ipsec header need to be added in the first fragment, so the mtu
will decrease to reserve space for it, then the second fragment come, the mtu
should be turn back, as the commit 0c1833797a5a6ec23ea9261d979aa18078720b74
said. however, in the commit a493e60ac4bbe2e977e7129d6d8cbb0dd236be, it use
*mtu = min(*mtu, ...) to change the mtu, which lead to the new mtu is alway
equal with the first fragment's. and cannot turn back.
when I test through ping6 -c1 -s5000 $ip (mtu=1280):
...frag (0|1232) ESP(spi=0x00002000,seq=0xb), length 1232
...frag (1232|1216)
...frag (2448|1216)
...frag (3664|1216)
...frag (4880|164)
which should be:
...frag (0|1232) ESP(spi=0x00001000,seq=0x1), length 1232
...frag (1232|1232)
...frag (2464|1232)
...frag (3696|1232)
...frag (4928|116)
so delete the min() when change back the mtu.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Fixes: 75a493e60ac4bb ("ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size")
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-03-17 04:51:01 +00:00
|
|
|
orig_mtu);
|
2012-05-26 01:30:53 +00:00
|
|
|
|
|
|
|
|
skb_prev = skb;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If remaining data exceeds the mtu,
|
|
|
|
|
* we know we need more fragment(s).
|
|
|
|
|
*/
|
|
|
|
|
datalen = length + fraggap;
|
|
|
|
|
|
2012-05-26 01:30:53 +00:00
|
|
|
if (datalen > (cork->length <= mtu && !(cork->flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - fragheaderlen)
|
|
|
|
|
datalen = maxfraglen - fragheaderlen - rt->dst.trailer_len;
|
2005-04-16 22:20:36 +00:00
|
|
|
if ((flags & MSG_MORE) &&
|
2010-06-11 06:31:35 +00:00
|
|
|
!(rt->dst.dev->features&NETIF_F_SG))
|
2005-04-16 22:20:36 +00:00
|
|
|
alloclen = mtu;
|
|
|
|
|
else
|
|
|
|
|
alloclen = datalen + fragheaderlen;
|
|
|
|
|
|
2011-10-11 01:43:33 +00:00
|
|
|
alloclen += dst_exthdrlen;
|
|
|
|
|
|
2012-05-26 01:30:53 +00:00
|
|
|
if (datalen != length + fraggap) {
|
|
|
|
|
/*
|
|
|
|
|
* this is not the last fragment, the trailer
|
|
|
|
|
* space is regarded as data space.
|
|
|
|
|
*/
|
|
|
|
|
datalen += rt->dst.trailer_len;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
alloclen += rt->dst.trailer_len;
|
|
|
|
|
fraglen = datalen + fragheaderlen;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We just reserve space for fragment header.
|
2007-02-09 14:24:49 +00:00
|
|
|
* Note: this may be overallocation if the message
|
2005-04-16 22:20:36 +00:00
|
|
|
* (without MSG_MORE) fits into the MTU.
|
|
|
|
|
*/
|
|
|
|
|
alloclen += sizeof(struct frag_hdr);
|
|
|
|
|
|
2017-05-19 21:17:48 +00:00
|
|
|
copy = datalen - transhdrlen - fraggap;
|
|
|
|
|
if (copy < 0) {
|
|
|
|
|
err = -EINVAL;
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
if (transhdrlen) {
|
|
|
|
|
skb = sock_alloc_send_skb(sk,
|
|
|
|
|
alloclen + hh_len,
|
|
|
|
|
(flags & MSG_DONTWAIT), &err);
|
|
|
|
|
} else {
|
|
|
|
|
skb = NULL;
|
|
|
|
|
if (atomic_read(&sk->sk_wmem_alloc) <=
|
|
|
|
|
2 * sk->sk_sndbuf)
|
|
|
|
|
skb = sock_wmalloc(sk,
|
|
|
|
|
alloclen + hh_len, 1,
|
|
|
|
|
sk->sk_allocation);
|
|
|
|
|
if (unlikely(skb == NULL))
|
|
|
|
|
err = -ENOBUFS;
|
2011-02-28 20:32:11 +00:00
|
|
|
else {
|
|
|
|
|
/* Only the initial fragment
|
|
|
|
|
* is time stamped.
|
|
|
|
|
*/
|
|
|
|
|
tx_flags = 0;
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
if (skb == NULL)
|
|
|
|
|
goto error;
|
|
|
|
|
/*
|
|
|
|
|
* Fill in the control structures
|
|
|
|
|
*/
|
2014-09-30 12:50:55 +00:00
|
|
|
|
|
|
|
|
/* offload UDP checksum in case the packet is not
|
|
|
|
|
* a fragment (length <= mtu && transhdrlen) and the
|
|
|
|
|
* device supports it in its features.
|
|
|
|
|
*/
|
|
|
|
|
if ((rt->dst.dev->features &
|
|
|
|
|
NETIF_F_IPV6_UDP_CSUM) &&
|
|
|
|
|
(length <= mtu) && transhdrlen &&
|
|
|
|
|
(sk->sk_protocol == IPPROTO_UDP)) {
|
|
|
|
|
skb->ip_summed = CHECKSUM_PARTIAL;
|
|
|
|
|
} else {
|
|
|
|
|
skb->ip_summed = CHECKSUM_NONE;
|
|
|
|
|
skb->csum = 0;
|
|
|
|
|
}
|
2012-03-19 22:36:10 +00:00
|
|
|
/* reserve for fragmentation and ipsec header */
|
|
|
|
|
skb_reserve(skb, hh_len + sizeof(struct frag_hdr) +
|
|
|
|
|
dst_exthdrlen);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2011-02-28 20:32:11 +00:00
|
|
|
if (sk->sk_type == SOCK_DGRAM)
|
|
|
|
|
skb_shinfo(skb)->tx_flags = tx_flags;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
|
* Find where to start putting bytes
|
|
|
|
|
*/
|
2012-03-19 22:36:10 +00:00
|
|
|
data = skb_put(skb, fraglen);
|
|
|
|
|
skb_set_network_header(skb, exthdrlen);
|
|
|
|
|
data += fragheaderlen;
|
2007-04-11 04:21:55 +00:00
|
|
|
skb->transport_header = (skb->network_header +
|
|
|
|
|
fragheaderlen);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (fraggap) {
|
|
|
|
|
skb->csum = skb_copy_and_csum_bits(
|
|
|
|
|
skb_prev, maxfraglen,
|
|
|
|
|
data + transhdrlen, fraggap, 0);
|
|
|
|
|
skb_prev->csum = csum_sub(skb_prev->csum,
|
|
|
|
|
skb->csum);
|
|
|
|
|
data += fraggap;
|
2006-08-14 03:12:58 +00:00
|
|
|
pskb_trim_unique(skb_prev, maxfraglen);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2017-05-19 21:17:48 +00:00
|
|
|
if (copy > 0 &&
|
|
|
|
|
getfrag(from, data + transhdrlen, offset,
|
|
|
|
|
copy, fraggap, skb) < 0) {
|
2005-04-16 22:20:36 +00:00
|
|
|
err = -EFAULT;
|
|
|
|
|
kfree_skb(skb);
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
offset += copy;
|
|
|
|
|
length -= datalen - fraggap;
|
|
|
|
|
transhdrlen = 0;
|
|
|
|
|
exthdrlen = 0;
|
2011-10-11 01:43:33 +00:00
|
|
|
dst_exthdrlen = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Put the packet on the pending queue
|
|
|
|
|
*/
|
|
|
|
|
__skb_queue_tail(&sk->sk_write_queue, skb);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (copy > length)
|
|
|
|
|
copy = length;
|
|
|
|
|
|
2018-05-17 17:13:29 +00:00
|
|
|
if (!(rt->dst.dev->features&NETIF_F_SG) &&
|
|
|
|
|
skb_tailroom(skb) >= copy) {
|
2005-04-16 22:20:36 +00:00
|
|
|
unsigned int off;
|
|
|
|
|
|
|
|
|
|
off = skb->len;
|
|
|
|
|
if (getfrag(from, skb_put(skb, copy),
|
|
|
|
|
offset, copy, off, skb) < 0) {
|
|
|
|
|
__skb_trim(skb, off);
|
|
|
|
|
err = -EFAULT;
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
int i = skb_shinfo(skb)->nr_frags;
|
net: use a per task frag allocator
We currently use a per socket order-0 page cache for tcp_sendmsg()
operations.
This page is used to build fragments for skbs.
Its done to increase probability of coalescing small write() into
single segments in skbs still in write queue (not yet sent)
But it wastes a lot of memory for applications handling many mostly
idle sockets, since each socket holds one page in sk->sk_sndmsg_page
Its also quite inefficient to build TSO 64KB packets, because we need
about 16 pages per skb on arches where PAGE_SIZE = 4096, so we hit
page allocator more than wanted.
This patch adds a per task frag allocator and uses bigger pages,
if available. An automatic fallback is done in case of memory pressure.
(up to 32768 bytes per frag, thats order-3 pages on x86)
This increases TCP stream performance by 20% on loopback device,
but also benefits on other network devices, since 8x less frags are
mapped on transmit and unmapped on tx completion. Alexander Duyck
mentioned a probable performance win on systems with IOMMU enabled.
Its possible some SG enabled hardware cant cope with bigger fragments,
but their ndo_start_xmit() should already handle this, splitting a
fragment in sub fragments, since some arches have PAGE_SIZE=65536
Successfully tested on various ethernet devices.
(ixgbe, igb, bnx2x, tg3, mellanox mlx4)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Cc: Vijay Subramanian <subramanian.vijay@gmail.com>
Cc: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-23 23:04:42 +00:00
|
|
|
struct page_frag *pfrag = sk_page_frag(sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
net: use a per task frag allocator
We currently use a per socket order-0 page cache for tcp_sendmsg()
operations.
This page is used to build fragments for skbs.
Its done to increase probability of coalescing small write() into
single segments in skbs still in write queue (not yet sent)
But it wastes a lot of memory for applications handling many mostly
idle sockets, since each socket holds one page in sk->sk_sndmsg_page
Its also quite inefficient to build TSO 64KB packets, because we need
about 16 pages per skb on arches where PAGE_SIZE = 4096, so we hit
page allocator more than wanted.
This patch adds a per task frag allocator and uses bigger pages,
if available. An automatic fallback is done in case of memory pressure.
(up to 32768 bytes per frag, thats order-3 pages on x86)
This increases TCP stream performance by 20% on loopback device,
but also benefits on other network devices, since 8x less frags are
mapped on transmit and unmapped on tx completion. Alexander Duyck
mentioned a probable performance win on systems with IOMMU enabled.
Its possible some SG enabled hardware cant cope with bigger fragments,
but their ndo_start_xmit() should already handle this, splitting a
fragment in sub fragments, since some arches have PAGE_SIZE=65536
Successfully tested on various ethernet devices.
(ixgbe, igb, bnx2x, tg3, mellanox mlx4)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Cc: Vijay Subramanian <subramanian.vijay@gmail.com>
Cc: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-23 23:04:42 +00:00
|
|
|
err = -ENOMEM;
|
|
|
|
|
if (!sk_page_frag_refill(sk, pfrag))
|
2005-04-16 22:20:36 +00:00
|
|
|
goto error;
|
net: use a per task frag allocator
We currently use a per socket order-0 page cache for tcp_sendmsg()
operations.
This page is used to build fragments for skbs.
Its done to increase probability of coalescing small write() into
single segments in skbs still in write queue (not yet sent)
But it wastes a lot of memory for applications handling many mostly
idle sockets, since each socket holds one page in sk->sk_sndmsg_page
Its also quite inefficient to build TSO 64KB packets, because we need
about 16 pages per skb on arches where PAGE_SIZE = 4096, so we hit
page allocator more than wanted.
This patch adds a per task frag allocator and uses bigger pages,
if available. An automatic fallback is done in case of memory pressure.
(up to 32768 bytes per frag, thats order-3 pages on x86)
This increases TCP stream performance by 20% on loopback device,
but also benefits on other network devices, since 8x less frags are
mapped on transmit and unmapped on tx completion. Alexander Duyck
mentioned a probable performance win on systems with IOMMU enabled.
Its possible some SG enabled hardware cant cope with bigger fragments,
but their ndo_start_xmit() should already handle this, splitting a
fragment in sub fragments, since some arches have PAGE_SIZE=65536
Successfully tested on various ethernet devices.
(ixgbe, igb, bnx2x, tg3, mellanox mlx4)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Cc: Vijay Subramanian <subramanian.vijay@gmail.com>
Cc: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-23 23:04:42 +00:00
|
|
|
|
|
|
|
|
if (!skb_can_coalesce(skb, i, pfrag->page,
|
|
|
|
|
pfrag->offset)) {
|
|
|
|
|
err = -EMSGSIZE;
|
|
|
|
|
if (i == MAX_SKB_FRAGS)
|
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
|
|
__skb_fill_page_desc(skb, i, pfrag->page,
|
|
|
|
|
pfrag->offset, 0);
|
|
|
|
|
skb_shinfo(skb)->nr_frags = ++i;
|
|
|
|
|
get_page(pfrag->page);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
net: use a per task frag allocator
We currently use a per socket order-0 page cache for tcp_sendmsg()
operations.
This page is used to build fragments for skbs.
Its done to increase probability of coalescing small write() into
single segments in skbs still in write queue (not yet sent)
But it wastes a lot of memory for applications handling many mostly
idle sockets, since each socket holds one page in sk->sk_sndmsg_page
Its also quite inefficient to build TSO 64KB packets, because we need
about 16 pages per skb on arches where PAGE_SIZE = 4096, so we hit
page allocator more than wanted.
This patch adds a per task frag allocator and uses bigger pages,
if available. An automatic fallback is done in case of memory pressure.
(up to 32768 bytes per frag, thats order-3 pages on x86)
This increases TCP stream performance by 20% on loopback device,
but also benefits on other network devices, since 8x less frags are
mapped on transmit and unmapped on tx completion. Alexander Duyck
mentioned a probable performance win on systems with IOMMU enabled.
Its possible some SG enabled hardware cant cope with bigger fragments,
but their ndo_start_xmit() should already handle this, splitting a
fragment in sub fragments, since some arches have PAGE_SIZE=65536
Successfully tested on various ethernet devices.
(ixgbe, igb, bnx2x, tg3, mellanox mlx4)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Cc: Vijay Subramanian <subramanian.vijay@gmail.com>
Cc: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-23 23:04:42 +00:00
|
|
|
copy = min_t(int, copy, pfrag->size - pfrag->offset);
|
2011-10-18 21:00:24 +00:00
|
|
|
if (getfrag(from,
|
net: use a per task frag allocator
We currently use a per socket order-0 page cache for tcp_sendmsg()
operations.
This page is used to build fragments for skbs.
Its done to increase probability of coalescing small write() into
single segments in skbs still in write queue (not yet sent)
But it wastes a lot of memory for applications handling many mostly
idle sockets, since each socket holds one page in sk->sk_sndmsg_page
Its also quite inefficient to build TSO 64KB packets, because we need
about 16 pages per skb on arches where PAGE_SIZE = 4096, so we hit
page allocator more than wanted.
This patch adds a per task frag allocator and uses bigger pages,
if available. An automatic fallback is done in case of memory pressure.
(up to 32768 bytes per frag, thats order-3 pages on x86)
This increases TCP stream performance by 20% on loopback device,
but also benefits on other network devices, since 8x less frags are
mapped on transmit and unmapped on tx completion. Alexander Duyck
mentioned a probable performance win on systems with IOMMU enabled.
Its possible some SG enabled hardware cant cope with bigger fragments,
but their ndo_start_xmit() should already handle this, splitting a
fragment in sub fragments, since some arches have PAGE_SIZE=65536
Successfully tested on various ethernet devices.
(ixgbe, igb, bnx2x, tg3, mellanox mlx4)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Cc: Vijay Subramanian <subramanian.vijay@gmail.com>
Cc: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-23 23:04:42 +00:00
|
|
|
page_address(pfrag->page) + pfrag->offset,
|
|
|
|
|
offset, copy, skb->len, skb) < 0)
|
|
|
|
|
goto error_efault;
|
|
|
|
|
|
|
|
|
|
pfrag->offset += copy;
|
|
|
|
|
skb_frag_size_add(&skb_shinfo(skb)->frags[i - 1], copy);
|
2005-04-16 22:20:36 +00:00
|
|
|
skb->len += copy;
|
|
|
|
|
skb->data_len += copy;
|
2008-01-23 06:39:26 +00:00
|
|
|
skb->truesize += copy;
|
|
|
|
|
atomic_add(copy, &sk->sk_wmem_alloc);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
offset += copy;
|
|
|
|
|
length -= copy;
|
|
|
|
|
}
|
net: use a per task frag allocator
We currently use a per socket order-0 page cache for tcp_sendmsg()
operations.
This page is used to build fragments for skbs.
Its done to increase probability of coalescing small write() into
single segments in skbs still in write queue (not yet sent)
But it wastes a lot of memory for applications handling many mostly
idle sockets, since each socket holds one page in sk->sk_sndmsg_page
Its also quite inefficient to build TSO 64KB packets, because we need
about 16 pages per skb on arches where PAGE_SIZE = 4096, so we hit
page allocator more than wanted.
This patch adds a per task frag allocator and uses bigger pages,
if available. An automatic fallback is done in case of memory pressure.
(up to 32768 bytes per frag, thats order-3 pages on x86)
This increases TCP stream performance by 20% on loopback device,
but also benefits on other network devices, since 8x less frags are
mapped on transmit and unmapped on tx completion. Alexander Duyck
mentioned a probable performance win on systems with IOMMU enabled.
Its possible some SG enabled hardware cant cope with bigger fragments,
but their ndo_start_xmit() should already handle this, splitting a
fragment in sub fragments, since some arches have PAGE_SIZE=65536
Successfully tested on various ethernet devices.
(ixgbe, igb, bnx2x, tg3, mellanox mlx4)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Cc: Vijay Subramanian <subramanian.vijay@gmail.com>
Cc: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-23 23:04:42 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
net: use a per task frag allocator
We currently use a per socket order-0 page cache for tcp_sendmsg()
operations.
This page is used to build fragments for skbs.
Its done to increase probability of coalescing small write() into
single segments in skbs still in write queue (not yet sent)
But it wastes a lot of memory for applications handling many mostly
idle sockets, since each socket holds one page in sk->sk_sndmsg_page
Its also quite inefficient to build TSO 64KB packets, because we need
about 16 pages per skb on arches where PAGE_SIZE = 4096, so we hit
page allocator more than wanted.
This patch adds a per task frag allocator and uses bigger pages,
if available. An automatic fallback is done in case of memory pressure.
(up to 32768 bytes per frag, thats order-3 pages on x86)
This increases TCP stream performance by 20% on loopback device,
but also benefits on other network devices, since 8x less frags are
mapped on transmit and unmapped on tx completion. Alexander Duyck
mentioned a probable performance win on systems with IOMMU enabled.
Its possible some SG enabled hardware cant cope with bigger fragments,
but their ndo_start_xmit() should already handle this, splitting a
fragment in sub fragments, since some arches have PAGE_SIZE=65536
Successfully tested on various ethernet devices.
(ixgbe, igb, bnx2x, tg3, mellanox mlx4)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Cc: Vijay Subramanian <subramanian.vijay@gmail.com>
Cc: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-23 23:04:42 +00:00
|
|
|
|
|
|
|
|
error_efault:
|
|
|
|
|
err = -EFAULT;
|
2005-04-16 22:20:36 +00:00
|
|
|
error:
|
2011-05-06 22:02:07 +00:00
|
|
|
cork->length -= length;
|
2008-10-08 17:54:51 +00:00
|
|
|
IP6_INC_STATS(sock_net(sk), rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS);
|
2005-04-16 22:20:36 +00:00
|
|
|
return err;
|
|
|
|
|
}
|
2012-04-29 21:48:53 +00:00
|
|
|
EXPORT_SYMBOL_GPL(ip6_append_data);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-11-06 05:04:31 +00:00
|
|
|
static void ip6_cork_release(struct inet_sock *inet, struct ipv6_pinfo *np)
|
|
|
|
|
{
|
2009-02-05 23:15:50 +00:00
|
|
|
if (np->cork.opt) {
|
|
|
|
|
kfree(np->cork.opt->dst0opt);
|
|
|
|
|
kfree(np->cork.opt->dst1opt);
|
|
|
|
|
kfree(np->cork.opt->hopopt);
|
|
|
|
|
kfree(np->cork.opt->srcrt);
|
|
|
|
|
kfree(np->cork.opt);
|
|
|
|
|
np->cork.opt = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2011-05-06 22:02:07 +00:00
|
|
|
if (inet->cork.base.dst) {
|
|
|
|
|
dst_release(inet->cork.base.dst);
|
|
|
|
|
inet->cork.base.dst = NULL;
|
|
|
|
|
inet->cork.base.flags &= ~IPCORK_ALLFRAG;
|
2007-11-06 05:04:31 +00:00
|
|
|
}
|
|
|
|
|
memset(&inet->cork.fl, 0, sizeof(inet->cork.fl));
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
int ip6_push_pending_frames(struct sock *sk)
|
|
|
|
|
{
|
|
|
|
|
struct sk_buff *skb, *tmp_skb;
|
|
|
|
|
struct sk_buff **tail_skb;
|
|
|
|
|
struct in6_addr final_dst_buf, *final_dst = &final_dst_buf;
|
|
|
|
|
struct inet_sock *inet = inet_sk(sk);
|
|
|
|
|
struct ipv6_pinfo *np = inet6_sk(sk);
|
2008-10-08 17:54:51 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct ipv6hdr *hdr;
|
|
|
|
|
struct ipv6_txoptions *opt = np->cork.opt;
|
2011-05-06 22:02:07 +00:00
|
|
|
struct rt6_info *rt = (struct rt6_info *)inet->cork.base.dst;
|
2011-03-12 21:22:43 +00:00
|
|
|
struct flowi6 *fl6 = &inet->cork.fl.u.ip6;
|
|
|
|
|
unsigned char proto = fl6->flowi6_proto;
|
2005-04-16 22:20:36 +00:00
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
|
|
if ((skb = __skb_dequeue(&sk->sk_write_queue)) == NULL)
|
|
|
|
|
goto out;
|
|
|
|
|
tail_skb = &(skb_shinfo(skb)->frag_list);
|
|
|
|
|
|
|
|
|
|
/* move skb->data to ip header from ext header */
|
2007-04-11 03:50:43 +00:00
|
|
|
if (skb->data < skb_network_header(skb))
|
2007-03-11 01:16:10 +00:00
|
|
|
__skb_pull(skb, skb_network_offset(skb));
|
2005-04-16 22:20:36 +00:00
|
|
|
while ((tmp_skb = __skb_dequeue(&sk->sk_write_queue)) != NULL) {
|
2007-03-16 20:26:39 +00:00
|
|
|
__skb_pull(tmp_skb, skb_network_header_len(skb));
|
2005-04-16 22:20:36 +00:00
|
|
|
*tail_skb = tmp_skb;
|
|
|
|
|
tail_skb = &(tmp_skb->next);
|
|
|
|
|
skb->len += tmp_skb->len;
|
|
|
|
|
skb->data_len += tmp_skb->len;
|
|
|
|
|
skb->truesize += tmp_skb->truesize;
|
|
|
|
|
tmp_skb->destructor = NULL;
|
|
|
|
|
tmp_skb->sk = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2008-02-13 02:07:27 +00:00
|
|
|
/* Allow local fragmentation. */
|
2008-02-15 07:49:37 +00:00
|
|
|
if (np->pmtudisc < IPV6_PMTUDISC_DO)
|
2008-02-13 02:07:27 +00:00
|
|
|
skb->local_df = 1;
|
|
|
|
|
|
2011-11-21 03:39:03 +00:00
|
|
|
*final_dst = fl6->daddr;
|
2007-03-16 20:26:39 +00:00
|
|
|
__skb_pull(skb, skb_network_header_len(skb));
|
2005-04-16 22:20:36 +00:00
|
|
|
if (opt && opt->opt_flen)
|
|
|
|
|
ipv6_push_frag_opts(skb, opt, &proto);
|
|
|
|
|
if (opt && opt->opt_nflen)
|
|
|
|
|
ipv6_push_nfrag_opts(skb, opt, &proto, &final_dst);
|
|
|
|
|
|
2007-04-11 03:46:21 +00:00
|
|
|
skb_push(skb, sizeof(struct ipv6hdr));
|
|
|
|
|
skb_reset_network_header(skb);
|
2007-04-26 00:54:47 +00:00
|
|
|
hdr = ipv6_hdr(skb);
|
2007-02-09 14:24:49 +00:00
|
|
|
|
2013-01-13 05:01:39 +00:00
|
|
|
ip6_flow_hdr(hdr, np->cork.tclass, fl6->flowlabel);
|
2005-04-16 22:20:36 +00:00
|
|
|
hdr->hop_limit = np->cork.hop_limit;
|
|
|
|
|
hdr->nexthdr = proto;
|
2011-11-21 03:39:03 +00:00
|
|
|
hdr->saddr = fl6->saddr;
|
|
|
|
|
hdr->daddr = *final_dst;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-01-09 06:37:26 +00:00
|
|
|
skb->priority = sk->sk_priority;
|
2008-01-31 03:08:16 +00:00
|
|
|
skb->mark = sk->sk_mark;
|
2006-01-09 06:37:26 +00:00
|
|
|
|
2010-06-11 06:31:35 +00:00
|
|
|
skb_dst_set(skb, dst_clone(&rt->dst));
|
2009-04-27 09:45:02 +00:00
|
|
|
IP6_UPD_PO_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len);
|
2007-09-16 23:52:35 +00:00
|
|
|
if (proto == IPPROTO_ICMPV6) {
|
2009-06-02 05:19:30 +00:00
|
|
|
struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
|
2007-09-16 23:52:35 +00:00
|
|
|
|
2014-03-31 18:14:10 +00:00
|
|
|
ICMP6MSGOUT_INC_STATS(net, idev, icmp6_hdr(skb)->icmp6_type);
|
|
|
|
|
ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
|
2007-09-16 23:52:35 +00:00
|
|
|
}
|
|
|
|
|
|
2008-01-12 03:15:08 +00:00
|
|
|
err = ip6_local_out(skb);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (err) {
|
|
|
|
|
if (err > 0)
|
ip: Report qdisc packet drops
Christoph Lameter pointed out that packet drops at qdisc level where not
accounted in SNMP counters. Only if application sets IP_RECVERR, drops
are reported to user (-ENOBUFS errors) and SNMP counters updated.
IP_RECVERR is used to enable extended reliable error message passing,
but these are not needed to update system wide SNMP stats.
This patch changes things a bit to allow SNMP counters to be updated,
regardless of IP_RECVERR being set or not on the socket.
Example after an UDP tx flood
# netstat -s
...
IP:
1487048 outgoing packets dropped
...
Udp:
...
SndbufErrors: 1487048
send() syscalls, do however still return an OK status, to not
break applications.
Note : send() manual page explicitly says for -ENOBUFS error :
"The output queue for a network interface was full.
This generally indicates that the interface has stopped sending,
but may be caused by transient congestion.
(Normally, this does not occur in Linux. Packets are just silently
dropped when a device queue overflows.) "
This is not true for IP_RECVERR enabled sockets : a send() syscall
that hit a qdisc drop returns an ENOBUFS error.
Many thanks to Christoph, David, and last but not least, Alexey !
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-09-03 01:05:33 +00:00
|
|
|
err = net_xmit_errno(err);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (err)
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
out:
|
2007-11-06 05:04:31 +00:00
|
|
|
ip6_cork_release(inet, np);
|
2005-04-16 22:20:36 +00:00
|
|
|
return err;
|
|
|
|
|
error:
|
2009-09-02 01:37:16 +00:00
|
|
|
IP6_INC_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS);
|
2005-04-16 22:20:36 +00:00
|
|
|
goto out;
|
|
|
|
|
}
|
2012-04-29 21:48:53 +00:00
|
|
|
EXPORT_SYMBOL_GPL(ip6_push_pending_frames);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
void ip6_flush_pending_frames(struct sock *sk)
|
|
|
|
|
{
|
|
|
|
|
struct sk_buff *skb;
|
|
|
|
|
|
|
|
|
|
while ((skb = __skb_dequeue_tail(&sk->sk_write_queue)) != NULL) {
|
2009-06-02 05:19:30 +00:00
|
|
|
if (skb_dst(skb))
|
|
|
|
|
IP6_INC_STATS(sock_net(sk), ip6_dst_idev(skb_dst(skb)),
|
2007-09-11 09:31:43 +00:00
|
|
|
IPSTATS_MIB_OUTDISCARDS);
|
2005-04-16 22:20:36 +00:00
|
|
|
kfree_skb(skb);
|
|
|
|
|
}
|
|
|
|
|
|
2007-11-06 05:04:31 +00:00
|
|
|
ip6_cork_release(inet_sk(sk), inet6_sk(sk));
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2012-04-29 21:48:53 +00:00
|
|
|
EXPORT_SYMBOL_GPL(ip6_flush_pending_frames);
|
