[3.5.y.z,extended,stable] Patch "tcp: fix tcp_md5_hash_skb_data()" has been added to staging queue

Submitted by Luis Henriques on June 24, 2013, 8:19 a.m.


Message ID 1372061941-4939-1-git-send-email-luis.henriques@canonical.com
State New
Headers show

Commit Message

Luis Henriques June 24, 2013, 8:19 a.m.
This is a note to let you know that I have just added a patch titled

    tcp: fix tcp_md5_hash_skb_data()

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:


If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From 6a9cea32241bea7641bf3ad80909657464938fbc Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@google.com>
Date: Mon, 13 May 2013 21:25:52 +0000
Subject: [PATCH] tcp: fix tcp_md5_hash_skb_data()

commit 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e upstream.

TCP md5 communications fail [1] for some devices, because sg/crypto code
assume page offsets are below PAGE_SIZE.

This was discovered using mlx4 driver [2], but I suspect loopback
might trigger the same bug now we use order-3 pages in tcp_sendmsg()

[1] Failure is giving following messages.

huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
exited with 00000101?

[2] mlx4 driver uses order-2 pages to allocate RX frags

Reported-by: Matt Schnall <mischnal@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Bernhard Beck <bbeck@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
 net/ipv4/tcp.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)


Patch hide | download patch | download mbox

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 1a763b7..75936ee 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3294,8 +3294,11 @@  int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp,

 	for (i = 0; i < shi->nr_frags; ++i) {
 		const struct skb_frag_struct *f = &shi->frags[i];
-		struct page *page = skb_frag_page(f);
-		sg_set_page(&sg, page, skb_frag_size(f), f->page_offset);
+		unsigned int offset = f->page_offset;
+		struct page *page = skb_frag_page(f) + (offset >> PAGE_SHIFT);
+		sg_set_page(&sg, page, skb_frag_size(f),
+			    offset_in_page(offset));
 		if (crypto_hash_update(desc, &sg, skb_frag_size(f)))
 			return 1;