From patchwork Tue Feb 11 10:38:26 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Erik Hugne <erik.hugne@ericsson.com>
X-Patchwork-Id: 319222
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 39A5E2C00A2
	for <patchwork-incoming@ozlabs.org>;
	Tue, 11 Feb 2014 21:53:39 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751571AbaBKKxe (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Tue, 11 Feb 2014 05:53:34 -0500
Received: from sessmg20.ericsson.net ([193.180.251.50]:64702 "EHLO
	sessmg20.mgmt.ericsson.se" rhost-flags-OK-OK-OK-FAIL)
	by vger.kernel.org with ESMTP id S1750969AbaBKKxd (ORCPT
	<rfc822;netdev@vger.kernel.org>); Tue, 11 Feb 2014 05:53:33 -0500
X-Greylist: delayed 901 seconds by postgrey-1.27 at vger.kernel.org;
	Tue, 11 Feb 2014 05:53:32 EST
X-AuditID: c1b4fb32-b7f4c8e0000012f5-89-52f9fda60a9c
Received: from ESESSHC011.ericsson.se (Unknown_Domain [153.88.253.124])
	by sessmg20.mgmt.ericsson.se (Symantec Mail Security) with SMTP id
	A8.3B.04853.6ADF9F25; Tue, 11 Feb 2014 11:38:30 +0100 (CET)
Received: from eerihug-hybrid.rnd.ki.sw.ericsson.se (147.214.213.166) by
	ESESSHC011.ericsson.se (153.88.183.51) with Microsoft SMTP Server
	(TLS) id 14.2.347.0; Tue, 11 Feb 2014 11:38:29 +0100
From: <erik.hugne@ericsson.com>
To: <netdev@vger.kernel.org>, <jon.maloy@ericsson.com>
CC: <ying.xue@windriver.com>, <paul.gortmaker@windriver.com>,
	<tipc-discussion@lists.sourceforge.net>,
	Erik Hugne <erik.hugne@ericsson.com>
Subject: [PATCH net] tipc: fix message corruption bug for deferred packets
Date: Tue, 11 Feb 2014 11:38:26 +0100
Message-ID: <1392115106-16178-1-git-send-email-erik.hugne@ericsson.com>
X-Mailer: git-send-email 1.7.9.5
MIME-Version: 1.0
X-Originating-IP: [147.214.213.166]
X-Brightmail-Tracker: 
 H4sIAAAAAAAAA+NgFvrHJMWRmVeSWpSXmKPExsUyM+Jvje6yvz+DDPZ0qVocWyBmcW3vcWaL
	LeezLB5fv87swOKxe8FnJo/Pm+Q81m/ZyhTAHMVlk5Kak1mWWqRvl8CVcXNbO1vBBOGK1vMr
	WBsYL/B3MXJySAiYSMxZt4URwhaTuHBvPVsXIxeHkMAJRon3ayZCOYcZJe707QKrYhOQlzi/
	6DYTiC0iYCaxdN8TVhCbWaCXUaL3UjqILSzgJbFhw3N2EJtFQFVi69cGMJtXwF1i/c15QHM4
	gLYpSMyZZAMRFpQ4OfMJC8QYCYmDL14wg9hCAioS91/OZoc4Tlni8+WXTBMY+WchaZmFpGUB
	I9MqRsni1OLi3HQjA73c9NwSvdSizOTi4vw8veLUTYzAMDy45bfRDsaTe+wPMUpzsCiJ815n
	rQkSEkhPLEnNTk0tSC2KLyrNSS0+xMjEwSnVwMic8GZatv3PKFW265/3iprbe2qarLoz4ZKN
	5pLlT8ReuomLb6woD9y5ed8t9X/nbybsXLb/3L0FtTsPzDHaExJ/bNqe2jDbGYfmdjtfdxKr
	CVkyf1JW1bn4qycSJQUT/L/vnpd3ZU3yvOBSGU9Ozd8MzvtNhSYbb7l8633vW1mxWxuuFnZ3
	H/umxFKckWioxVxUnAgA+sC7fBECAAA=
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Erik Hugne <erik.hugne@ericsson.com>

If a packet received on a link is out-of-sequence, it will be
placed on a deferred queue and later reinserted in the receive
path once the preceding packets have been processed. The problem
with this is that it will be subject to the buffer adjustment from
link_recv_buf_validate twice. The second adjustment for 20 bytes
header space will corrupt the packet.

We solve this by tagging the deferred packets and bail out from
receive buffer validation for packets that have already been
subjected to this.

Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
---

This was found in a 12 node cluster with hundreds to thousands of
publications on each node. When a node came alive after a reboot,
each node redistributed their publications in 5-10 NAME_DISTRIBUTOR
messages. The bundled publications where sometimes corrupted on the
receiver side. It was always the last 20 bytes of the payload, and
further tracing showed that the corruption was isolated to messages
that had once been deferred. However the corruption applies to
_all_ deferred traffic.

 net/tipc/core.h |    1 +
 net/tipc/link.c |    7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/net/tipc/core.h b/net/tipc/core.h
index 1ff477b..5569d96 100644
--- a/net/tipc/core.h
+++ b/net/tipc/core.h
@@ -192,6 +192,7 @@ static inline void k_term_timer(struct timer_list *timer)
 
 struct tipc_skb_cb {
 	void *handle;
+	bool deferred;
 };
 
 #define TIPC_SKB_CB(__skb) ((struct tipc_skb_cb *)&((__skb)->cb[0]))
diff --git a/net/tipc/link.c b/net/tipc/link.c
index d4b5de4..da6018b 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -1391,6 +1391,12 @@ static int link_recv_buf_validate(struct sk_buff *buf)
 	u32 hdr_size;
 	u32 min_hdr_size;
 
+	/* If this packet comes from the defer queue, the skb has already
+	 * been validated
+	 */
+	if (unlikely(TIPC_SKB_CB(buf)->deferred))
+		return 1;
+
 	if (unlikely(buf->len < MIN_H_SIZE))
 		return 0;
 
@@ -1703,6 +1709,7 @@ static void link_handle_out_of_seq_msg(struct tipc_link *l_ptr,
 				&l_ptr->newest_deferred_in, buf)) {
 		l_ptr->deferred_inqueue_sz++;
 		l_ptr->stats.deferred_recv++;
+		TIPC_SKB_CB(buf)->deferred = true;
 		if ((l_ptr->deferred_inqueue_sz % 16) == 1)
 			tipc_link_send_proto_msg(l_ptr, STATE_MSG, 0, 0, 0, 0, 0);
 	} else