From: Eric Dumazet <[email protected]>
While stress testing MTU probing, we had crashes in list_del() that we
root-caused
to the fact that tcp_fragment() is unconditionally inserting the freshly
allocated
skb into tsorted_sent_queue list.
But this list is supposed to contain skbs that were sent.
This was mostly harmless until MTU probing was enabled.
Fortunately we can use the tcp_queue enum added later (but in same linux
version)
for rtx-rb-tree to fix the bug.
Fixes: e2080072ed2d ("tcp: new list for sent but unacked skbs for RACK
recovery")
Signed-off-by: Eric Dumazet <[email protected]>
Cc: Yuchung Cheng <[email protected]>
Cc: Neal Cardwell <[email protected]>
Cc: Soheil Hassas Yeganeh <[email protected]>
Cc: Alexei Starovoitov <[email protected]>
Cc: Priyaranjan Jha <[email protected]>
---
net/ipv4/tcp_output.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index
a85e8a282d173983e35a2a1e3135ca2a63f1699e..36a3e7c909caacd981b84d1d8820a33d922f5a4e
100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1395,7 +1395,8 @@ int tcp_fragment(struct sock *sk, enum tcp_queue
tcp_queue,
/* Link BUFF into the send queue. */
__skb_header_release(buff);
tcp_insert_write_queue_after(skb, buff, sk, tcp_queue);
- list_add(&buff->tcp_tsorted_anchor, &skb->tcp_tsorted_anchor);
+ if (tcp_queue == TCP_FRAG_IN_RTX_QUEUE)
+ list_add(&buff->tcp_tsorted_anchor, &skb->tcp_tsorted_anchor);
return 0;
}
