tcp: fix possible deadlock in tcp_send_fin()

[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / ipv4 / tcp_output.c

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 6b554c37e08beff4ed78e1d215c05355ec418a04..546371973b9a5fcfbfaf2c379987d6ce76b66113 100644 (file)
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2571,6 +2571,21 @@ begin_fwd:
        }
 }
 
+/* We allow to exceed memory limits for FIN packets to expedite
+ * connection tear down and (memory) recovery.
+ * Otherwise tcp_send_fin() could loop forever.
+ */
+static void sk_forced_wmem_schedule(struct sock *sk, int size)
+{
+       int amt, status;
+
+       if (size <= sk->sk_forward_alloc)
+               return;
+       amt = sk_mem_pages(size);
+       sk->sk_forward_alloc += amt * SK_MEM_QUANTUM;
+       sk_memory_allocated_add(sk, amt, &status);
+}
+
 /* Send a fin.  The caller locks the socket for us.  This cannot be
  * allowed to fail queueing a FIN frame under any circumstances.
  */
@@ -2593,11 +2608,14 @@ void tcp_send_fin(struct sock *sk)
        } else {
                /* Socket is locked, keep trying until memory is available. */
                for (;;) {
-                       skb = sk_stream_alloc_skb(sk, 0, sk->sk_allocation);
+                       skb = alloc_skb_fclone(MAX_TCP_HEADER,
+                                              sk->sk_allocation);
                        if (skb)
                                break;
                        yield();
                }
+               skb_reserve(skb, MAX_TCP_HEADER);
+               sk_forced_wmem_schedule(sk, skb->truesize);
                /* FIN eats a sequence byte, write_seq advanced by tcp_queue_skb(). */
                tcp_init_nondata_skb(skb, tp->write_seq,
                                     TCPHDR_ACK | TCPHDR_FIN);
@@ -2772,6 +2790,8 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst,
        }
 #endif
 
+       /* Do not fool tcpdump (if any), clean our debris */
+       skb->tstamp.tv64 = 0;
        return skb;
 }
 EXPORT_SYMBOL(tcp_make_synack);
@@ -2871,9 +2891,9 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
 {
        struct tcp_sock *tp = tcp_sk(sk);
        struct tcp_fastopen_request *fo = tp->fastopen_req;
-       int syn_loss = 0, space, i, err = 0, iovlen = fo->data->msg_iovlen;
-       struct sk_buff *syn_data = NULL, *data;
+       int syn_loss = 0, space, err = 0;
        unsigned long last_syn_loss = 0;
+       struct sk_buff *syn_data;
 
        tp->rx_opt.mss_clamp = tp->advmss;  /* If MSS is not cached */
        tcp_fastopen_cache_get(sk, &tp->rx_opt.mss_clamp, &fo->cookie,
@@ -2904,42 +2924,39 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
        /* limit to order-0 allocations */
        space = min_t(size_t, space, SKB_MAX_HEAD(MAX_TCP_HEADER));
 
-       syn_data = skb_copy_expand(syn, MAX_TCP_HEADER, space,
-                                  sk->sk_allocation);
-       if (syn_data == NULL)
+       syn_data = sk_stream_alloc_skb(sk, space, sk->sk_allocation);
+       if (!syn_data)
                goto fallback;
+       syn_data->ip_summed = CHECKSUM_PARTIAL;
+       memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
+       skb_shinfo(syn_data)->gso_segs = 1;
+       if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
+                                        fo->data->msg_iov, 0, space))) {
+               kfree_skb(syn_data);
+               goto fallback;
+       }
 
-       for (i = 0; i < iovlen && syn_data->len < space; ++i) {
-               struct iovec *iov = &fo->data->msg_iov[i];
-               unsigned char __user *from = iov->iov_base;
-               int len = iov->iov_len;
-
-               if (syn_data->len + len > space)
-                       len = space - syn_data->len;
-               else if (i + 1 == iovlen)
-                       /* No more data pending in inet_wait_for_connect() */
-                       fo->data = NULL;
+       /* No more data pending in inet_wait_for_connect() */
+       if (space == fo->size)
+               fo->data = NULL;
+       fo->copied = space;
 
-               if (skb_add_data(syn_data, from, len))
-                       goto fallback;
-       }
+       tcp_connect_queue_skb(sk, syn_data);
 
-       /* Queue a data-only packet after the regular SYN for retransmission */
-       data = pskb_copy(syn_data, sk->sk_allocation);
-       if (data == NULL)
-               goto fallback;
-       TCP_SKB_CB(data)->seq++;
-       TCP_SKB_CB(data)->tcp_flags &= ~TCPHDR_SYN;
-       TCP_SKB_CB(data)->tcp_flags = (TCPHDR_ACK|TCPHDR_PSH);
-       tcp_connect_queue_skb(sk, data);
-       fo->copied = data->len;
+       err = tcp_transmit_skb(sk, syn_data, 1, sk->sk_allocation);
 
-       if (tcp_transmit_skb(sk, syn_data, 0, sk->sk_allocation) == 0) {
+       /* Now full SYN+DATA was cloned and sent (or not),
+        * remove the SYN from the original skb (syn_data)
+        * we keep in write queue in case of a retransmit, as we
+        * also have the SYN packet (with no data) in the same queue.
+        */
+       TCP_SKB_CB(syn_data)->seq++;
+       TCP_SKB_CB(syn_data)->tcp_flags = TCPHDR_ACK | TCPHDR_PSH;
+       if (!err) {
                tp->syn_data = (fo->copied > 0);
                NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPFASTOPENACTIVE);
                goto done;
        }
-       syn_data = NULL;
 
 fallback:
        /* Send a regular SYN with Fast Open cookie request option */
@@ -2948,7 +2965,6 @@ fallback:
        err = tcp_transmit_skb(sk, syn, 1, sk->sk_allocation);
        if (err)
                tp->syn_fastopen = 0;
-       kfree_skb(syn_data);
 done:
        fo->cookie.len = -1;  /* Exclude Fast Open option for SYN retries */
        return err;
@@ -2968,13 +2984,10 @@ int tcp_connect(struct sock *sk)
                return 0;
        }
 
-       buff = alloc_skb_fclone(MAX_TCP_HEADER + 15, sk->sk_allocation);
-       if (unlikely(buff == NULL))
+       buff = sk_stream_alloc_skb(sk, 0, sk->sk_allocation);
+       if (unlikely(!buff))
                return -ENOBUFS;
 
-       /* Reserve space for headers. */
-       skb_reserve(buff, MAX_TCP_HEADER);
-
        tcp_init_nondata_skb(buff, tp->write_seq++, TCPHDR_SYN);
        tp->retrans_stamp = TCP_SKB_CB(buff)->when = tcp_time_stamp;
        tcp_connect_queue_skb(sk, buff);