tipc: pskb_copy() buffers when sending on more than one bearer
authorGerlando Falauto <gerlando.falauto@keymile.com>
Wed, 1 May 2013 12:04:46 +0000 (12:04 +0000)
committerDavid S. Miller <davem@davemloft.net>
Fri, 3 May 2013 20:08:58 +0000 (16:08 -0400)
When sending packets, TIPC bearers use skb_clone() before writing their
hardware header. This will however NOT copy the data buffer.
So when the same packet is sent over multiple bearers (to reach multiple
nodes), the same socket buffer data will be treated by multiple
tipc_media drivers which will write their own hardware header through
dev_hard_header().
Most of the time this is not a problem, because by the time the
packet is processed by the second media, it has already been sent over
the first one. However, when the first transmission is delayed (e.g.
because of insufficient bandwidth or through a shaper), the next bearer
will overwrite the hardware header, resulting in the packet being sent:
a) with the wrong source address, when bearers of the same type,
e.g. ethernet, are involved
b) with a completely corrupt header, or even dropped, when bearers of
different types are involved.

So when the same socket buffer is to be sent multiple times, send a
pskb_copy() instead (from the second instance on), and release it
afterwards (the bearer will skb_clone() it anyway).

Signed-off-by: Gerlando Falauto <gerlando.falauto@keymile.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/tipc/bcast.c

index d9d848d488ee9ba135b67296ab61df5c05fade83..e5f3da507823678240df70fa26404b8d7ae00d36 100644 (file)
@@ -611,6 +611,7 @@ static int tipc_bcbearer_send(struct sk_buff *buf,
                struct tipc_bearer *p = bcbearer->bpairs[bp_index].primary;
                struct tipc_bearer *s = bcbearer->bpairs[bp_index].secondary;
                struct tipc_bearer *b = p;
+               struct sk_buff *tbuf;
 
                if (!p)
                        break; /* No more bearers to try */
@@ -626,7 +627,17 @@ static int tipc_bcbearer_send(struct sk_buff *buf,
                if (bcbearer->remains_new.count == bcbearer->remains.count)
                        continue; /* Nothing added by bearer pair */
 
-               tipc_bearer_send(b, buf, &b->bcast_addr);
+               if (bp_index == 0) {
+                       /* Use original buffer for first bearer */
+                       tipc_bearer_send(b, buf, &b->bcast_addr);
+               } else {
+                       /* Avoid concurrent buffer access */
+                       tbuf = pskb_copy(buf, GFP_ATOMIC);
+                       if (!tbuf)
+                               break;
+                       tipc_bearer_send(b, tbuf, &b->bcast_addr);
+                       kfree_skb(tbuf); /* Bearer keeps a clone */
+               }
 
                /* Swap bearers for next packet */
                if (s) {