Commit 39c36094 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller

net: fix inet_getid() and ipv6_select_ident() bugs

I noticed we were sending wrong IPv4 ID in TCP flows when MTU discovery
is disabled.
Note how GSO/TSO packets do not have monotonically incrementing ID.

06:37:41.575531 IP (id 14227, proto: TCP (6), length: 4396)
06:37:41.575534 IP (id 14272, proto: TCP (6), length: 65212)
06:37:41.575544 IP (id 14312, proto: TCP (6), length: 57972)
06:37:41.575678 IP (id 14317, proto: TCP (6), length: 7292)
06:37:41.575683 IP (id 14361, proto: TCP (6), length: 63764)

It appears I introduced this bug in linux-3.1.

inet_getid() must return the old value of peer->ip_id_count,
not the new one.

Lets revert this part, and remove the prevention of
a null identification field in IPv6 Fragment Extension Header,
which is dubious and not even done properly.

Fixes: 87c48fa3 ("ipv6: make fragment identifications less predictable")
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent fc0d6e9c
...@@ -177,16 +177,9 @@ static inline void inet_peer_refcheck(const struct inet_peer *p) ...@@ -177,16 +177,9 @@ static inline void inet_peer_refcheck(const struct inet_peer *p)
/* can be called with or without local BH being disabled */ /* can be called with or without local BH being disabled */
static inline int inet_getid(struct inet_peer *p, int more) static inline int inet_getid(struct inet_peer *p, int more)
{ {
int old, new;
more++; more++;
inet_peer_refcheck(p); inet_peer_refcheck(p);
do { return atomic_add_return(more, &p->ip_id_count) - more;
old = atomic_read(&p->ip_id_count);
new = old + more;
if (!new)
new = 1;
} while (atomic_cmpxchg(&p->ip_id_count, old, new) != old);
return new;
} }
#endif /* _NET_INETPEER_H */ #endif /* _NET_INETPEER_H */
...@@ -12,7 +12,7 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) ...@@ -12,7 +12,7 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
{ {
static atomic_t ipv6_fragmentation_id; static atomic_t ipv6_fragmentation_id;
struct in6_addr addr; struct in6_addr addr;
int old, new; int ident;
#if IS_ENABLED(CONFIG_IPV6) #if IS_ENABLED(CONFIG_IPV6)
struct inet_peer *peer; struct inet_peer *peer;
...@@ -26,15 +26,10 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) ...@@ -26,15 +26,10 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
return; return;
} }
#endif #endif
do { ident = atomic_inc_return(&ipv6_fragmentation_id);
old = atomic_read(&ipv6_fragmentation_id);
new = old + 1;
if (!new)
new = 1;
} while (atomic_cmpxchg(&ipv6_fragmentation_id, old, new) != old);
addr = rt->rt6i_dst.addr; addr = rt->rt6i_dst.addr;
addr.s6_addr32[0] ^= (__force __be32)new; addr.s6_addr32[0] ^= (__force __be32)ident;
fhdr->identification = htonl(secure_ipv6_id(addr.s6_addr32)); fhdr->identification = htonl(secure_ipv6_id(addr.s6_addr32));
} }
EXPORT_SYMBOL(ipv6_select_ident); EXPORT_SYMBOL(ipv6_select_ident);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment