net: fix inet_getid() and ipv6_select_ident() bugs

[ Upstream commit 39c36094d78c39e038c1e499b2364e13bce36f54 ]

I noticed we were sending wrong IPv4 ID in TCP flows when MTU discovery
is disabled.
Note how GSO/TSO packets do not have monotonically incrementing ID.

06:37:41.575531 IP (id 14227, proto: TCP (6), length: 4396)
06:37:41.575534 IP (id 14272, proto: TCP (6), length: 65212)
06:37:41.575544 IP (id 14312, proto: TCP (6), length: 57972)
06:37:41.575678 IP (id 14317, proto: TCP (6), length: 7292)
06:37:41.575683 IP (id 14361, proto: TCP (6), length: 63764)

It appears I introduced this bug in linux-3.1.

inet_getid() must return the old value of peer->ip_id_count,
not the new one.

Lets revert this part, and remove the prevention of
a null identification field in IPv6 Fragment Extension Header,
which is dubious and not even done properly.

Fixes: 87c48fa3b463 ("ipv6: make fragment identifications less predictable")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
index 2040bff945d4562e0c0129d078a26a0a1be34672..2d643649f0f8b250a3e4beb8b24a393a5edccbcb 100644 (file)
--- a/include/net/inetpeer.h
+++ b/include/net/inetpeer.h
@@ -114,16 +114,9 @@ static inline void inet_peer_refcheck(const struct inet_peer *p)
 /* can be called with or without local BH being disabled */
 static inline int inet_getid(struct inet_peer *p, int more)
 {
-       int old, new;
        more++;
        inet_peer_refcheck(p);
-       do {
-               old = atomic_read(&p->ip_id_count);
-               new = old + more;
-               if (!new)
-                       new = 1;
-       } while (atomic_cmpxchg(&p->ip_id_count, old, new) != old);
-       return new;
+       return atomic_add_return(more, &p->ip_id_count) - more;
 }
 
 #endif /* _NET_INETPEER_H */

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 5a2d819d82621241056be37b5701b29717b06c30..077b9a3f8d2592bedfd7e3aa2417557aa786a6f6 100644 (file)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -611,7 +611,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
 {
        static atomic_t ipv6_fragmentation_id;
-       int old, new;
+       int ident;
 
        if (rt && !(rt->dst.flags & DST_NOPEER)) {
                struct inet_peer *peer;
@@ -624,13 +624,8 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
                        return;
                }
        }
-       do {
-               old = atomic_read(&ipv6_fragmentation_id);
-               new = old + 1;
-               if (!new)
-                       new = 1;
-       } while (atomic_cmpxchg(&ipv6_fragmentation_id, old, new) != old);
-       fhdr->identification = htonl(new);
+       ident = atomic_inc_return(&ipv6_fragmentation_id);
+       fhdr->identification = htonl(ident);
 }
 
 int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))