| From foo@baz Tue Aug 8 16:51:58 PDT 2017 |
| From: Stefano Brivio <sbrivio@redhat.com> |
| Date: Mon, 24 Jul 2017 23:14:28 +0200 |
| Subject: ipv6: Don't increase IPSTATS_MIB_FRAGFAILS twice in ip6_fragment() |
| |
| From: Stefano Brivio <sbrivio@redhat.com> |
| |
| |
| [ Upstream commit afce615aaabfbaad02550e75c0bec106dafa1adf ] |
| |
| RFC 2465 defines ipv6IfStatsOutFragFails as: |
| |
| "The number of IPv6 datagrams that have been discarded |
| because they needed to be fragmented at this output |
| interface but could not be." |
| |
| The existing implementation, instead, would increase the counter |
| twice in case we fail to allocate room for single fragments: |
| once for the fragment, once for the datagram. |
| |
| This didn't look intentional though. In one of the two affected |
| affected failure paths, the double increase was simply a result |
| of a new 'goto fail' statement, introduced to avoid a skb leak. |
| The other path appears to be affected since at least 2.6.12-rc2. |
| |
| Reported-by: Sabrina Dubroca <sdubroca@redhat.com> |
| Fixes: 1d325d217c7f ("ipv6: ip6_fragment: fix headroom tests and skb leak") |
| Signed-off-by: Stefano Brivio <sbrivio@redhat.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/ipv6/ip6_output.c | 4 ---- |
| 1 file changed, 4 deletions(-) |
| |
| --- a/net/ipv6/ip6_output.c |
| +++ b/net/ipv6/ip6_output.c |
| @@ -647,8 +647,6 @@ int ip6_fragment(struct net *net, struct |
| *prevhdr = NEXTHDR_FRAGMENT; |
| tmp_hdr = kmemdup(skb_network_header(skb), hlen, GFP_ATOMIC); |
| if (!tmp_hdr) { |
| - IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), |
| - IPSTATS_MIB_FRAGFAILS); |
| err = -ENOMEM; |
| goto fail; |
| } |
| @@ -767,8 +765,6 @@ slow_path: |
| frag = alloc_skb(len + hlen + sizeof(struct frag_hdr) + |
| hroom + troom, GFP_ATOMIC); |
| if (!frag) { |
| - IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), |
| - IPSTATS_MIB_FRAGFAILS); |
| err = -ENOMEM; |
| goto fail; |
| } |