tcp: miscounts due to tcp_fragment pcount reset

It seems that trivial reset of pcount to one was not sufficient
in tcp_retransmit_skb. Multiple counters experience a positive
miscount when skb's pcount gets lowered without the necessary
adjustments (depending on skb's sacked bits which exactly), at
worst a packets_out miscount can crash at RTO if the write queue
is empty!

Triggering this requires mss change, so bidir tcp or mtu probe or
like.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Tested-by: Uwe Bugla <uwe.bugla@gmx.de>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index f1db89bb3aa71baed4f93c749c87828a21d5ab24..53300fa2359fd66067c2bd36569e20558db7a489 100644 (file)
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1893,7 +1893,12 @@ int tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
                if (tcp_fragment(sk, skb, cur_mss, cur_mss))
                        return -ENOMEM; /* We'll try again later. */
        } else {
-               tcp_init_tso_segs(sk, skb, cur_mss);
+               int oldpcount = tcp_skb_pcount(skb);
+
+               if (unlikely(oldpcount > 1)) {
+                       tcp_init_tso_segs(sk, skb, cur_mss);
+                       tcp_adjust_pcount(sk, skb, oldpcount - tcp_skb_pcount(skb));
+               }
        }
 
        tcp_retrans_try_collapse(sk, skb, cur_mss);