!14641 net: Fix CVE-2024-47684 (addfd0d3) · Commits · EulixOS / Software / Kernel

include/net/tcp.h

+25 −2

Original line number	Diff line number	Diff line
		@@ -796,6 +796,12 @@ static inline u32 tcp_skb_timestamp(const struct sk_buff *skb)
		return div_u64(skb->skb_mstamp, USEC_PER_SEC / TCP_TS_HZ);
		}

		/* provide the departure time in us unit */
		static inline u64 tcp_skb_timestamp_us(const struct sk_buff *skb)
		{
		return skb->skb_mstamp;
		}


		#define tcp_flag_byte(th) (((u_int8_t *)th)[13])

		@@ -2001,9 +2007,26 @@ static inline s64 tcp_rto_delta_us(const struct sock *sk)
		{
		const struct sk_buff *skb = tcp_rtx_queue_head(sk);
		u32 rto = inet_csk(sk)->icsk_rto;
		u64 rto_time_stamp_us = skb->skb_mstamp + jiffies_to_usecs(rto);

		if (likely(skb)) {
		u64 rto_time_stamp_us = tcp_skb_timestamp_us(skb) + jiffies_to_usecs(rto);

		return rto_time_stamp_us - tcp_sk(sk)->tcp_mstamp;
		} else {
		WARN_ONCE(1,
		"rtx queue emtpy: "
		"out:%u sacked:%u lost:%u retrans:%u "
		"tlp_high_seq:%u sk_state:%u ca_state:%u "
		"advmss:%u mss_cache:%u pmtu:%u\n",
		tcp_sk(sk)->packets_out, tcp_sk(sk)->sacked_out,
		tcp_sk(sk)->lost_out, tcp_sk(sk)->retrans_out,
		tcp_sk(sk)->tlp_high_seq, sk->sk_state,
		inet_csk(sk)->icsk_ca_state,
		tcp_sk(sk)->advmss, tcp_sk(sk)->mss_cache,
		inet_csk(sk)->icsk_pmtu_cookie);
		return jiffies_to_usecs(rto);
		}

		}

		/*

net/ipv4/tcp_input.c

+6 −5

Original line number	Diff line number	Diff line
		@@ -1288,7 +1288,7 @@ static bool tcp_shifted_skb(struct sock sk, struct sk_buff prev,
		*/
		tcp_sacktag_one(sk, state, TCP_SKB_CB(skb)->sacked,
		start_seq, end_seq, dup_sack, pcount,
		skb->skb_mstamp);
		tcp_skb_timestamp_us(skb));
		tcp_rate_skb_delivered(sk, skb, state->rate);

		if (skb == tp->lost_skb_hint)
		@@ -1577,7 +1577,7 @@ static struct sk_buff tcp_sacktag_walk(struct sk_buff skb, struct sock *sk,
		TCP_SKB_CB(skb)->end_seq,
		dup_sack,
		tcp_skb_pcount(skb),
		skb->skb_mstamp);
		tcp_skb_timestamp_us(skb));
		tcp_rate_skb_delivered(sk, skb, state->rate);
		if (TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_ACKED)
		list_del_init(&skb->tcp_tsorted_anchor);
		@@ -3127,7 +3127,7 @@ static int tcp_clean_rtx_queue(struct sock *sk, u32 prior_fack,
		tp->retrans_out -= acked_pcount;
		flag \|= FLAG_RETRANS_DATA_ACKED;
		} else if (!(sacked & TCPCB_SACKED_ACKED)) {
		last_ackt = skb->skb_mstamp;
		last_ackt = tcp_skb_timestamp_us(skb);
		WARN_ON_ONCE(last_ackt == 0);
		if (!first_ackt)
		first_ackt = last_ackt;
		@@ -3145,7 +3145,7 @@ static int tcp_clean_rtx_queue(struct sock *sk, u32 prior_fack,
		tp->delivered += acked_pcount;
		if (!tcp_skb_spurious_retrans(tp, skb))
		tcp_rack_advance(tp, sacked, scb->end_seq,
		skb->skb_mstamp);
		tcp_skb_timestamp_us(skb));
		}
		if (sacked & TCPCB_LOST)
		tp->lost_out -= acked_pcount;
		@@ -3240,7 +3240,8 @@ static int tcp_clean_rtx_queue(struct sock *sk, u32 prior_fack,
		tp->lost_cnt_hint -= min(tp->lost_cnt_hint, delta);
		}
		} else if (skb && rtt_update && sack_rtt_us >= 0 &&
		sack_rtt_us > tcp_stamp_us_delta(tp->tcp_mstamp, skb->skb_mstamp)) {
		sack_rtt_us > tcp_stamp_us_delta(tp->tcp_mstamp,
		tcp_skb_timestamp_us(skb))) {
		/* Do not re-arm RTO if the sack RTT is measured from data sent
		* after when the head was last (re)transmitted. Otherwise the
		* timeout may continue to extend in loss recovery.

net/ipv4/tcp_ipv4.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -554,7 +554,7 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
		icsk->icsk_rto = inet_csk_rto_backoff(icsk, TCP_RTO_MAX);

		tcp_mstamp_refresh(tp);
		delta_us = (u32)(tp->tcp_mstamp - skb->skb_mstamp);
		delta_us = (u32)(tp->tcp_mstamp - tcp_skb_timestamp_us(skb));
		remaining = icsk->icsk_rto -
		usecs_to_jiffies(delta_us);

net/ipv4/tcp_output.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2046,7 +2046,7 @@ static bool tcp_tso_should_defer(struct sock sk, struct sk_buff skb,
		head = tcp_rtx_queue_head(sk);
		if (!head)
		goto send_now;
		age = tcp_stamp_us_delta(tp->tcp_mstamp, head->skb_mstamp);
		age = tcp_stamp_us_delta(tp->tcp_mstamp, tcp_skb_timestamp_us(head));
		/* If next ACK is likely to come too late (half srtt), do not defer */
		if (age < (tp->srtt_us >> 4))
		goto send_now;

net/ipv4/tcp_rate.c

+8 −7

Original line number	Diff line number	Diff line
		@@ -55,8 +55,10 @@ void tcp_rate_skb_sent(struct sock sk, struct sk_buff skb)
		* bandwidth estimate.
		*/
		if (!tp->packets_out) {
		tp->first_tx_mstamp = skb->skb_mstamp;
		tp->delivered_mstamp = skb->skb_mstamp;
		u64 tstamp_us = tcp_skb_timestamp_us(skb);

		tp->first_tx_mstamp = tstamp_us;
		tp->delivered_mstamp = tstamp_us;
		}

		TCP_SKB_CB(skb)->tx.first_tx_mstamp = tp->first_tx_mstamp;
		@@ -88,13 +90,12 @@ void tcp_rate_skb_delivered(struct sock sk, struct sk_buff skb,
		rs->is_app_limited = scb->tx.is_app_limited;
		rs->is_retrans = scb->sacked & TCPCB_RETRANS;

		/* Record send time of most recently ACKed packet: */
		tp->first_tx_mstamp = tcp_skb_timestamp_us(skb);
		/* Find the duration of the "send phase" of this window: */
		rs->interval_us = tcp_stamp_us_delta(
		skb->skb_mstamp,
		rs->interval_us = tcp_stamp_us_delta(tp->first_tx_mstamp,
		scb->tx.first_tx_mstamp);

		/* Record send time of most recently ACKed packet: */
		tp->first_tx_mstamp = skb->skb_mstamp;
		}
		/* Mark off the skb delivered once it's sacked to avoid being
		* used again when it's cumulatively acked. For acked packets