Merge branch 'tcp-fix-possible-crash-in-tcp_v4_err'

Eric Dumazet says:

====================
tcp: fix possible crash in tcp_v4_err()

soukjin bae reported a crash in tcp_v4_err() that we
root caused to a missing initialization.

Second patch adds a sanity check in tcp_v4_err() to avoid
future potential problems. Ignoring an ICMP message
is probably better than crashing a machine.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 4 insertions, 1 deletions

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index efc6fef692ff..ec3cea9d6828 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -536,12 +536,15 @@ int tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
                 if (sock_owned_by_user(sk))
                         break;
 
+                skb = tcp_rtx_queue_head(sk);
+                if (WARN_ON_ONCE(!skb))
+                        break;
+
                 icsk->icsk_backoff--;
                 icsk->icsk_rto = tp->srtt_us ? __tcp_set_rto(tp) :
                                                TCP_TIMEOUT_INIT;
                 icsk->icsk_rto = inet_csk_rto_backoff(icsk, TCP_RTO_MAX);
 
-                skb = tcp_rtx_queue_head(sk);
 
                 tcp_mstamp_refresh(tp);
                 delta_us = (u32)(tp->tcp_mstamp - tcp_skb_timestamp_us(skb));