author | Eric Dumazet <edumazet@google.com> | 2017-10-18 17:20:30 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2017-10-20 20:44:05 -0400 |
commit | ba233b34741a1dc88d1e94db7deeb7b079ef4b9a (patch) | |
tree | e1ead62e71ec931b1abeb1740a5dd649b490665d /net/ipv4/tcp_output.c | |
parent | 27188af5ab2f11dd6a4b548940db6464c8fcfe28 (diff) |
tcp: fix tcp_send_syn_data()

syn_data was allocated by sk_stream_alloc_skb(), meaning
its destructor and _skb_refdst fields are mangled.

We need to call tcp_skb_tsorted_anchor_cleanup() before
calling kfree_skb() or kernel crashes.

Bug was reported by syzkaller bot.

Fixes: e2080072ed2d ("tcp: new list for sent but unacked skbs for RACK recovery")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/tcp_output.c')
-rw-r--r-- | net/ipv4/tcp_output.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 53dc1267c85e..988733f289c8 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c | |||
@@ -3383,6 +3383,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn) | |||
3383 | int copied = copy_from_iter(skb_put(syn_data, space), space, | 3383 | int copied = copy_from_iter(skb_put(syn_data, space), space, |
3384 | &fo->data->msg_iter); | 3384 | &fo->data->msg_iter); |
3385 | if (unlikely(!copied)) { | 3385 | if (unlikely(!copied)) { |
3386 | tcp_skb_tsorted_anchor_cleanup(syn_data); | ||
3386 | kfree_skb(syn_data); | 3387 | kfree_skb(syn_data); |
3387 | goto fallback; | 3388 | goto fallback; |
3388 | } | 3389 | } |
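Review bot: the tcp_skb_tsorted_anchor_cleanup(syn_data) call added in the !copied branch has no comment saying why it must come before kfree_skb(syn_data), so a later tidy-up of this error path could drop or reorder it and reintroduce the crash. A one-line comment at the call, noting that syn_data came from sk_stream_alloc_skb() and that its destructor and _skb_refdst fields are mangled as the commit message explains, would keep the constraint next to the code. Because the pairing is easy to miss, it is also worth checking that no other path in tcp_send_syn_data() frees syn_data with a bare kfree_skb(), and considering a small helper that performs the cleanup and the free together.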