Return-Path:
Received: from mail.linuxfoundation.org ([140.211.169.12]:60182 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750816AbdBOAbl (ORCPT ); Tue, 14 Feb 2017 19:31:41 -0500
Subject: Patch "tcp: fix 0 divide in __tcp_select_window()" has been added to the 4.4-stable tree
To: edumazet@google.com, davem@davemloft.net, dvyukov@google.com, gregkh@linuxfoundation.org, ncardwell@google.com
Cc: ,
From:
Date: Tue, 14 Feb 2017 16:31:41 -0800
Message-ID: <14871187016767@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID:

This is a note to let you know that I've just added the patch titled

    tcp: fix 0 divide in __tcp_select_window()

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tcp-fix-0-divide-in-__tcp_select_window.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.


From foo@baz Tue Feb 14 16:29:59 PST 2017
From: Eric Dumazet
Date: Wed, 1 Feb 2017 08:33:53 -0800
Subject: tcp: fix 0 divide in __tcp_select_window()

From: Eric Dumazet

[ Upstream commit 06425c308b92eaf60767bc71d359f4cbc7a561f8 ]

syzkaller fuzzer was able to trigger a divide by zero, when
TCP window scaling is not enabled.

SO_RCVBUF can be used not only to increase sk_rcvbuf, also
to decrease it below current receive buffers utilization.

If mss is negative or 0, just return a zero TCP window.

Signed-off-by: Eric Dumazet
Reported-by: Dmitry Vyukov
Acked-by: Neal Cardwell
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/ipv4/tcp_output.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2383,9 +2383,11 @@ u32 __tcp_select_window(struct sock *sk) int full_space = min_t(int, tp->window_clamp, allowed_space); int window; - if (mss > full_space) + if (unlikely(mss > full_space)) { mss = full_space; - + if (mss <= 0) + return 0; + } if (free_space < (full_space >> 1)) { icsk->icsk_ack.quick = 0; Patches currently in stable-queue which might be from edumazet@google.com are queue-4.4/ipv6-pointer-math-error-in-ip6_tnl_parse_tlv_enc_lim.patch queue-4.4/netlabel-out-of-bound-access-in-cipso_v4_validate.patch queue-4.4/packet-round-up-linear-to-header-len.patch queue-4.4/tun-read-vnet_hdr_sz-once.patch queue-4.4/ipv6-fix-ip6_tnl_parse_tlv_enc_lim.patch queue-4.4/l2tp-do-not-use-udp_ioctl.patch queue-4.4/tcp-fix-0-divide-in-__tcp_select_window.patch queue-4.4/can-fix-kernel-panic-at-security_sock_rcv_skb.patch queue-4.4/net-introduce-device-min_header_len.patch queue-4.4/macvtap-read-vnet_hdr_size-once.patch queue-4.4/tcp-avoid-infinite-loop-in-tcp_splice_read.patch queue-4.4/mlx4-invoke-softirqs-after-napi_reschedule.patch queue-4.4/ipv6-tcp-add-a-missing-tcp_v6_restore_cb.patch queue-4.4/ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch queue-4.4/net-use-a-work-queue-to-defer-net_disable_timestamp-work.patch queue-4.4/ip6_gre-fix-ip6gre_err-invalid-reads.patch
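Review bot: in the `if (unlikely(mss > full_space))` block, the new `if (mss <= 0) return 0;` only executes after mss has been clamped down to full_space, so the guard relies on mss being positive on entry and on the non-positive value arriving only through full_space. That matches the commit message (SO_RCVBUF shrinking sk_rcvbuf below current utilization pushes full_space to zero or negative), but nothing in the hunk says so, and the division this early return protects is outside the visible context. A one-line comment above the block, e.g. `/* full_space can be <= 0 after SO_RCVBUF shrinks sk_rcvbuf; return a zero window instead of dividing by mss later */`, would stop the next reader from hoisting the `mss <= 0` check out of the branch or dropping it as redundant.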