Subject: Patch "tcp: avoid infinite loop in tcp_splice_read()" has been added to the 4.9-stable tree
To: edumazet@google.com, davem@davemloft.net, dvyukov@google.com, gregkh@linuxfoundation.org, w@1wt.eu
Cc:
From:
Date: Tue, 14 Feb 2017 17:04:09 -0800
Message-ID: <1487120649186223@kroah.com>
Sender: stable-owner@vger.kernel.org

This is a note to let you know that I've just added the patch titled

    tcp: avoid infinite loop in tcp_splice_read()

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    tcp-avoid-infinite-loop-in-tcp_splice_read.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.


>From foo@baz Tue Feb 14 17:03:08 PST 2017
From: Eric Dumazet
Date: Fri, 3 Feb 2017 14:59:38 -0800
Subject: tcp: avoid infinite loop in tcp_splice_read()

From: Eric Dumazet

[ Upstream commit ccf7abb93af09ad0868ae9033d1ca8108bdaec82 ]

Splicing from TCP socket is vulnerable when a packet with URG flag is
received and stored into receive queue.

__tcp_splice_read() returns 0, and sk_wait_data() immediately
returns since there is the problematic skb in queue.

This is a nice way to burn cpu (aka infinite loop) and trigger soft lockups.

Again, this gem was found by syzkaller tool.

Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
Signed-off-by: Eric Dumazet
Reported-by: Dmitry Vyukov
Cc: Willy Tarreau
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman --- net/ipv4/tcp.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -772,6 +772,12 @@ ssize_t tcp_splice_read(struct socket *s ret = -EAGAIN; break; } + /* if __tcp_splice_read() got nothing while we have + * an skb in receive queue, we do not want to loop. + * This might happen with URG data. + */ + if (!skb_queue_empty(&sk->sk_receive_queue)) + break; sk_wait_data(sk, &timeo, NULL); if (signal_pending(current)) { ret = sock_intr_errno(timeo); Patches currently in stable-queue which might be from edumazet@google.com are queue-4.9/ipv6-pointer-math-error-in-ip6_tnl_parse_tlv_enc_lim.patch queue-4.9/netlabel-out-of-bound-access-in-cipso_v4_validate.patch queue-4.9/packet-round-up-linear-to-header-len.patch queue-4.9/tun-read-vnet_hdr_sz-once.patch queue-4.9/ipv6-fix-ip6_tnl_parse_tlv_enc_lim.patch queue-4.9/l2tp-do-not-use-udp_ioctl.patch queue-4.9/tcp-fix-0-divide-in-__tcp_select_window.patch queue-4.9/can-fix-kernel-panic-at-security_sock_rcv_skb.patch queue-4.9/net-introduce-device-min_header_len.patch queue-4.9/macvtap-read-vnet_hdr_size-once.patch queue-4.9/tcp-avoid-infinite-loop-in-tcp_splice_read.patch queue-4.9/mlx4-invoke-softirqs-after-napi_reschedule.patch queue-4.9/ipv6-tcp-add-a-missing-tcp_v6_restore_cb.patch queue-4.9/ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch queue-4.9/net-use-a-work-queue-to-defer-net_disable_timestamp-work.patch queue-4.9/ip6_gre-fix-ip6gre_err-invalid-reads.patch
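Review bot: the new `if (!skb_queue_empty(&sk->sk_receive_queue)) break;` in the tcp_splice_read() hunk leaves `ret` at the 0 that the commit message says `__tcp_splice_read()` just returned, so a blocking caller that hits the URG case gets a zero-length result (which looks like end-of-stream to splice() users), whereas the `!timeo` branch directly above it returns `-EAGAIN` for the same "nothing spliced, data still queued" situation. The placement before `sk_wait_data(sk, &timeo, NULL)` is right, since with an skb already queued that call returns immediately and the loop spins, but the comment should say explicitly that returning 0 here is intended, or the branch should set an errno (for example `ret = -EAGAIN;` as in the branch above) so the asymmetry with the non-blocking path does not read as accidental.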