From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Jason Baron <jbaron@akamai.com>,
Vladimir Rutsky <rutsky@google.com>,
Soheil Hassas Yeganeh <soheil@google.com>,
Neal Cardwell <ncardwell@google.com>,
Christoph Paasch <cpaasch@apple.com>
Subject: [PATCH 4.14 57/59] tcp: Reset send_head when removing skb from write-queue
Date: Fri, 20 Sep 2019 00:04:12 +0200 [thread overview]
Message-ID: <20190919214808.366745641@linuxfoundation.org> (raw)
In-Reply-To: <20190919214755.852282682@linuxfoundation.org>
From: Christoph Paasch <cpaasch@apple.com>
syzkaller is not happy since commit fdfc5c8594c2 ("tcp: remove empty skb
from write queue in error cases"):
CPU: 1 PID: 13814 Comm: syz-executor.4 Not tainted 4.14.143 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
task: ffff888040105c00 task.stack: ffff8880649c0000
RIP: 0010:tcp_sendmsg_locked+0x6b4/0x4390 net/ipv4/tcp.c:1350
RSP: 0018:ffff8880649cf718 EFLAGS: 00010206
RAX: 0000000000000014 RBX: 000000000000001e RCX: ffffc90000717000
RDX: 0000000000000077 RSI: ffffffff82e760f7 RDI: 00000000000000a0
RBP: ffff8880649cfaa8 R08: 1ffff1100c939e7a R09: ffff8880401063c8
R10: 0000000000000003 R11: 0000000000000001 R12: dffffc0000000000
R13: ffff888043d74750 R14: ffff888043d74500 R15: 000000000000001e
FS: 00007f0afcb6d700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2ca22000 CR3: 0000000040496004 CR4: 00000000003606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcp_sendmsg+0x2a/0x40 net/ipv4/tcp.c:1533
inet_sendmsg+0x173/0x4e0 net/ipv4/af_inet.c:784
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc3/0x100 net/socket.c:656
SYSC_sendto+0x35d/0x5e0 net/socket.c:1766
do_syscall_64+0x241/0x680 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The problem is that we are removing an skb from the write-queue that
could have been referenced by the sk_send_head. Thus, we need to check
for the send_head's sanity after removing it.
This patch needs to be backported only to 4.14 and older (among those
that applied the backport of fdfc5c8594c2).
Fixes: fdfc5c8594c2 ("tcp: remove empty skb from write queue in error cases")
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jason Baron <jbaron@akamai.com>
Cc: Vladimir Rutsky <rutsky@google.com>
Cc: Soheil Hassas Yeganeh <soheil@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -924,8 +924,7 @@ static void tcp_remove_empty_skb(struct
{
if (skb && !skb->len) {
tcp_unlink_write_queue(skb, sk);
- if (tcp_write_queue_empty(sk))
- tcp_chrono_stop(sk, TCP_CHRONO_BUSY);
+ tcp_check_send_head(sk, skb);
sk_wmem_free_skb(sk, skb);
}
}
next prev parent reply other threads:[~2019-09-19 22:29 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-19 22:03 [PATCH 4.14 00/59] 4.14.146-stable review Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 01/59] HID: wacom: generic: read HID_DG_CONTACTMAX from any feature report Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 02/59] Input: elan_i2c - remove Lenovo Legion Y7000 PnpID Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 03/59] powerpc/mm/radix: Use the right page size for vmemmap mapping Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 04/59] USB: usbcore: Fix slab-out-of-bounds bug during device reset Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 05/59] phy: renesas: rcar-gen3-usb2: Disable clearing VBUS in over-current Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 06/59] media: tm6000: double free if usb disconnect while streaming Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 07/59] xen-netfront: do not assume sk_buff_head list is empty in error handling Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 08/59] net_sched: let qdisc_put() accept NULL pointer Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 09/59] KVM: coalesced_mmio: add bounds checking Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 10/59] firmware: google: check if size is valid when decoding VPD data Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 11/59] serial: sprd: correct the wrong sequence of arguments Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 12/59] tty/serial: atmel: reschedule TX after RX was started Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 13/59] mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 14/59] nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 15/59] ARM: OMAP2+: Fix missing SYSC_HAS_RESET_STATUS for dra7 epwmss Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 16/59] s390/bpf: fix lcgr instruction encoding Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 17/59] ARM: OMAP2+: Fix omap4 errata warning on other SoCs Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 18/59] ARM: dts: dra74x: Fix iodelay configuration for mmc3 Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 19/59] s390/bpf: use 32-bit index for tail calls Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 20/59] fpga: altera-ps-spi: Fix getting of optional confd gpio Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 21/59] netfilter: xt_nfacct: Fix alignment mismatch in xt_nfacct_match_info Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 22/59] NFSv4: Fix return values for nfs4_file_open() Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 23/59] NFSv4: Fix return value in nfs_finish_open() Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 24/59] NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 25/59] Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105 Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 26/59] qed: Add cleanup in qed_slowpath_start() Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 27/59] ARM: 8874/1: mm: only adjust sections of valid mm structures Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 28/59] batman-adv: Only read OGM2 tvlv_len after buffer len check Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 29/59] r8152: Set memory to all 0xFFs on failed reg reads Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 30/59] x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 31/59] netfilter: nf_conntrack_ftp: Fix debug output Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 32/59] NFSv2: Fix eof handling Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 33/59] NFSv2: Fix write regression Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 34/59] kallsyms: Dont let kallsyms_lookup_size_offset() fail on retrieving the first symbol Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 35/59] cifs: set domainName when a domain-key is used in multiuser Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 36/59] cifs: Use kzfree() to zero out the password Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 37/59] ARM: 8901/1: add a criteria for pfn_valid of arm Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 38/59] sky2: Disable MSI on yet another ASUS boards (P6Xxxx) Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 39/59] i2c: designware: Synchronize IRQs when unregistering slave client Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 40/59] perf/x86/intel: Restrict period on Nehalem Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 41/59] perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 42/59] amd-xgbe: Fix error path in xgbe_mod_init() Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 43/59] tools/power x86_energy_perf_policy: Fix "uninitialized variable" warnings at -O2 Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.14 44/59] tools/power x86_energy_perf_policy: Fix argument parsing Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.14 45/59] tools/power turbostat: fix buffer overrun Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.14 46/59] net: seeq: Fix the function used to release some memory in an error handling path Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.14 47/59] dmaengine: ti: dma-crossbar: Fix a memory leak bug Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.14 48/59] dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe() Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.14 49/59] x86/uaccess: Dont leak the AC flags into __get_user() argument evaluation Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.14 50/59] x86/hyper-v: Fix overflow bug in fill_gva_list() Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.14 51/59] keys: Fix missing null pointer check in request_key_auth_describe() Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.14 52/59] iommu/amd: Flush old domains in kdump kernel Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.14 53/59] iommu/amd: Fix race in increase_address_space() Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.14 54/59] PCI: kirin: Fix section mismatch warning Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.14 55/59] floppy: fix usercopy direction Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.14 56/59] binfmt_elf: move brk out of mmap when doing direct loader exec Greg Kroah-Hartman
2019-09-19 22:04 ` Greg Kroah-Hartman [this message]
2019-09-19 22:04 ` [PATCH 4.14 58/59] tcp: Dont dequeue SYN/FIN-segments from write-queue Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.14 59/59] media: technisat-usb2: break out of loop at end of buffer Greg Kroah-Hartman
2019-09-20 3:19 ` [PATCH 4.14 00/59] 4.14.146-stable review kernelci.org bot
2019-09-20 8:47 ` Naresh Kamboju
2019-09-20 13:48 ` Jon Hunter
2019-09-20 13:48 ` Jon Hunter
2019-09-20 18:36 ` Guenter Roeck
2019-09-20 21:22 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190919214808.366745641@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=cpaasch@apple.com \
--cc=edumazet@google.com \
--cc=jbaron@akamai.com \
--cc=linux-kernel@vger.kernel.org \
--cc=ncardwell@google.com \
--cc=rutsky@google.com \
--cc=soheil@google.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.