From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Miller <davem@davemloft.net>
Subject: Re: [PATCH net] tcp: clear tp->packets_out when purging write queue
Date: Mon, 16 Apr 2018 11:24:23 -0400 (EDT)
Message-ID: <20180416.112423.213965082126992047.davem@davemloft.net>
References: <20180415004446.73081-1-soheil.kdev@gmail.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, ycheng@google.com, ncardwell@google.com,
        subashab@codeaurora.org, hvtaifwkbgefbaei@gmail.com,
        soheil@google.com, edumazet@google.com
To: soheil.kdev@gmail.com
Return-path: <netdev-owner@vger.kernel.org>
Received: from shards.monkeyblade.net ([184.105.139.130]:42632 "EHLO
        shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750708AbeDPPYZ (ORCPT
        <rfc822;netdev@vger.kernel.org>); Mon, 16 Apr 2018 11:24:25 -0400
In-Reply-To: <20180415004446.73081-1-soheil.kdev@gmail.com>
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

From: Soheil Hassas Yeganeh <soheil.kdev@gmail.com>
Date: Sat, 14 Apr 2018 20:44:46 -0400

> From: Soheil Hassas Yeganeh <soheil@google.com>
> 
> Clear tp->packets_out when purging the write queue, otherwise
> tcp_rearm_rto() mistakenly assumes TCP write queue is not empty.
> This results in NULL pointer dereference.
> 
> Also, remove the redundant `tp->packets_out = 0` from
> tcp_disconnect(), since tcp_disconnect() calls
> tcp_write_queue_purge().
> 
> Fixes: a27fd7a8ed38 (tcp: purge write queue upon RST)
> Reported-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
> Reported-by: Sami Farin <hvtaifwkbgefbaei@gmail.com>
> Tested-by: Sami Farin <hvtaifwkbgefbaei@gmail.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
> Acked-by: Yuchung Cheng <ycheng@google.com>
> Acked-by: Neal Cardwell <ncardwell@google.com>

Applied and queued up for -stable, thanks.