netdev.vger.kernel.org archive mirror
* [PATCH net] tcp: fix NULL ref in tail loss probe
From: Yuchung Cheng @ 2018-12-05 22:38 UTC
  To: davem; +Cc: gregkh, netdev, edumazet, ncardwell, rafael.tinoco, Yuchung Cheng

TCP loss probe timer may fire when the retransmission queue is empty but
has a non-zero tp->packets_out counter. tcp_send_loss_probe will call
tcp_rearm_rto which triggers NULL pointer reference by fetching the
retransmission queue head in its sub-routines.

Add a more detailed warning to help catch the root cause of the inflight
accounting inconsistency.

Reported-by: Rafael Tinoco <rafael.tinoco@linaro.org>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
---
 net/ipv4/tcp_output.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 68b5326f7321..9a1101095298 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2494,15 +2494,18 @@ void tcp_send_loss_probe(struct sock *sk)
 		goto rearm_timer;
 	}
 	skb = skb_rb_last(&sk->tcp_rtx_queue);
+	if (unlikely(!skb)) {
+		WARN_ONCE(tp->packets_out,
+			  "invalid inflight: %u state %u cwnd %u mss %d\n",
+			  tp->packets_out, sk->sk_state, tp->snd_cwnd, mss);
+		inet_csk(sk)->icsk_pending = 0;
+		return;
+	}
 
 	/* At most one outstanding TLP retransmission. */
 	if (tp->tlp_high_seq)
 		goto rearm_timer;
 
-	/* Retransmit last segment. */
-	if (WARN_ON(!skb))
-		goto rearm_timer;
-
 	if (skb_still_in_host_queue(sk, skb))
 		goto rearm_timer;
 
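Review bot: the new `if (unlikely(!skb))` block returns directly after clearing `icsk_pending`, where the removed `WARN_ON(!skb)` check used `goto rearm_timer`, and the reason for that difference appears only in the commit message (tcp_rearm_rto fetches the retransmission queue head). A short comment above the block saying that rearming is skipped on purpose because the rtx queue is empty would keep a later cleanup from restoring the goto. Since WARN_ONCE is conditioned on `tp->packets_out`, an empty queue with packets_out == 0 returns silently; if that state is expected here, the comment should say so. The `/* Retransmit last segment. */` comment is also dropped together with the old check although the code it described still follows, so consider keeping it.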
-- 
2.20.0.rc1.387.gf8505762e3-goog


* Re: [PATCH net] tcp: fix NULL ref in tail loss probe
From: David Miller @ 2018-12-06  0:35 UTC
  To: ycheng; +Cc: gregkh, netdev, edumazet, ncardwell, rafael.tinoco

From: Yuchung Cheng <ycheng@google.com>
Date: Wed,  5 Dec 2018 14:38:38 -0800

> TCP loss probe timer may fire when the retransmission queue is empty but
> has a non-zero tp->packets_out counter. tcp_send_loss_probe will call
> tcp_rearm_rto which triggers NULL pointer reference by fetching the
> retransmission queue head in its sub-routines.
> 
> Add a more detailed warning to help catch the root cause of the inflight
> accounting inconsistency.
> 
> Reported-by: Rafael Tinoco <rafael.tinoco@linaro.org>
> Signed-off-by: Yuchung Cheng <ycheng@google.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Neal Cardwell <ncardwell@google.com>

Applied, thanks for working to diagnose this so quickly.

