UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity

tcp: fix tcp_send_syn_data() 

syn_data was allocated by sk_stream_alloc_skb(), meaning
its destructor and _skb_refdst fields are mangled.

We need to call tcp_skb_tsorted_anchor_cleanup() before
calling kfree_skb() or kernel crashes.

Bug was reported by syzkaller bot.

Fixes: e2080072ed ("tcp: new list for sent but unacked skbs for RACK recovery")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Dumazet 2017-10-18 14:20:30 -07:00 committed by David S. Miller
parent 27188af5ab
commit ba233b3474
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
net/ipv4/tcp_output.c
View File

@ -3383,6 +3383,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
int copied = copy_from_iter(skb_put(syn_data, space), space, int copied = copy_from_iter(skb_put(syn_data, space), space,
&fo->data->msg_iter); &fo->data->msg_iter);
if (unlikely(!copied)) { if (unlikely(!copied)) {
tcp_skb_tsorted_anchor_cleanup(syn_data);
kfree_skb(syn_data); kfree_skb(syn_data);
goto fallback; goto fallback;
} }