tcp: fix tcp_send_syn_data()

edumazet · davem330 · commit ba233b34741a · 2017-10-21T01:44:05.000+01:00
syn_data was allocated by sk_stream_alloc_skb(), meaning its destructor and _skb_refdst fields are mangled. We need to call tcp_skb_tsorted_anchor_cleanup() before calling kfree_skb() or kernel crashes. Bug was reported by syzkaller bot. Fixes: e208007 ("tcp: new list for sent but unacked skbs for RACK recovery") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Acked-by: Yuchung Cheng <ycheng@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
@@ -3383,6 +3383,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
 		int copied = copy_from_iter(skb_put(syn_data, space), space,
 					    &fo->data->msg_iter);
 		if (unlikely(!copied)) {
+			tcp_skb_tsorted_anchor_cleanup(syn_data);
 			kfree_skb(syn_data);
 			goto fallback;
 		}

Original file line number	Diff line number	Diff line change
`@@ -3383,6 +3383,7 @@ static int tcp_send_syn_data(struct sock sk, struct sk_buff syn)`
`3383`	`3383`	`int copied = copy_from_iter(skb_put(syn_data, space), space,`
`3384`	`3384`	`&fo->data->msg_iter);`
`3385`	`3385`	`if (unlikely(!copied)) {`
	`3386`	`+ tcp_skb_tsorted_anchor_cleanup(syn_data);`
`3386`	`3387`	`kfree_skb(syn_data);`
`3387`	`3388`	`goto fallback;`
`3388`	`3389`	`}`