From: Eric Dumazet <edumazet@google.com>
Date: Wed, 18 Oct 2017 21:20:30 +0000 (-0700)
Subject: tcp: fix tcp_send_syn_data()
X-Git-Tag: v4.19~2168^2~382
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ba233b34741a1dc88d1e94db7deeb7b079ef4b9a;p=platform%2Fkernel%2Flinux-rpi.git

tcp: fix tcp_send_syn_data()

syn_data was allocated by sk_stream_alloc_skb(), meaning
its destructor and _skb_refdst fields are mangled.

We need to call tcp_skb_tsorted_anchor_cleanup() before
calling kfree_skb() or kernel crashes.

Bug was reported by syzkaller bot.

Fixes: e2080072ed2d ("tcp: new list for sent but unacked skbs for RACK recovery")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 53dc126..988733f 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3383,6 +3383,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
 		int copied = copy_from_iter(skb_put(syn_data, space), space,
 					    &fo->data->msg_iter);
 		if (unlikely(!copied)) {
+			tcp_skb_tsorted_anchor_cleanup(syn_data);
 			kfree_skb(syn_data);
 			goto fallback;
 		}