On Wed, Oct 18, 2017 at 2:20 PM, Eric Dumazet <eric.duma...@gmail.com> wrote:
>
> From: Eric Dumazet <eduma...@google.com>
>
> syn_data was allocated by sk_stream_alloc_skb(), meaning
> its destructor and _skb_refdst fields are mangled.
>
> We need to call tcp_skb_tsorted_anchor_cleanup() before
> calling kfree_skb() or kernel crashes.
>
> Bug was reported by syzkaller bot.
>
> Fixes: e2080072ed2d ("tcp: new list for sent but unacked skbs for RACK
> recovery")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: Dmitry Vyukov <dvyu...@google.com>
Acked-by: Yuchung Cheng <ych...@google.com>
Thanks for the fix! > --- > net/ipv4/tcp_output.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c > index > 53dc1267c85e668d9a6d5d60d24e6101f7a9c56b..988733f289c8c43f3ed88a9ae1b7f272ab8de1a2 > 100644 > --- a/net/ipv4/tcp_output.c > +++ b/net/ipv4/tcp_output.c > @@ -3383,6 +3383,7 @@ static int tcp_send_syn_data(struct sock *sk, struct > sk_buff *syn) > int copied = copy_from_iter(skb_put(syn_data, space), space, > &fo->data->msg_iter); > if (unlikely(!copied)) { > + tcp_skb_tsorted_anchor_cleanup(syn_data); > kfree_skb(syn_data); > goto fallback; > } > >
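Review bot: the added tcp_skb_tsorted_anchor_cleanup(syn_data) call in the `if (unlikely(!copied))` branch repairs this one error path, but the rule it encodes (an skb obtained from sk_stream_alloc_skb() must have its tsorted anchor restored before kfree_skb(), because the destructor and _skb_refdst fields have been reused for the list anchor) is not visible at the call site; a one-line comment above `kfree_skb(syn_data);` saying why the cleanup is mandatory would keep the next person from dropping it, and since the same pairing is easy to miss elsewhere, it is worth auditing the other kfree_skb() callers on skbs allocated the same way or folding both calls into a small helper so the correct teardown is the only one available. The commit message could also carry the syzkaller crash signature, since it states the bot found the bug but gives no trace for anyone bisecting or matching a report later.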