Patch "tcp-repair: Handle zero-length data put in rcv queue" has been added to staging queue

Submitter Herton Ronaldo Krzesinski
Date Dec. 12, 2012, 5:11 a.m.
Herton Ronaldo Krzesinski - Dec. 12, 2012, 5:11 a.m.
This is a note to let you know that I have just added a patch titled

    tcp-repair: Handle zero-length data put in rcv queue

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From e1a53383dd9310bd01d3439a382a47ac5d4b1fbf Mon Sep 17 00:00:00 2001
From: Pavel Emelyanov <>
Date: Mon, 29 Oct 2012 05:05:33 +0000
Subject: [PATCH] tcp-repair: Handle zero-length data put in rcv queue

commit c454e6111d1ef4268fe98e87087216e51c2718c3 upstream.

When sending data into a tcp socket in repair state we should check
for the amount of data being 0 explicitly. Otherwise we'll have an skb
with seq == end_seq in rcv queue, but tcp doesn't expect this to happen
(in particular a warn_on in tcp_recvmsg shoots).

Signed-off-by: Pavel Emelyanov <>
Reported-by: Giorgos Mavrikas <>
Signed-off-by: David S. Miller <>
[ herton: unfuzz patch for 3.5, place size check before
  tcp_try_rmem_schedule ]
Signed-off-by: Herton Ronaldo Krzesinski <>
 net/ipv4/tcp_input.c |    3 +++
 1 file changed, 3 insertions(+)



diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index ab30c96..4a3cac8 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4713,6 +4713,9 @@  int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size)
 	struct tcphdr *th;
 	bool fragstolen;

+	if (size == 0)
+		return 0;
 	if (tcp_try_rmem_schedule(sk, size + sizeof(*th)))
 		goto err;
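Review bot: the new `if (size == 0)` early return at the top of tcp_send_rcvq() has no comment, so the reason a zero-length repair write is short-circuited is only recoverable from the commit message (an skb with seq == end_seq in the receive queue, which tcp_recvmsg warns about). A one-line comment above the check stating that invariant would keep a later cleanup from removing it as redundant. Placing the check ahead of tcp_try_rmem_schedule(), as the backport note says, means nothing has been charged when it returns, so skipping the `err` label is fine. As a style point, a blank line after `return 0;` would separate the argument check from the memory-scheduling test that follows.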