Patchwork [3.5.y.z,extended,stable] Patch "tcp-repair: Handle zero-length data put in rcv queue" has been added to staging queue

login
register
mail settings
Submitter Herton Ronaldo Krzesinski
Date Dec. 12, 2012, 5:11 a.m.
Message ID <1355289085-31255-1-git-send-email-herton.krzesinski@canonical.com>
Download mbox | patch
Permalink /patch/205414/
State New
Headers show

Comments

Herton Ronaldo Krzesinski - Dec. 12, 2012, 5:11 a.m.
This is a note to let you know that I have just added a patch titled

    tcp-repair: Handle zero-length data put in rcv queue

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Herton

------

From e1a53383dd9310bd01d3439a382a47ac5d4b1fbf Mon Sep 17 00:00:00 2001
From: Pavel Emelyanov <xemul@parallels.com>
Date: Mon, 29 Oct 2012 05:05:33 +0000
Subject: [PATCH] tcp-repair: Handle zero-length data put in rcv queue

commit c454e6111d1ef4268fe98e87087216e51c2718c3 upstream.

When sending data into a tcp socket in repair state we should check
for the amount of data being 0 explicitly. Otherwise we'll have an skb
with seq == end_seq in rcv queue, but tcp doesn't expect this to happen
(in particular a warn_on in tcp_recvmsg shoots).

Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Reported-by: Giorgos Mavrikas <gmavrikas@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ herton: unfuzz patch for 3.5, place size check before
  tcp_try_rmem_schedule ]
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
---
 net/ipv4/tcp_input.c |    3 +++
 1 file changed, 3 insertions(+)

--
1.7.9.5

Patch

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index ab30c96..4a3cac8 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4713,6 +4713,9 @@  int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size)
 	struct tcphdr *th;
 	bool fragstolen;

+	if (size == 0)
+		return 0;
+
 	if (tcp_try_rmem_schedule(sk, size + sizeof(*th)))
 		goto err;