From patchwork Wed Oct 18 21:20:30 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Dumazet <eric.dumazet@gmail.com>
X-Patchwork-Id: 827827
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="hr9czocE"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3yHQ2Y3YP2z9t75
	for <patchwork-incoming@ozlabs.org>;
	Thu, 19 Oct 2017 08:20:37 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751091AbdJRVUf (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Wed, 18 Oct 2017 17:20:35 -0400
Received: from mail-io0-f194.google.com ([209.85.223.194]:44850 "EHLO
	mail-io0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750853AbdJRVUe (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 18 Oct 2017 17:20:34 -0400
Received: by mail-io0-f194.google.com with SMTP id m16so7779577iod.1
	for <netdev@vger.kernel.org>; Wed, 18 Oct 2017 14:20:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=message-id:subject:from:to:cc:date:mime-version
	:content-transfer-encoding;
	bh=Q2Zk6tYwzU2kzDzLbIszCA3Emh4wEzo7BL0vLxBmmMo=;
	b=hr9czocExEy8BESa0mp2VNaHLJKvfvsiUr/YzK8fZF5riPecAudU8tIjSenuqyev5o
	9Zc4A0f3dTcZr3YkTvjSAFLuw9RLZUTxSjpxTS/NX2opz2f1u1YUA95LeZkqH6+nmCn4
	rO2s6tyoAgA/pvJWbhnA/MF44sCTLtNJb/1I6+eoXMXRxwPEeEaLDzWUUYJFUJD3sbqv
	SDAMNCRQH+fGsBsNBef/lHjYGIkmFDFVCi8knDgKTFe7DFVe36sMQOii4LAAgCajLwQT
	hLHcrNaZZew71JDMQmW9AXrdKIPXpwYHkr7pLEjynRN2uy7qpBnwp33NyEbj/BdCsCSN
	+yVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:message-id:subject:from:to:cc:date:mime-version
	:content-transfer-encoding;
	bh=Q2Zk6tYwzU2kzDzLbIszCA3Emh4wEzo7BL0vLxBmmMo=;
	b=AKp21/a85jjsJiezMOfFLU+kfxZvc6eDOCWGAfPnmuzlPPNHkOe0MAYJ+ZhZ2pxPkl
	DyO9Mala3yc+K1J3bK2ZM5kCR7hjuVyLrW3XPSkcQTUBmGVXxdbFQjc5ma0bNf2ssy6W
	DdaBrYSGXFzvOnxNu7xNaCAO/hO/Gggd29n39sMYC5kceAaMNhfsHdCX2c1vtE2+HC7W
	WlbR0ScE2zl+loPBuyLywcXa6uNN2YhU5CpbvjxMm+PwIPWWEjKxMI8VFBz7OjpWws7T
	DiPWEsIdDFwzFFs3V7rI9ttvCr0Oz7pShynaIKc1p7hliucPcyuMwFWqrqBgl69lx1Wn
	g0cQ==
X-Gm-Message-State: AMCzsaVMu3AxhTDawwtZedU163ZPeC6PKl1SJC3xx0oLJJsFewviRHRU
	kxu57YyTy0IudgbAjeJmquc=
X-Google-Smtp-Source: 
 AOwi7QAQnenK8aQQxo0hQ2sW/3MgNpy/qvowu2fjKjoVqUxGpmgOdxzfKmRr4KODEz0DuAu2uLXZjw==
X-Received: by 10.107.12.141 with SMTP id 13mr24071800iom.1.1508361633750;
	Wed, 18 Oct 2017 14:20:33 -0700 (PDT)
Received: from ?IPv6:2620:15c:2c1:100:8c3b:83ae:17c4:e83?
	([2620:15c:2c1:100:8c3b:83ae:17c4:e83])
	by smtp.googlemail.com with ESMTPSA id
	8sm6360965iob.32.2017.10.18.14.20.31
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 18 Oct 2017 14:20:32 -0700 (PDT)
Message-ID: 
 <1508361630.31614.142.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: [PATCH net-next] tcp: fix tcp_send_syn_data()
From: Eric Dumazet <eric.dumazet@gmail.com>
To: David Miller <davem@davemloft.net>
Cc: netdev <netdev@vger.kernel.org>, Yuchung Cheng <ycheng@google.com>,
	Eric Dumazet <edumazet@google.com>
Date: Wed, 18 Oct 2017 14:20:30 -0700
X-Mailer: Evolution 3.10.4-0ubuntu2 
Mime-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet <edumazet@google.com>

syn_data was allocated by sk_stream_alloc_skb(), meaning
its destructor and _skb_refdst fields are mangled.

We need to call tcp_skb_tsorted_anchor_cleanup() before
calling kfree_skb() or kernel crashes.

Bug was reported by syzkaller bot.

Fixes: e2080072ed2d ("tcp: new list for sent but unacked skbs for RACK recovery")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
---
 net/ipv4/tcp_output.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 53dc1267c85e668d9a6d5d60d24e6101f7a9c56b..988733f289c8c43f3ed88a9ae1b7f272ab8de1a2 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3383,6 +3383,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
 		int copied = copy_from_iter(skb_put(syn_data, space), space,
 					    &fo->data->msg_iter);
 		if (unlikely(!copied)) {
+			tcp_skb_tsorted_anchor_cleanup(syn_data);
 			kfree_skb(syn_data);
 			goto fallback;
 		}