Commit b2b7af86 authored Dec 05, 2018 by Yuchung Cheng Committed by David S. Miller Dec 05, 2018

tcp: fix NULL ref in tail loss probe



TCP loss probe timer may fire when the retranmission queue is empty but
has a non-zero tp->packets_out counter. tcp_send_loss_probe will call
tcp_rearm_rto which triggers NULL pointer reference by fetching the
retranmission queue head in its sub-routines.

Add a more detailed warning to help catch the root cause of the inflight
accounting inconsistency.

Reported-by: Rafael Tinoco <rafael.tinoco@linaro.org>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 41727549

net/ipv4/tcp_output.c

+7 −4

Original line number	Diff line number	Diff line
		@@ -2497,15 +2497,18 @@ void tcp_send_loss_probe(struct sock *sk)
		goto rearm_timer;
		}
		skb = skb_rb_last(&sk->tcp_rtx_queue);
		if (unlikely(!skb)) {
		WARN_ONCE(tp->packets_out,
		"invalid inflight: %u state %u cwnd %u mss %d\n",
		tp->packets_out, sk->sk_state, tp->snd_cwnd, mss);
		inet_csk(sk)->icsk_pending = 0;
		return;
		}

		/* At most one outstanding TLP retransmission. */
		if (tp->tlp_high_seq)
		goto rearm_timer;

		/* Retransmit last segment. */
		if (WARN_ON(!skb))
		goto rearm_timer;

		if (skb_still_in_host_queue(sk, skb))
		goto rearm_timer;