
Commit d2bdf738 authored by Kaustubh Pandey, committed by Gerrit - the friendly Code Review server

net: tcp: check for NULL send head during MTU probe



skb_peek() can return NULL when the socket write queue is empty. This
causes problems when using tcp_for_write_queue_from_safe(), as this macro
resolves down to "for (tmp = skb->next; ...", causing a NULL dereference.
Fix this by indicating that the tcp send queue head can not be coalesced
as there is nothing in it. This fixes the following:
Unable to handle kernel NULL pointer dereference
pc : tcp_write_xmit+0xe1c/0x1210
lr : tcp_write_xmit+0x38/0x1210
Call trace:
 tcp_write_xmit+0xe1c/0x1210
 tcp_tsq_write+0x110/0x140
 tcp_tasklet_func+0x120/0x170
 tasklet_action_common+0xec/0x128
 tasklet_action+0x20/0x28

By ending the MTU probe because of the empty send head.

Change-Id: I0c3283c37ee69a4941c8d9e88519e586c7905d25
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Signed-off-by: Kaustubh Pandey <kapandey@codeaurora.org>
parent 774e9013
+3 −0
@@ -2071,6 +2071,9 @@ static bool tcp_can_coalesce_send_queue_head(struct sock *sk, int len)
	struct sk_buff *skb, *next;

	skb = tcp_send_head(sk);
	if (!skb)
		return false;

	tcp_for_write_queue_from_safe(skb, next, sk) {
		if (len <= skb->len)
			break;
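
Review bot: The new guard after "skb = tcp_send_head(sk);" has no comment, and a bare "return false" there reads as "the head cannot be coalesced" rather than "the write queue is empty, so there is nothing to probe with". Please add a one-line comment above "if (!skb)" saying that tcp_send_head() can return NULL on an empty write queue and that tcp_for_write_queue_from_safe() would otherwise read skb->next before the loop body runs. The commit message also does not say how the tcp_tsq_write path in the trace reaches this function with an empty queue; a sentence on that would help decide whether the caller should bail out earlier instead. A Fixes: tag naming the commit that introduced tcp_can_coalesce_send_queue_head() would make the change easier to backport.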