c5251bc7fb
CVE-2010-4165: possible kernel oops from user MSS
57 lines
1.9 KiB
Diff
57 lines
1.9 KiB
Diff
From 34eef919139f6a7558b43576b12b40731f12f7d7 Mon Sep 17 00:00:00 2001
|
|
From: David S. Miller <davem@davemloft.net>
|
|
Date: Fri, 12 Nov 2010 13:35:00 -0800
|
|
Subject: tcp: Don't change unlocked socket state in tcp_v4_err().
|
|
|
|
|
|
From: David S. Miller <davem@davemloft.net>
|
|
|
|
[ Upstream commit 8f49c2703b33519aaaccc63f571b465b9d2b3a2d ]
|
|
|
|
Alexey Kuznetsov noticed a regression introduced by
|
|
commit f1ecd5d9e7366609d640ff4040304ea197fbc618
|
|
("Revert Backoff [v3]: Revert RTO on ICMP destination unreachable")
|
|
|
|
The RTO and timer modification code added to tcp_v4_err()
|
|
doesn't check sock_owned_by_user(), which if true means we
|
|
don't have exclusive access to the socket and therefore cannot
|
|
modify it's critical state.
|
|
|
|
Just skip this new code block if sock_owned_by_user() is true
|
|
and eliminate the now superfluous sock_owned_by_user() code
|
|
block contained within.
|
|
|
|
Reported-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
|
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
CC: Damian Lukowski <damian@tvk.rwth-aachen.de>
|
|
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
|
|
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
---
|
|
net/ipv4/tcp_ipv4.c | 8 +++-----
|
|
1 file changed, 3 insertions(+), 5 deletions(-)
|
|
|
|
--- a/net/ipv4/tcp_ipv4.c
|
|
+++ b/net/ipv4/tcp_ipv4.c
|
|
@@ -415,6 +415,9 @@ void tcp_v4_err(struct sk_buff *icmp_skb
|
|
!icsk->icsk_backoff)
|
|
break;
|
|
|
|
+ if (sock_owned_by_user(sk))
|
|
+ break;
|
|
+
|
|
icsk->icsk_backoff--;
|
|
inet_csk(sk)->icsk_rto = __tcp_set_rto(tp) <<
|
|
icsk->icsk_backoff;
|
|
@@ -429,11 +432,6 @@ void tcp_v4_err(struct sk_buff *icmp_skb
|
|
if (remaining) {
|
|
inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
|
|
remaining, TCP_RTO_MAX);
|
|
- } else if (sock_owned_by_user(sk)) {
|
|
- /* RTO revert clocked out retransmission,
|
|
- * but socket is locked. Will defer. */
|
|
- inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
|
|
- HZ/20, TCP_RTO_MAX);
|
|
} else {
|
|
/* RTO revert clocked out retransmission.
|
|
* Will retransmit now */
|