releases/2.6.32.17/tcp-fix-crash-in-tcp_xmit_retransmit_queue.patch

   1 From 45e77d314585869dfe43c82679f7e08c9b35b898 Mon Sep 17 00:00:00 2001
   2 From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
   3 Date: Mon, 19 Jul 2010 01:16:18 +0000
   4 Subject: tcp: fix crash in tcp_xmit_retransmit_queue
   5 MIME-Version: 1.0
   6 Content-Type: text/plain; charset=UTF-8
   7 Content-Transfer-Encoding: 8bit
   8
   9 From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
  10
  11 commit 45e77d314585869dfe43c82679f7e08c9b35b898 upstream.
  12
  13 It can happen that there are no packets in queue while calling
  14 tcp_xmit_retransmit_queue(). tcp_write_queue_head() then returns
  15 NULL and that gets deref'ed to get sacked into a local var.
  16
  17 There is no work to do if no packets are outstanding so we just
  18 exit early.
  19
  20 This oops was introduced by 08ebd1721ab8fd (tcp: remove tp->lost_out
  21 guard to make joining diff nicer).
  22
  23 Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
  24 Reported-by: Lennart Schulte <lennart.schulte@nets.rwth-aachen.de>
  25 Tested-by: Lennart Schulte <lennart.schulte@nets.rwth-aachen.de>
  26 Signed-off-by: David S. Miller <davem@davemloft.net>
  27 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  28
  29 ---
  30  net/ipv4/tcp_output.c |    3 +++
  31  1 file changed, 3 insertions(+)
  32
  33 --- a/net/ipv4/tcp_output.c
  34 +++ b/net/ipv4/tcp_output.c
  35 @@ -2037,6 +2037,9 @@ void tcp_xmit_retransmit_queue(struct so
  36         int mib_idx;
  37         int fwd_rexmitting = 0;
  38
  39 +       if (!tp->packets_out)
  40 +               return;
  41 +
  42         if (!tp->lost_out)
  43                 tp->retransmit_high = tp->snd_una;
  44