tcp: make tcp_read_sock() more robust

[ Upstream commit e3d5ea2c011ecb16fb94c56a659364e6b30fac94 ]

If recv_actor() returns an incorrect value, tcp_read_sock()
might loop forever.

Instead, issue a one time warning and make sure to make progress.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20220302161723.3910001-2-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index f48f1059b31a6089fd8808a03f8a854051c5ad10..ef68d55e094483dac36e7adcf26e45ebe96e812b 100644 (file)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1663,11 +1663,13 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc,
                                if (!copied)
                                        copied = used;
                                break;
-                       } else if (used <= len) {
-                               seq += used;
-                               copied += used;
-                               offset += used;
                        }
+                       if (WARN_ON_ONCE(used > len))
+                               used = len;
+                       seq += used;
+                       copied += used;
+                       offset += used;
+
                        /* If recv_actor drops the lock (e.g. TCP splice
                         * receive) the skb pointer might be invalid when
                         * getting here: tcp_collapse might have deleted it