tcp: tcp_v4_err() should be more careful

[ Upstream commit 2c4cc9712364c051b1de2d175d5fbea6be948ebf ] ICMP handlers are not very often stressed, we should make them more resilient to bugs that might surface in the future. If there is no packet in retransmit queue, we should avoid a NULL deref. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: soukjin bae <soukjin.bae@samsung.com> Acked-by: Neal Cardwell <ncardwell@google.com> Acked-by: Soheil Hassas Yeganeh <soheil@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Eric Dumazet <edumazet@google.com> 2019-02-15 13:36:21 -0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-02-23 09:05:59 +0100
commit: 209d8d25fdbc0320c6c177c75e379beb95f71dcc (patch)
tree: 1fac102ffe4c8c3cdb7484097dd868d23b865ce0 /net/ipv4/tcp_ipv4.c
parent: cb24fd565e550a4af1e6edefe243241521291f6a (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 1ea0c91ba994..82c1064ff4aa 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -464,14 +464,15 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
 		if (sock_owned_by_user(sk))
 			break;
 
+		skb = tcp_write_queue_head(sk);
+		if (WARN_ON_ONCE(!skb))
+			break;
+
 		icsk->icsk_backoff--;
 		icsk->icsk_rto = tp->srtt_us ? __tcp_set_rto(tp) :
 					       TCP_TIMEOUT_INIT;
 		icsk->icsk_rto = inet_csk_rto_backoff(icsk, TCP_RTO_MAX);
 
-		skb = tcp_write_queue_head(sk);
-		BUG_ON(!skb);
-
 		remaining = icsk->icsk_rto -
 			    min(icsk->icsk_rto,
 				tcp_time_stamp - tcp_skb_timestamp(skb));
author	Eric Dumazet <edumazet@google.com>	2019-02-15 13:36:21 -0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-02-23 09:05:59 +0100
commit	209d8d25fdbc0320c6c177c75e379beb95f71dcc (patch)
tree	1fac102ffe4c8c3cdb7484097dd868d23b865ce0 /net/ipv4/tcp_ipv4.c
parent	cb24fd565e550a4af1e6edefe243241521291f6a (diff)