android_kernel_google_msm/include/net
Eric Dumazet 1c6a02e572 tcp: fix use after free in tcp_xmit_retransmit_queue()
When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()

Then it attempts to copy user data into this fresh skb.

If the copy fails, we undo the work and remove the fresh skb.

Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)

Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.

This bug was found by Marco Grassi thanks to syzkaller.

Change-Id: I264f97d30d0a623011d9ee811c63fa0e0c2149a2
Fixes: 6859d49475 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-10-31 23:36:25 +11:00
9p
bluetooth Bluetooth: Introduce new security level 2013-03-15 17:08:18 -07:00
caif
irda
iucv af_iucv: add shutdown for HS transport 2012-03-07 22:52:24 -08:00
netfilter netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len 2016-10-29 23:12:10 +08:00
netns net: support marking accepting TCP sockets 2014-05-12 22:43:02 -07:00
nfc NFC: NCI code identation fixes 2012-03-06 15:16:25 -05:00
phonet
sctp sctp: check cached dst before using it 2012-05-10 23:15:47 -04:00
tc_act
act_api.h
activity_stats.h net: activity_stats: Add statistics for network transmission activity 2012-04-09 13:57:50 -07:00
addrconf.h ipv6: clean up anycast when an interface is destroyed 2016-10-29 23:12:33 +08:00
af_ieee802154.h
af_rxrpc.h
af_unix.h switch unix_sock to struct path 2012-03-20 21:29:41 -04:00
ah.h
arp.h ipv4: Eliminate spurious argument to __ipv4_neigh_lookup 2012-02-15 17:48:35 -05:00
atmclip.h
ax25.h
ax88796.h
cfg80211-wext.h
cfg80211.h cfg80211: add flags to define country IE processing rules 2014-02-10 15:57:17 -08:00
checksum.h
cipso_ipv4.h
cls_cgroup.h
compat.h net: get rid of some pointless casts to sockaddr 2012-03-11 19:11:22 -07:00
datalink.h
dcbevent.h
dcbnl.h net: dcb: getnumtcs()/setnumtcs() should return an int 2012-03-02 18:16:49 -08:00
dn.h decnet: net/dn.h needs net/flow.h 2012-02-15 16:37:44 -05:00
dn_dev.h
dn_fib.h
dn_neigh.h
dn_nsp.h
dn_route.h
dsa.h
dsfield.h
dst.h set fake_rtable's dst to NULL to avoid kernel Oops 2012-04-24 00:16:24 -04:00
dst_ops.h
esp.h
ethoc.h
fib_rules.h net: core: Support UID-based routing. 2014-07-08 16:55:52 -07:00
flow.h net: core: Support UID-based routing. 2014-07-08 16:55:52 -07:00
flow_keys.h
garp.h
gen_stats.h
genetlink.h
gre.h
icmp.h
ieee80211_radiotap.h
ieee802154.h
ieee802154_netdev.h
if_inet6.h
inet6_connection_sock.h
inet6_hashtables.h ipv6: use a stronger hash for tcp 2013-09-25 17:01:33 +00:00
inet_common.h
inet_connection_sock.h
inet_ecn.h
inet_frag.h
inet_hashtables.h
inet_sock.h net: support marking accepting TCP sockets 2014-05-12 22:43:02 -07:00
inet_timewait_sock.h
inetpeer.h route: Remove redirect_genid 2012-03-08 00:30:32 -08:00
ip.h ipv4: try to cache dst_entries which would cause a redirect 2016-10-29 23:12:10 +08:00
ip6_checksum.h
ip6_fib.h ipv6: clean up rt6_clean_expires 2012-04-17 22:31:59 -04:00
ip6_route.h
ip6_tunnel.h
ip_fib.h
ip_vs.h ipvs: kernel oops - do_ip_vs_get_ctl 2012-04-30 10:40:35 +02:00
ipcomp.h
ipconfig.h
ipip.h
ipv6.h ipv6: add complete rcu protection around np->opt 2016-06-17 02:54:32 +00:00
ipx.h
iw_handler.h
lapb.h
lib80211.h
llc.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
mac80211.h mac80211: Convert WARN_ON to WARN_ON_ONCE 2012-04-09 15:54:48 -04:00
mip6.h
mld.h
ndisc.h
neighbour.h
net_namespace.h proc: Usable inode numbers for the namespace file descriptors. 2015-07-13 11:18:01 -07:00
net_ratelimit.h
netdma.h
netevent.h
netlabel.h
netlink.h
netprio_cgroup.h netprio_cgroup: fix wrong memory access when NETPRIO_CGROUP=m 2012-02-10 15:08:57 -05:00
netrom.h
nexthop.h
nl802154.h
p8022.h
ping.h net: ipv6: Add IPv6 support to the ping socket. 2013-08-21 13:34:09 +09:00
pkt_cls.h
pkt_sched.h net: sched: export an api to enable/disable flow on sch 2013-03-07 15:20:04 -08:00
protocol.h
psnap.h
raw.h
rawv6.h
red.h net_sched: red: Make minor corrections to comments 2012-04-16 23:53:11 -04:00
regulatory.h
request_sock.h
rose.h
route.h Handle 'sk' being NULL in UID-based routing. 2014-07-08 16:56:04 -07:00
rtnetlink.h rtnetlink: Fix problem with buffer allocation 2012-02-21 16:56:45 -05:00
sch_generic.h net: Make qdisc_skb_cb upper size bound explicit. 2012-02-09 13:50:34 -05:00
scm.h af_netlink: force credentials passing [CVE-2012-3520] 2013-03-04 12:46:00 -08:00
secure_seq.h net: defer net_secret[] initialization 2013-09-25 17:01:47 +00:00
slhc_vj.h
snmp.h
sock.h net: add validation for the socket syscall protocol argument 2016-10-29 23:12:11 +08:00
stp.h
tcp.h tcp: fix use after free in tcp_xmit_retransmit_queue() 2016-10-31 23:36:25 +11:00
tcp_memcontrol.h
tcp_states.h
timewait_sock.h BUG: headers with BUG/BUG_ON etc. need linux/bug.h 2012-03-04 17:54:34 -05:00
transp_v6.h net: ipv6: Add IPv6 support to the ping socket. 2013-08-21 13:34:09 +09:00
udp.h BUG: headers with BUG/BUG_ON etc. need linux/bug.h 2012-03-04 17:54:34 -05:00
udplite.h net: ipv4: Standardize prefixes for message logging 2012-03-12 17:05:21 -07:00
wext.h
wimax.h
wpan-phy.h BUG: headers with BUG/BUG_ON etc. need linux/bug.h 2012-03-04 17:54:34 -05:00
x25.h
x25device.h
xfrm.h xfrm: remove unneeded method typedef declaration in net/xfrm.h. 2012-02-25 20:19:24 -05:00