linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 03/84] dccp: purge write queue in dccp_destroy_sock()
Date: Mon, 28 Aug 2017 10:04:28 +0200
Message-ID: <20170828080529.664303637@linuxfoundation.org>
In-Reply-To: <20170828080529.526391781@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>


[ Upstream commit 7749d4ff88d31b0be17c8683143135adaaadc6a7 ]

syzkaller reported that DCCP could have a non-empty
write queue at dismantle time.

WARNING: CPU: 1 PID: 2953 at net/core/stream.c:199 sk_stream_kill_queues+0x3ce/0x520 net/core/stream.c:199
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 2953 Comm: syz-executor0 Not tainted 4.13.0-rc4+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 panic+0x1e4/0x417 kernel/panic.c:180
 __warn+0x1c4/0x1d9 kernel/panic.c:541
 report_bug+0x211/0x2d0 lib/bug.c:183
 fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:190
 do_trap_no_signal arch/x86/kernel/traps.c:224 [inline]
 do_trap+0x260/0x390 arch/x86/kernel/traps.c:273
 do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:310
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:323
 invalid_op+0x1e/0x30 arch/x86/entry/entry_64.S:846
RIP: 0010:sk_stream_kill_queues+0x3ce/0x520 net/core/stream.c:199
RSP: 0018:ffff8801d182f108 EFLAGS: 00010297
RAX: ffff8801d1144140 RBX: ffff8801d13cb280 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff85137b00 RDI: ffff8801d13cb280
RBP: ffff8801d182f148 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801d13cb4d0
R13: ffff8801d13cb3b8 R14: ffff8801d13cb300 R15: ffff8801d13cb3b8
 inet_csk_destroy_sock+0x175/0x3f0 net/ipv4/inet_connection_sock.c:835
 dccp_close+0x84d/0xc10 net/dccp/proto.c:1067
 inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
 sock_release+0x8d/0x1e0 net/socket.c:597
 sock_close+0x16/0x20 net/socket.c:1126
 __fput+0x327/0x7e0 fs/file_table.c:210
 ____fput+0x15/0x20 fs/file_table.c:246
 task_work_run+0x18a/0x260 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0xa32/0x1b10 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:969
 get_signal+0x7e8/0x17e0 kernel/signal.c:2330
 do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808
 exit_to_usermode_loop+0x21c/0x2d0 arch/x86/entry/common.c:157
 prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
 syscall_return_slowpath+0x3a7/0x450 arch/x86/entry/common.c:263

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/dccp/proto.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -201,10 +201,7 @@ void dccp_destroy_sock(struct sock *sk)
 {
 	struct dccp_sock *dp = dccp_sk(sk);
 
-	/*
-	 * DCCP doesn't use sk_write_queue, just sk_send_head
-	 * for retransmissions
-	 */
+	__skb_queue_purge(&sk->sk_write_queue);
 	if (sk->sk_send_head != NULL) {
 		kfree_skb(sk->sk_send_head);
 		sk->sk_send_head = NULL;
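Review bot: the comment removed in this hunk was the only place in dccp_destroy_sock() that documented how DCCP uses sk_write_queue versus sk_send_head, and the replacement line `__skb_queue_purge(&sk->sk_write_queue);` carries no explanation, so a reader no longer learns that the queue is expected to be empty in normal operation and is purged here only because sk_stream_kill_queues() warns (net/core/stream.c:199 in the trace above) when it is not. Suggest keeping a short comment above the purge, for example `/* sk_write_queue may be non-empty at dismantle time; purge it before sk_stream_kill_queues() checks it. */`, and, since the commit message does not say which path leaves the queue populated, naming that path in the comment if it is known. Using the unlocked __skb_queue_purge() is consistent with the existing code directly below, which frees sk_send_head without taking a queue lock.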


Thread overview: 88+ messages
2017-08-28  8:04 [PATCH 4.9 00/84] 4.9.46-stable review Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 01/84] sparc64: remove unnecessary log message Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 02/84] af_key: do not use GFP_KERNEL in atomic contexts Greg Kroah-Hartman
2017-08-28  8:04 ` Greg Kroah-Hartman [this message]
2017-08-28  8:04 ` [PATCH 4.9 04/84] dccp: defer ccid_hc_tx_delete() at dismantle time Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 05/84] ipv4: fix NULL dereference in free_fib_info_rcu() Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 06/84] net_sched/sfq: update hierarchical backlog when drop packet Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 07/84] net_sched: remove warning from qdisc_hash_add Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 08/84] bpf: fix bpf_trace_printk on 32 bit archs Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 09/84] openvswitch: fix skb_panic due to the incorrect actions attrlen Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 10/84] ptr_ring: use kmalloc_array() Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 11/84] ipv4: better IP_MAX_MTU enforcement Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 12/84] nfp: fix infinite loop on umapping cleanup Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 13/84] sctp: fully initialize the IPv6 address in sctp_v6_to_addr() Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 14/84] tipc: fix use-after-free Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 15/84] ipv6: reset fn->rr_ptr when replacing route Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 16/84] ipv6: repair fib6 tree in failure case Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 17/84] tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 18/84] net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 19/84] irda: do not leak initialized list.dev to userspace Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 20/84] net: sched: fix NULL pointer dereference when action calls some targets Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 21/84] net_sched: fix order of queue length updates in qdisc_replace() Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 22/84] bpf, verifier: add additional patterns to evaluate_reg_imm_alu Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 23/84] bpf: adjust verifier heuristics Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 24/84] bpf, verifier: fix alu ops against map_value{, _adj} register types Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 25/84] bpf: fix mixed signed/unsigned derived min/max value bounds Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 26/84] bpf/verifier: fix min/max handling in BPF_SUB Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 27/84] Input: trackpoint - add new trackpoint firmware ID Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 28/84] Input: elan_i2c - add ELAN0602 ACPI ID to support Lenovo Yoga310 Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 29/84] Input: ALPS - fix two-finger scroll breakage in right side on ALPS touchpad Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 30/84] KVM: s390: sthyi: fix sthyi inline assembly Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 31/84] KVM: s390: sthyi: fix specification exception detection Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 32/84] KVM: x86: block guest protection keys unless the host has them enabled Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 33/84] ALSA: usb-audio: Add delay quirk for H650e/Jabra 550a USB headsets Greg Kroah-Hartman
2017-08-28  8:04 ` [PATCH 4.9 34/84] ALSA: core: Fix unexpected error at replacing user TLV Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 35/84] ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978) Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 36/84] ALSA: firewire: fix NULL pointer dereference when releasing uninitialized data of iso-resource Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 37/84] ARCv2: PAE40: Explicitly set MSB counterpart of SLC region ops addresses Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 38/84] mm, shmem: fix handling /sys/kernel/mm/transparent_hugepage/shmem_enabled Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 39/84] i2c: designware: Fix system suspend Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 40/84] mm/madvise.c: fix freeing of locked page with MADV_FREE Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 41/84] fork: fix incorrect fput of ->exe_file causing use-after-free Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 42/84] mm/memblock.c: reversed logic in memblock_discard() Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 44/84] drm/atomic: If the atomic check fails, return its value first Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 45/84] drm: rcar-du: Fix crash in encoder failure error path Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 46/84] drm: rcar-du: Fix display timing controller parameter Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 47/84] drm: rcar-du: Fix H/V sync signal polarity configuration Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 48/84] tracing: Call clear_boot_tracer() at lateinit_sync Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 49/84] tracing: Fix kmemleak in tracing_map_array_free() Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 50/84] tracing: Fix freeing of filter in create_filter() when set_str is false Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 51/84] kbuild: linker script do not match C names unless LD_DEAD_CODE_DATA_ELIMINATION is configured Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 52/84] cifs: Fix df output for users with quota limits Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 53/84] cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup() Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 54/84] nfsd: Limit end of page list when decoding NFSv4 WRITE Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 55/84] ftrace: Check for null ret_stack on profile function graph entry function Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 56/84] perf/core: Fix group {cpu,task} validation Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 57/84] perf probe: Fix --funcs to show correct symbols for offline module Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 58/84] perf/x86/intel/rapl: Make package handling more robust Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 59/84] timers: Fix excessive granularity of new timers after a nohz idle Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 60/84] x86/mm: Fix use-after-free of ldt_struct Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 61/84] net: sunrpc: svcsock: fix NULL-pointer exception Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 62/84] Revert "leds: handle suspend/resume in heartbeat trigger" Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 63/84] netfilter: nat: fix src map lookup Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 64/84] Bluetooth: hidp: fix possible might sleep error in hidp_session_thread Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 65/84] Bluetooth: cmtp: fix possible might sleep error in cmtp_session Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 66/84] Bluetooth: bnep: fix possible might sleep error in bnep_session Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 67/84] Revert "android: binder: Sanity check at binder ioctl" Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 68/84] binder: use group leader instead of open thread Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 69/84] binder: Use wake up hint for synchronous transactions Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 70/84] ANDROID: binder: fix proc->tsk check Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 71/84] iio: imu: adis16480: Fix acceleration scale factor for adis16480 Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 72/84] iio: hid-sensor-trigger: Fix the race with user space powering up sensors Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 73/84] staging: rtl8188eu: add RNX-N150NUB support Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 74/84] Clarify (and fix) MAX_LFS_FILESIZE macros Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 75/84] ntb_transport: fix qp count bug Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 76/84] ntb_transport: fix bug calculating num_qps_mw Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 77/84] NTB: ntb_test: fix bug printing ntb_perf results Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 78/84] ntb: no sleep in ntb_async_tx_submit Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 79/84] ntb: ntb_test: ensure the link is up before trying to configure the mws Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 80/84] ntb: transport shouldnt disable link due to bogus values in SPADs Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 81/84] ACPI: ioapic: Clear on-stack resource before using it Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 82/84] ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 83/84] ACPI: EC: Fix regression related to wrong ECDT initialization order Greg Kroah-Hartman
2017-08-28  8:05 ` [PATCH 4.9 84/84] powerpc/mm: Ensure cpumask update is ordered Greg Kroah-Hartman
2017-08-28 19:39 ` [PATCH 4.9 00/84] 4.9.46-stable review Shuah Khan
2017-08-29  0:10 ` Guenter Roeck
2017-08-29 12:02 ` Sumit Semwal
2017-08-29 15:17   ` Greg Kroah-Hartman
