tcp: avoid infinite loop in tcp_splice_read()

Splicing from TCP socket is vulnerable when a packet with URG flag is received and stored into receive queue.

__tcp_splice_read() returns 0, and sk_wait_data() immediately returns since there is the problematic skb in queue.

This is a nice way to burn cpu (aka infinite loop) and trigger soft lockups.

Again, this gem was found by syzkaller tool.

Change-Id: Ie3407c32dee061d082554bb4ac134058bcdfa980
Tracked-On: https://jira01.devtools.intel.com/browse/AW-7202
Fixes: 9c55e01c ("[TCP]: Splice receive support.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Wajdix Zairi <wajdix.zairi@intel.com>
Reviewed-on: https://android.intel.com/600352
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>