Re: [3.1] Divide by zero in __tcp_select_window()

From: Eric Dumazet
Date: Mon Nov 14 2011 - 15:57:03 EST

Next message: Steven Rostedt: "Re: [PATCH 1/2] v3.2-rc1-52e4c2a05-rt1 fix for compile break"
Previous message: Andrew Watts: "Re: [OOPS]: Kernel 3.1 (ext3?)"
In reply to: Simon Kirby: "Re: [3.1] Divide by zero in __tcp_select_window()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Le lundi 14 novembre 2011 Ã 15:36 -0500, David Miller a Ãcrit :
> From: Eric Dumazet <eric.dumazet@xxxxxxxxx>
> Date: Tue, 08 Nov 2011 22:23:25 +0100
>
> > OK, it seems we let a timer running while we free the socket (same error
> > path than your previous bug report, because of the NULL route)
> >
> > We arm this keepalive timer in tcp_create_openreq_child()
> >
> > net/ipv4/tcp_minisocks.c:513
> > if (sock_flag(newsk, SOCK_KEEPOPEN))
> > inet_csk_reset_keepalive_timer(newsk,
> > keepalive_time_when(newtp));
> >
> > I would try to add a call to tcp_clear_xmit_timers() as well
> >
> > Please try following patch :
>
> We've been waiting quite some time to get some testing validation on
> this patch, but I think it's correct.
>
> Eric can you formally submit this? Thanks!

Sure, here it is.

Please Simon feel free to add your "Tested-by" signature

Thanks

[PATCH] tcp: clear xmit timers in tcp_v4_syn_recv_sock()

Simon Kirby reported divides by zero errors in __tcp_select_window()

This happens when inet_csk_route_child_sock() returns a NULL pointer :

We free new socket while we eventually armed keepalive timer in
tcp_create_openreq_child()

Fix this by a call to tcp_clear_xmit_timers()

[ This is a followup to commit 918eb39962dff (net: add missing
bh_unlock_sock() calls) ]

Reported-by: Simon Kirby <sim@xxxxxxxxxx>
Signed-off-by: Eric Dumazet <eric.dumazet@xxxxxxxxx>
---
net/ipv4/tcp_ipv4.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index a744315..a9db4b1 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1510,6 +1510,7 @@ exit:
NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
return NULL;
put_and_exit:
+ tcp_clear_xmit_timers(newsk);
bh_unlock_sock(newsk);
sock_put(newsk);
goto exit;

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Steven Rostedt: "Re: [PATCH 1/2] v3.2-rc1-52e4c2a05-rt1 fix for compile break"
Previous message: Andrew Watts: "Re: [OOPS]: Kernel 3.1 (ext3?)"
In reply to: Simon Kirby: "Re: [3.1] Divide by zero in __tcp_select_window()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]