RE: [PATCH net] tipc: avoid sending zero-length stream messages
From: Tung Quang Nguyen
Date: Wed May 06 2026 - 02:42:25 EST
>Subject: [PATCH net] tipc: avoid sending zero-length stream messages
>
>TIPC stream send currently enters the transmit loop even when the user
>payload length is zero. This can build and transmit a header-only connection
>message.
>
>For local TIPC sockets, such messages are delivered synchronously through the
>loopback receive path. When this happens while socket backlog processing is
>being flushed, reply transmission can re-enter TIPC receive processing
>repeatedly and trigger an RCU stall.
>
Can you demonstrate this scenario using code ? It is better to point out what current code is faulty.
>Make zero-length sends on connected SOCK_STREAM TIPC sockets a no-op
>after the existing connection/congestion wait has succeeded. Leave implicit
>connection setup and SOCK_SEQPACKET behavior unchanged.
>
>Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link
>congestion")
>Cc: stable@xxxxxxxxxxxxxxx
>Reported-by: syzbot+aa7d098bd6fa788fae8e@xxxxxxxxxxxxxxxxxxxxxxxxx
>Closes:
>https://lore.kernel.org/all/000000000000cedbc405ae81531f@xxxxxxxxxx/
>Closes: https://syzkaller.appspot.com/bug?extid=aa7d098bd6fa788fae8e
>Signed-off-by: Cássio Gabriel <cassiogabrielcontato@xxxxxxxxx>
>---
> net/tipc/socket.c | 2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/net/tipc/socket.c b/net/tipc/socket.c index
>9329919fb07f..3c7838713d74 100644
>--- a/net/tipc/socket.c
>+++ b/net/tipc/socket.c
>@@ -1585,6 +1585,8 @@ static int __tipc_sendstream(struct socket *sock,
>struct msghdr *m, size_t dlen)
> tipc_sk_connected(sk)));
> if (unlikely(rc))
> break;
>+ if (unlikely(!dlen && sk->sk_type == SOCK_STREAM))
>+ break;
This change is wrong. It immediately breaks normal connection set up because the ACK (zero in length) has no chance to be sent back from the server to the client.
Please try to test your patch before submission.
> send = min_t(size_t, dlen - sent, TIPC_MAX_USER_MSG_SIZE);
> blocks = tsk->snd_backlog;
> if (tsk->oneway++ >= tsk->nagle_start && maxnagle &&
>
>---
>base-commit: 95084f1883a760e0d4290698346759d58e2b944a
>change-id: 20260505-tipc-zero-length-stream-stall-2c3741de2c93
>
>Best regards,
>--
>Cássio Gabriel <cassiogabrielcontato@xxxxxxxxx>
>