tcp: fix NULL ref in tail loss probe
[ Upstream commit b2b7af861122a0c0f6260155c29a1b2e594cd5b5 ] TCP loss probe timer may fire when the retranmission queue is empty but has a non-zero tp->packets_out counter. tcp_send_loss_probe will call tcp_rearm_rto which triggers NULL pointer reference by fetching the retranmission queue head in its sub-routines. Add a more detailed warning to help catch the root cause of the inflight accounting inconsistency. Reported-by: Rafael Tinoco <rafael.tinoco@linaro.org> Signed-off-by: Yuchung Cheng <ycheng@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Yuchung Cheng
Greg Kroah-Hartman
parent
266b50e764
commit
ed7748bcf2
1 changed files with 8 additions and 4 deletions
|
|
@ -2263,14 +2263,18 @@ void tcp_send_loss_probe(struct sock *sk)
|
|||
skb = tcp_write_queue_tail(sk);
|
||||
}
|
||||
|
||||
if (unlikely(!skb)) {
|
||||
WARN_ONCE(tp->packets_out,
|
||||
"invalid inflight: %u state %u cwnd %u mss %d\n",
|
||||
tp->packets_out, sk->sk_state, tp->snd_cwnd, mss);
|
||||
inet_csk(sk)->icsk_pending = 0;
|
||||
return;
|
||||
}
|
||||
|
||||
/* At most one outstanding TLP retransmission. */
|
||||
if (tp->tlp_high_seq)
|
||||
goto rearm_timer;
|
||||
|
||||
/* Retransmit last segment. */
|
||||
if (WARN_ON(!skb))
|
||||
goto rearm_timer;
|
||||
|
||||
if (skb_still_in_host_queue(sk, skb))
|
||||
goto rearm_timer;
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue