• E
    tcp: repair: fix TCP_QUEUE_SEQ implementation · 6cd6cbf5
    Eric Dumazet 提交于
    When application uses TCP_QUEUE_SEQ socket option to
    change tp->rcv_next, we must also update tp->copied_seq.
    
    Otherwise, stuff relying on tcp_inq() being precise can
    eventually be confused.
    
    For example, tcp_zerocopy_receive() might crash because
    it does not expect tcp_recv_skb() to return NULL.
    
    We could add tests in various places to fix the issue,
    or simply make sure tcp_inq() wont return a random value,
    and leave fast path as it is.
    
    Note that this fixes ioctl(fd, SIOCINQ, &val) at the same
    time.
    
    Fixes: ee995283 ("tcp: Initial repair mode")
    Fixes: 05255b82 ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive")
    Signed-off-by: NEric Dumazet <edumazet@google.com>
    Reported-by: Nsyzbot <syzkaller@googlegroups.com>
    Signed-off-by: NDavid S. Miller <davem@davemloft.net>
    6cd6cbf5
tcp.c 105.2 KB