From: Greg KH on
2.6.33-stable review patch. If anyone has any objections, please let us know.

------------------

From: Ilpo Järvinen <ilpo.jarvinen(a)helsinki.fi>

commit 45e77d314585869dfe43c82679f7e08c9b35b898 upstream.

It can happen that there are no packets in queue while calling
tcp_xmit_retransmit_queue(). tcp_write_queue_head() then returns
NULL and that gets deref'ed to get sacked into a local var.

There is no work to do if no packets are outstanding so we just
exit early.

This oops was introduced by 08ebd1721ab8fd (tcp: remove tp->lost_out
guard to make joining diff nicer).

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)helsinki.fi>
Reported-by: Lennart Schulte <lennart.schulte(a)nets.rwth-aachen.de>
Tested-by: Lennart Schulte <lennart.schulte(a)nets.rwth-aachen.de>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)suse.de>

---
net/ipv4/tcp_output.c | 3 +++
1 file changed, 3 insertions(+)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2203,6 +2203,9 @@ void tcp_xmit_retransmit_queue(struct so
int mib_idx;
int fwd_rexmitting = 0;

+ if (!tp->packets_out)
+ return;
+
if (!tp->lost_out)
tp->retransmit_high = tp->snd_una;



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/