From: Greg KH on
2.6.34-stable review patch. If anyone has any objections, please let us know.


From: Ilpo Järvinen <ilpo.jarvinen(a)>

commit 45e77d314585869dfe43c82679f7e08c9b35b898 upstream.

It can happen that there are no packets in queue while calling
tcp_xmit_retransmit_queue(). tcp_write_queue_head() then returns
NULL and that gets deref'ed to get sacked into a local var.

There is no work to do if no packets are outstanding so we just
exit early.

This oops was introduced by 08ebd1721ab8fd (tcp: remove tp->lost_out
guard to make joining diff nicer).

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)>
Reported-by: Lennart Schulte <lennart.schulte(a)>
Tested-by: Lennart Schulte <lennart.schulte(a)>
Signed-off-by: David S. Miller <davem(a)>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)>

net/ipv4/tcp_output.c | 3 +++
1 file changed, 3 insertions(+)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2206,6 +2206,9 @@ void tcp_xmit_retransmit_queue(struct so
int mib_idx;
int fwd_rexmitting = 0;

+ if (!tp->packets_out)
+ return;
if (!tp->lost_out)
tp->retransmit_high = tp->snd_una;
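Review bot: The new `if (!tp->packets_out)` guard at the top of tcp_xmit_retransmit_queue() has no comment, and it tests a counter rather than the pointer that the commit message says is dereferenced (the NULL return of tcp_write_queue_head()). The fix therefore relies on the invariant that a non-zero packets_out means the write queue has a head, and nothing in the hunk says so. A one-line comment above the check would record this, for example that nothing is outstanding so the queue head may be NULL. It would also keep the guard from being dropped in a later cleanup, which is how the message says the oops was introduced when the tp->lost_out guard was removed. The diffstat reports 3 insertions while only two `+` lines are visible here, so the third is presumably a blank line after the `return;` that was lost in this copy.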

