From: Tuong Lien <tuong.t.l...@dektech.com.au>
Date: Wed, 3 Jun 2020 12:06:01 +0700

> syzbot found the following crash:
> ...
> Call Trace:
>  tipc_sendstream+0x4c/0x70 net/tipc/socket.c:1533
>  sock_sendmsg_nosec net/socket.c:652 [inline]
>  sock_sendmsg+0xcf/0x120 net/socket.c:672
>  ____sys_sendmsg+0x32f/0x810 net/socket.c:2352
>  ___sys_sendmsg+0x100/0x170 net/socket.c:2406
>  __sys_sendmmsg+0x195/0x480 net/socket.c:2496
>  __do_sys_sendmmsg net/socket.c:2525 [inline]
>  __se_sys_sendmmsg net/socket.c:2522 [inline]
>  __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2522
>  do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
>  entry_SYSCALL_64_after_hwframe+0x49/0xb3
> RIP: 0033:0x440199
> ...
>
> This bug was bisected to commit 0a3e060f340d ("tipc: add test for Nagle
> algorithm effectiveness"). However, that is not the case; the trouble was
> in the base: in the case of zero-data-length message sending, we would
> unexpectedly make an empty 'txq' queue after the 'tipc_msg_append()' in
> Nagle mode.
>
> A similar crash can be generated even without the bisected patch, but at
> the link layer when it accesses the empty queue.
>
> We solve the issues by building at least one buffer to go with the
> socket's header and an optional data section that may be empty, like
> what we had with 'tipc_msg_build()'.
>
> Note: the previous commit 4c21daae3dbc ("tipc: Fix NULL pointer
> dereference in __tipc_sendstream()") is obsoleted by this one, since the
> 'txq' will never be empty and the check of 'skb != NULL' is unnecessary,
> but it is safe anyway.
>
> Reported-by: syzbot+8eac6d030e7807c21...@syzkaller.appspotmail.com
> Fixes: c0bceb97db9e ("tipc: add smart nagle feature")
> Acked-by: Jon Maloy <jma...@redhat.com>
> Signed-off-by: Tuong Lien <tuong.t.l...@dektech.com.au>

Applied and queued up for -stable, thanks.