tcp: clear icsk_backoff in tcp_write_queue_purge()

[ Upstream commit 04c03114be82194d4a4858d41dba8e286ad1787c ] soukjin bae reported a crash in tcp_v4_err() handling ICMP_DEST_UNREACH after tcp_write_queue_head(sk) returned a NULL pointer. Current logic should have prevented this : if (seq != tp->snd_una || !icsk->icsk_retransmits || !icsk->icsk_backoff || fastopen) break; Problem is the write queue might have been purged and icsk_backoff has not been cleared. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: soukjin bae <soukjin.bae@samsung.com> Acked-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Eric Dumazet <edumazet@google.com> 2019-02-15 13:36:20 -0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-02-23 09:06:43 +0100
commit: 3a493b762f31fc0c571051cdfb0d80f49498e5fd (patch)
tree: c5f0c6cea660a58c4a4c7b993d9724cb584d8091 /net/ipv4
parent: 859838ff68a119a34a562b7a8384204c2c2782b2 (diff)
1 files changed, 0 insertions, 1 deletions
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index fd14501ac3af..00ae9a1d44ed 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2347,7 +2347,6 @@ int tcp_disconnect(struct sock *sk, int flags)
 	tp->write_seq += tp->max_window + 2;
 	if (tp->write_seq == 0)
 		tp->write_seq = 1;
-	icsk->icsk_backoff = 0;
 	tp->snd_cwnd = 2;
 	icsk->icsk_probes_out = 0;
 	tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
author	Eric Dumazet <edumazet@google.com>	2019-02-15 13:36:20 -0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-02-23 09:06:43 +0100
commit	3a493b762f31fc0c571051cdfb0d80f49498e5fd (patch)
tree	c5f0c6cea660a58c4a4c7b993d9724cb584d8091 /net/ipv4
parent	859838ff68a119a34a562b7a8384204c2c2782b2 (diff)