net: Fix use after free by removing length arg from sk_data_ready callbacks.

[linux.git] / net / ipv4 / tcp_ipv4.c

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 1e4eac779f51c81bf5472d13ed446fefb0827753..438f3b95143df0bffa01322c62b44c8fcd6d6b8b 100644 (file)
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -435,7 +435,7 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
                        break;
 
                icsk->icsk_backoff--;
-               inet_csk(sk)->icsk_rto = (tp->srtt ? __tcp_set_rto(tp) :
+               inet_csk(sk)->icsk_rto = (tp->srtt_us ? __tcp_set_rto(tp) :
                        TCP_TIMEOUT_INIT) << icsk->icsk_backoff;
                tcp_bound_rto(sk);
 
@@ -854,8 +854,10 @@ static int tcp_v4_rtx_synack(struct sock *sk, struct request_sock *req)
 {
        int res = tcp_v4_send_synack(sk, NULL, req, 0);
 
-       if (!res)
+       if (!res) {
                TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_RETRANSSEGS);
+               NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
+       }
        return res;
 }
 
@@ -878,8 +880,6 @@ bool tcp_syn_flood_action(struct sock *sk,
        bool want_cookie = false;
        struct listen_sock *lopt;
 
-
-
 #ifdef CONFIG_SYN_COOKIES
        if (sysctl_tcp_syncookies) {
                msg = "Sending cookies";
@@ -1434,7 +1434,7 @@ static int tcp_v4_conn_req_fastopen(struct sock *sk,
                tp->rcv_nxt = TCP_SKB_CB(skb)->end_seq;
                tp->syn_data_acked = 1;
        }
-       sk->sk_data_ready(sk, 0);
+       sk->sk_data_ready(sk);
        bh_unlock_sock(child);
        sock_put(child);
        WARN_ON(req->sk == NULL);