On Thu, Aug 31, 2017 at 1:56 AM, idaifish <idaif...@gmail.com> wrote:
> Hi:
> This bug still seems to be triggerable by the attached PoC on the latest
> Ubuntu1604 (4.4.0-94-generic)
>
> ============================================================================
> divide error: 0000 [#1] SMP KASAN
> Modules linked in:
> CPU: 0 PID: 14933 Comm: syz-executor0 Not tainted 4.9.45 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> Ubuntu-1.8.2-1ubuntu1 04/01/2014
> task: ffff880076ab9900 task.stack: ffff880062ae8000
> RIP: 0010:[<ffffffff829c1df3>] [<ffffffff829c1df3>]
> __tcp_select_window+0x2f3/0x6b0 net/ipv4/tcp_output.c:2499
> ...
> [<ffffffff8297c36e>] tcp_cleanup_rbuf+0x43e/0x4f0 net/ipv4/tcp.c:1468
> [<ffffffff829815df>] tcp_recvmsg+0xc2f/0x25d0 net/ipv4/tcp.c:1937
Thanks for the report.

I believe this tcp_recvmsg => tcp_cleanup_rbuf => __tcp_select_window divide-by-zero issue was fixed in May by Wei, in:

499350a5a6e7 tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?id=499350a5a6e7

Looks like we should probably mark this as a -stable candidate, so that it will eventually make it to 4.4.y, 4.9.y, 4.12.y users, etc. (I don't see the commit in those stable branches.)

thanks,
neal