From 5d054632429188226b8c1e1e545475c89ad4c582 Mon Sep 17 00:00:00 2001
From: josh_hsu <josh_hsu@asus.com>
Date: Tue, 1 Nov 2016 18:12:59 +0800
Subject: [PATCH] [2016-10-partner][CVE-2016-6828] tcp: fix use after free in
 tcp_xmit_retransmit_queue()

Change-Id: Iaf1abe7a9260856e19491ebba647b760ee80855e
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/262128
Reviewed-by: Josh Hsu <josh_hsu@asus.com>
Tested-by: Josh Hsu <josh_hsu@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
---
 include/net/tcp.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/net/tcp.h b/include/net/tcp.h
index 4cc1f2268cee..1b044c3d4415 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1406,6 +1406,8 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
 {
 	if (sk->sk_send_head == skb_unlinked)
 		sk->sk_send_head = NULL;
+	if (tcp_sk(sk)->highest_sack == skb_unlinked)
+		tcp_sk(sk)->highest_sack = NULL;
 }
 
 static inline void tcp_init_send_head(struct sock *sk)
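Review bot: The two lines added to tcp_check_send_head() have no comment explaining why highest_sack is reset, and the commit message body is empty, so the rationale exists only in the subject line. I would put `/* highest_sack may still point at the skb being unlinked; clear it so tcp_xmit_retransmit_queue() never follows a freed skb */` above the new check. The reset only protects unlink paths that go through this helper, and its callers are outside the hunk. It is worth confirming that every site that unlinks and frees a write-queue skb either calls tcp_check_send_head() or updates highest_sack itself. As a style point, a local `struct tcp_sock *tp = tcp_sk(sk);` would avoid writing the tcp_sk(sk) conversion twice.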
-- 
GitLab