[thirdparty/kernel/stable-queue.git] / queue-4.19 / net-datagram-fix-unbounded-loop-in-__skb_try_recv_datagram.patch

From foo@baz Thu Mar 28 21:54:17 CET 2019
From: Paolo Abeni <pabeni@redhat.com>
Date: Mon, 25 Mar 2019 14:18:06 +0100
Subject: net: datagram: fix unbounded loop in __skb_try_recv_datagram()

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit 0b91bce1ebfc797ff3de60c8f4a1e6219a8a3187 ]

Christoph reported a stall while peeking datagram with an offset when
busy polling is enabled. __skb_try_recv_datagram() uses as the loop
termination condition 'queue empty'. When peeking, the socket
queue can be not empty, even when no additional packets are received.

Address the issue explicitly checking for receive queue changes,
as currently done by __skb_wait_for_more_packets().

Fixes: 2b5cd0dfa384 ("net: Change return type of sk_busy_loop from bool to void")
Reported-and-tested-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/datagram.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -279,7 +279,7 @@ struct sk_buff *__skb_try_recv_datagram(
 			break;
 
 		sk_busy_loop(sk, flags & MSG_DONTWAIT);
-	} while (!skb_queue_empty(&sk->sk_receive_queue));
+	} while (sk->sk_receive_queue.prev != *last);
 
 	error = -EAGAIN;
Commit	Line	Data
38568109 GKH	1	From foo@baz Thu Mar 28 21:54:17 CET 2019
	2	From: Paolo Abeni <pabeni@redhat.com>
	3	Date: Mon, 25 Mar 2019 14:18:06 +0100
	4	Subject: net: datagram: fix unbounded loop in __skb_try_recv_datagram()
	5
	6	From: Paolo Abeni <pabeni@redhat.com>
	7
	8	[ Upstream commit 0b91bce1ebfc797ff3de60c8f4a1e6219a8a3187 ]
	9
	10	Christoph reported a stall while peeking datagram with an offset when
	11	busy polling is enabled. __skb_try_recv_datagram() uses as the loop
	12	termination condition 'queue empty'. When peeking, the socket
	13	queue can be not empty, even when no additional packets are received.
	14
	15	Address the issue explicitly checking for receive queue changes,
	16	as currently done by __skb_wait_for_more_packets().
	17
	18	Fixes: 2b5cd0dfa384 ("net: Change return type of sk_busy_loop from bool to void")
	19	Reported-and-tested-by: Christoph Paasch <cpaasch@apple.com>
	20	Signed-off-by: Paolo Abeni <pabeni@redhat.com>
	21	Signed-off-by: David S. Miller <davem@davemloft.net>
	22	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	23	---
	24	net/core/datagram.c \| 2 +-
	25	1 file changed, 1 insertion(+), 1 deletion(-)
	26
	27	--- a/net/core/datagram.c
	28	+++ b/net/core/datagram.c
	29	@@ -279,7 +279,7 @@ struct sk_buff *__skb_try_recv_datagram(
	30	break;
	31
	32	sk_busy_loop(sk, flags & MSG_DONTWAIT);
	33	- } while (!skb_queue_empty(&sk->sk_receive_queue));
	34	+ } while (sk->sk_receive_queue.prev != *last);
	35
	36	error = -EAGAIN;
	37