Imported linux-2.6.27.39 suse/xen patches.
1 From: Gerald Schaefer <geraldsc@de.ibm.com>
2 Subject: af_iucv: System hang if recvmsg() is used with MSG_PEEK
3 References: bnc#466462,LTC#51136
4
5 Symptom: Receiving socket data with MSG_PEEK flag set causes system hang
6 Problem: If iucv_sock_recvmsg() is called with MSG_PEEK flag set,
7 the skb is enqueued twice. If the socket is then closed, the
8 pointer to the skb is also freed twice and causes a kernel oops.
9 Solution: Remove the skb_queue_head() call for MSG_PEEK, because the
10 skb_recv_datagram() function already handles MSG_PEEK (it
11 actually does not dequeue the skb).
12
13 Acked-by: John Jolly <jjolly@suse.de>
14 ---
15 net/iucv/af_iucv.c | 6 +++---
16 1 file changed, 3 insertions(+), 3 deletions(-)
17
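--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -789,6 +789,8 @@ static int iucv_sock_recvmsg(struct kioc
 
 target = sock_rcvlowat(sk, flags & MSG_WAITALL, len);
 
+ /* receive/dequeue next skb:
+ * the function understands MSG_PEEK and, thus, does not dequeue skb */
 skb = skb_recv_datagram(sk, flags, noblock, &err);
 if (!skb) {
 if (sk->sk_shutdown & RCV_SHUTDOWN)
@@ -836,9 +838,7 @@ static int iucv_sock_recvmsg(struct kioc
 iucv_process_message_q(sk);
 spin_unlock_bh(&iucv->message_q.lock);
 }
-
- } else
- skb_queue_head(&sk->sk_receive_queue, skb);
+ }
 
 done:
 return err ? : copied;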
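Review bot: After the second hunk the MSG_PEEK branch of iucv_sock_recvmsg() no longer touches the skb at all, so nothing visible here releases whatever reference skb_recv_datagram() holds when it peeks instead of dequeuing. If this tree's datagram code increments `skb->users` on MSG_PEEK (worth confirming in net/core/datagram.c), the double free is traded for one leaked skb reference per peek, which becomes a memory-exhaustion risk when the call is repeated. In that case I would keep an else branch that only drops the reference, `} else { kfree_skb(skb); }`, instead of removing the branch outright. The function starts and ends outside both hunks, so any other `skb_queue_head()` call on an error path there should be checked for the same double enqueue under MSG_PEEK.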