projects / people / pmueller / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| 00e5a55c BS |
1 | From: Gerald Schaefer <geraldsc@de.ibm.com> |
| 2 | Subject: af_iucv: System hang if recvmsg() is used with MSG_PEEK | |
| 3 | References: bnc#466462,LTC#51136 | |
| 4 | ||
| 5 | Symptom: Receiving socket data with MSG_PEEK flag set causes systen hang | |
| 6 | Problem: If iucv_sock_recvmsg() is called with MSG_PEEK flag set, | |
| 7 | the skb is enqueued twice. If the socket is then closed, the | |
| 8 | pointer to the skb is also freed twice and causes a kernel oops. | |
| 9 | Solution: Remove the skb_queue_head() call for MSG_PEEK, because the | |
| 10 | skb_recv_datagram() function already handles MSG_PEEK (it | |
| 11 | actually does not dequeue the skb). | |
| 12 | ||
| 13 | Acked-by: John Jolly <jjolly@suse.de> | |
| 14 | --- | |
| 15 | net/iucv/af_iucv.c | 6 +++--- | |
| 16 | 1 file changed, 3 insertions(+), 3 deletions(-) | |
| 17 | ||
| 18 | --- a/net/iucv/af_iucv.c | |
| 19 | +++ b/net/iucv/af_iucv.c | |
| 20 | @@ -789,6 +789,8 @@ static int iucv_sock_recvmsg(struct kioc | |
| 21 | ||
| 22 | target = sock_rcvlowat(sk, flags & MSG_WAITALL, len); | |
| 23 | ||
| 24 | + /* receive/dequeue next skb: | |
| 25 | + * the function understands MSG_PEEK and, thus, does not dequeue skb */ | |
| 26 | skb = skb_recv_datagram(sk, flags, noblock, &err); | |
| 27 | if (!skb) { | |
| 28 | if (sk->sk_shutdown & RCV_SHUTDOWN) | |
| 29 | @@ -836,9 +838,7 @@ static int iucv_sock_recvmsg(struct kioc | |
| 30 | iucv_process_message_q(sk); | |
| 31 | spin_unlock_bh(&iucv->message_q.lock); | |
| 32 | } | |
| 33 | - | |
| 34 | - } else | |
| 35 | - skb_queue_head(&sk->sk_receive_queue, skb); | |
| 36 | + } | |
| 37 | ||
| 38 | done: | |
| 39 | return err ? : copied; |