From: Gerald Schaefer <geraldsc@de.ibm.com>
Subject: af_iucv: System hang if recvmsg() is used with MSG_PEEK
References: bnc#466462,LTC#51136

Symptom: Receiving socket data with MSG_PEEK flag set causes system hang
Problem: If iucv_sock_recvmsg() is called with MSG_PEEK flag set,
the skb is enqueued twice. If the socket is then closed, the
pointer to the skb is also freed twice and causes a kernel oops.
Solution: Remove the skb_queue_head() call for MSG_PEEK, because the
skb_recv_datagram() function already handles MSG_PEEK (it
actually does not dequeue the skb).

Acked-by: John Jolly <jjolly@suse.de>

net/iucv/af_iucv.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

18 --- a/net/iucv/af_iucv.c
19 +++ b/net/iucv/af_iucv.c
20 @@ -789,6 +789,8 @@ static int iucv_sock_recvmsg(struct kioc
22 target = sock_rcvlowat(sk, flags & MSG_WAITALL, len);
24 + /* receive/dequeue next skb:
25 + * the function understands MSG_PEEK and, thus, does not dequeue skb */
26 skb = skb_recv_datagram(sk, flags, noblock, &err);
28 if (sk->sk_shutdown & RCV_SHUTDOWN)
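Review bot: the comment added above skb_recv_datagram() states the property the fix relies on (MSG_PEEK leaves the skb on sk_receive_queue) but does not say what that implies for the caller; since this is the documentation a future reader needs in order not to reintroduce the requeue removed in the next hunk, consider making the consequence explicit, e.g. "the function understands MSG_PEEK and does not dequeue the skb, so the caller must not put it back on the queue". Style nit for the same lines: networking code conventionally closes a multi-line comment with `*/` on its own line rather than at the end of the last text line.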
29 @@ -836,9 +838,7 @@ static int iucv_sock_recvmsg(struct kioc
30 iucv_process_message_q(sk);
31 spin_unlock_bh(&iucv->message_q.lock);
35 - skb_queue_head(&sk->sk_receive_queue, skb);
39 return err ? : copied;
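Review bot: the hunk header `@@ -836,9 +838,7 @@` accounts for two removed lines, but only the `skb_queue_head(&sk->sk_receive_queue, skb);` deletion is visible in the hunk as recorded here, so the condition that guarded that call cannot be checked from this page; the patch as posted should show it so a reviewer can confirm that no other path in iucv_sock_recvmsg() re-enqueues a peeked skb. The deletion itself matches the commit message: with MSG_PEEK, skb_recv_datagram() leaves the skb on sk_receive_queue, so a second skb_queue_head() leaves two queue entries pointing at one buffer, which is the double free observed when the socket is closed.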