projects / GitHub / MotorolaMobilityLLC / kernel-slsi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4a7e7c2)
net: fix a race in sock_queue_err_skb()
authorEric Dumazet <eric.dumazet@gmail.com>
Fri, 6 Apr 2012 08:49:10 +0000 (10:49 +0200)
committerDavid S. Miller <davem@davemloft.net>
Fri, 6 Apr 2012 09:07:21 +0000 (05:07 -0400)
As soon as an skb is queued into socket error queue, another thread
can consume it, so we are not allowed to reference skb anymore, or risk
use after free.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/skbuff.c patch | blob | blame | history

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index f223cdc75da6af27a688430ee98c0743608ea822..baf8d281152cebc9e55ce8a7343d427b24b8b61e 100644 (file)
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3161,6 +3161,8 @@ static void sock_rmem_free(struct sk_buff *skb)
  */
 int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
 {
+       int len = skb->len;
+
        if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
            (unsigned)sk->sk_rcvbuf)
                return -ENOMEM;
@@ -3175,7 +3177,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
 
        skb_queue_tail(&sk->sk_error_queue, skb);
        if (!sock_flag(sk, SOCK_DEAD))
-               sk->sk_data_ready(sk, skb->len);
+               sk->sk_data_ready(sk, len);
        return 0;
 }
 EXPORT_SYMBOL(sock_queue_err_skb);
Motorola kernel-slsi