From: Hendrik Brueckner Date: Tue, 21 Apr 2009 06:04:21 +0000 (+0000) Subject: af_iucv: fix oops in iucv_sock_recvmsg() for MSG_PEEK flag X-Git-Tag: MMI-PSA29.97-13-9~28017^2~121 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=60d3705fcbfe7deca8e94bc7ddecd6f9f1a4647e;p=GitHub%2FMotorolaMobilityLLC%2Fkernel-slsi.git af_iucv: fix oops in iucv_sock_recvmsg() for MSG_PEEK flag If iucv_sock_recvmsg() is called with MSG_PEEK flag set, the skb is enqueued twice. If the socket is then closed, the pointer to the skb is freed twice. Remove the skb_queue_head() call for MSG_PEEK, because the skb_recv_datagram() function already handles MSG_PEEK (does not dequeue the skb). Signed-off-by: Hendrik Brueckner Signed-off-by: Ursula Braun Signed-off-by: David S. Miller --- diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c index 2941ee50393b..42b3be302c57 100644 --- a/net/iucv/af_iucv.c +++ b/net/iucv/af_iucv.c @@ -814,6 +814,8 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock, target = sock_rcvlowat(sk, flags & MSG_WAITALL, len); + /* receive/dequeue next skb: + * the function understands MSG_PEEK and, thus, does not dequeue skb */ skb = skb_recv_datagram(sk, flags, noblock, &err); if (!skb) { if (sk->sk_shutdown & RCV_SHUTDOWN) @@ -861,9 +863,7 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock, iucv_process_message_q(sk); spin_unlock_bh(&iucv->message_q.lock); } - - } else - skb_queue_head(&sk->sk_receive_queue, skb); + } done: return err ? : copied;