diff options
author | Hendrik Brueckner <brueckner@linux.vnet.ibm.com> | 2009-04-21 02:04:21 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-04-22 02:43:13 -0400 |
commit | 60d3705fcbfe7deca8e94bc7ddecd6f9f1a4647e (patch) | |
tree | afd8b424d6a8367ebca081e103a035ca346f88f9 | |
parent | bbe188c8f16effd902d1ad391e06e41ce649b22e (diff) |
af_iucv: fix oops in iucv_sock_recvmsg() for MSG_PEEK flag
If iucv_sock_recvmsg() is called with MSG_PEEK flag set, the skb is enqueued
twice. If the socket is then closed, the pointer to the skb is freed twice.
Remove the skb_queue_head() call for MSG_PEEK, because the skb_recv_datagram()
function already handles MSG_PEEK (does not dequeue the skb).
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/iucv/af_iucv.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c index 2941ee50393b..42b3be302c57 100644 --- a/net/iucv/af_iucv.c +++ b/net/iucv/af_iucv.c | |||
@@ -814,6 +814,8 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock, | |||
814 | 814 | ||
815 | target = sock_rcvlowat(sk, flags & MSG_WAITALL, len); | 815 | target = sock_rcvlowat(sk, flags & MSG_WAITALL, len); |
816 | 816 | ||
817 | /* receive/dequeue next skb: | ||
818 | * the function understands MSG_PEEK and, thus, does not dequeue skb */ | ||
817 | skb = skb_recv_datagram(sk, flags, noblock, &err); | 819 | skb = skb_recv_datagram(sk, flags, noblock, &err); |
818 | if (!skb) { | 820 | if (!skb) { |
819 | if (sk->sk_shutdown & RCV_SHUTDOWN) | 821 | if (sk->sk_shutdown & RCV_SHUTDOWN) |
@@ -861,9 +863,7 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock, | |||
861 | iucv_process_message_q(sk); | 863 | iucv_process_message_q(sk); |
862 | spin_unlock_bh(&iucv->message_q.lock); | 864 | spin_unlock_bh(&iucv->message_q.lock); |
863 | } | 865 | } |
864 | 866 | } | |
865 | } else | ||
866 | skb_queue_head(&sk->sk_receive_queue, skb); | ||
867 | 867 | ||
868 | done: | 868 | done: |
869 | return err ? : copied; | 869 | return err ? : copied; |