diff options
| author | Eric Dumazet <eric.dumazet@gmail.com> | 2012-04-06 04:49:10 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-04-06 05:07:21 -0400 |
| commit | 110c43304db6f06490961529536c362d9ac5732f (patch) | |
| tree | 5729bd4310cffaea7d0e4fbe3451d26e78271179 /net | |
| parent | 4a7e7c2ad540e54c75489a70137bf0ec15d3a127 (diff) | |
net: fix a race in sock_queue_err_skb()
As soon as an skb is queued into socket error queue, another thread
can consume it, so we are not allowed to reference skb anymore, or risk
use after free.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/core/skbuff.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index f223cdc75da6..baf8d281152c 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c | |||
| @@ -3161,6 +3161,8 @@ static void sock_rmem_free(struct sk_buff *skb) | |||
| 3161 | */ | 3161 | */ |
| 3162 | int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) | 3162 | int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) |
| 3163 | { | 3163 | { |
| 3164 | int len = skb->len; | ||
| 3165 | |||
| 3164 | if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >= | 3166 | if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >= |
| 3165 | (unsigned)sk->sk_rcvbuf) | 3167 | (unsigned)sk->sk_rcvbuf) |
| 3166 | return -ENOMEM; | 3168 | return -ENOMEM; |
| @@ -3175,7 +3177,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) | |||
| 3175 | 3177 | ||
| 3176 | skb_queue_tail(&sk->sk_error_queue, skb); | 3178 | skb_queue_tail(&sk->sk_error_queue, skb); |
| 3177 | if (!sock_flag(sk, SOCK_DEAD)) | 3179 | if (!sock_flag(sk, SOCK_DEAD)) |
| 3178 | sk->sk_data_ready(sk, skb->len); | 3180 | sk->sk_data_ready(sk, len); |
| 3179 | return 0; | 3181 | return 0; |
| 3180 | } | 3182 | } |
| 3181 | EXPORT_SYMBOL(sock_queue_err_skb); | 3183 | EXPORT_SYMBOL(sock_queue_err_skb); |