From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ursula Braun
Subject: [patch 03/13] [PATCH] af_iucv: fix oops in iucv_sock_recvmsg() for MSG_PEEK flag
Date: Tue, 21 Apr 2009 12:35:00 +0200
Message-ID: <20090421103705.472784000@linux.vnet.ibm.com>
References: <20090421103457.965299000@linux.vnet.ibm.com>
Cc: schwidefsky@de.ibm.com, heiko.carstens@de.ibm.com, Hendrik Brueckner, Ursula Braun
To: davem@davemloft.net, netdev@vger.kernel.org, linux-s390@vger.kernel.org
Return-path:
Received: from mtagate1.de.ibm.com ([195.212.17.161]:35693 "EHLO mtagate1.de.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752777AbZDUKhH (ORCPT ); Tue, 21 Apr 2009 06:37:07 -0400
Content-Disposition: inline; filename=603-af_iucv-oops.diff
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Hendrik Brueckner

If iucv_sock_recvmsg() is called with the MSG_PEEK flag set, the skb is enqueued twice. If the socket is then closed, the pointer to the skb is freed twice.

Remove the skb_queue_head() call for MSG_PEEK, because the skb_recv_datagram() function already handles MSG_PEEK (does not dequeue the skb).

Signed-off-by: Hendrik Brueckner
Signed-off-by: Ursula Braun

--- net/iucv/af_iucv.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) Index: net-2.6-uschi/net/iucv/af_iucv.c =================================================================== --- net-2.6-uschi.orig/net/iucv/af_iucv.c +++ net-2.6-uschi/net/iucv/af_iucv.c @@ -814,6 +814,8 @@ static int iucv_sock_recvmsg(struct kioc target = sock_rcvlowat(sk, flags & MSG_WAITALL, len); + /* receive/dequeue next skb: + * the function understands MSG_PEEK and, thus, does not dequeue skb */ skb = skb_recv_datagram(sk, flags, noblock, &err); if (!skb) { if (sk->sk_shutdown & RCV_SHUTDOWN) @@ -861,9 +863,7 @@ static int iucv_sock_recvmsg(struct kioc iucv_process_message_q(sk); spin_unlock_bh(&iucv->message_q.lock); } - - } else - skb_queue_head(&sk->sk_receive_queue, skb); + } done: return err ? : copied;
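Review bot: in the first hunk (the comment added above skb_recv_datagram()), the wording "receive/dequeue next skb" reads slightly against the point the comment is making, since with MSG_PEEK nothing is dequeued at all; something like "receive next skb (it stays queued when MSG_PEEK is set, because skb_recv_datagram() already honours the flag)" states the invariant the rest of the function now relies on. The comment itself is welcome: it is the only thing that explains why the former re-queue further down no longer exists.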
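Review bot: in the second hunk, dropping the `} else skb_queue_head(&sk->sk_receive_queue, skb);` branch is the actual fix and looks correct: with MSG_PEEK, skb_recv_datagram() leaves the skb linked in sk_receive_queue, so queueing the same skb a second time corrupts the list and lets the close path free it twice, which is the oops the commit message describes. Three points to tighten before merging: (1) the hunk also removes an unrelated blank line (the `-` line before `} else`), a whitespace cleanup that should be mentioned or split out so the fix stays minimal; (2) because the crash is triggered by an ordinary recv() with MSG_PEEK on an AF_IUCV socket, a Cc: stable tag on the commit message seems warranted; (3) please confirm in the surrounding function, which the hunk does not show, that no kfree_skb()/skb_free_datagram() of the peeked skb remains on the MSG_PEEK path, since after this change the skb is still owned by the receive queue and must not be released by recvmsg.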