authorEric Dumazet <eric.dumazet@gmail.com>2012-04-06 10:49:10 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-04-27 09:51:19 -0700
commit6d7946bd33e29b2659504ffb3b98aa9fdb2229d8 (patch)
treecc3c057a993611462f6c491828b917c017fcf07a
parent19a8321ccebc1db80a75d32d0235f2beb646d8f7 (diff)
net: fix a race in sock_queue_err_skb()
[ Upstream commit 110c43304db6f06490961529536c362d9ac5732f ] As soon as an skb is queued into the socket error queue, another thread can consume it, so we are not allowed to reference the skb anymore, or we risk a use-after-free. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--net/core/skbuff.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 46cbd28f40f9..4821df84eba3 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2985,6 +2985,8 @@ static void sock_rmem_free(struct sk_buff *skb)
*/
int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
{
+ int len = skb->len;
+
if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
(unsigned)sk->sk_rcvbuf)
return -ENOMEM;
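Review bot: The new `int len = skb->len;` at the top of sock_queue_err_skb() carries no comment saying why the length is copied out before the skb is queued, so a later cleanup could fold it back into the `sk_data_ready` call in the second hunk and silently reintroduce the use-after-free this commit fixes. I would add `/* Snapshot len: once queued, another thread may free the skb */` above the declaration. The same reasoning applies to the `sk->sk_data_ready(sk, len);` line in the second hunk, where the only remaining reference after `skb_queue_tail()` is now the local copy; the lines between the two hunks (orphaning and accounting, before the enqueue) are outside this view and presumably still touch skb only before it is queued. The function body continues past the end of the first hunk.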
@@ -2999,7 +3001,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
skb_queue_tail(&sk->sk_error_queue, skb);
if (!sock_flag(sk, SOCK_DEAD))
- sk->sk_data_ready(sk, skb->len);
+ sk->sk_data_ready(sk, len);
return 0;
}
EXPORT_SYMBOL(sock_queue_err_skb);