From: Hendrik Brueckner <brueckner@xxxxxxxxxxxxxxxxxx>
If iucv_sock_recvmsg() is called with MSG_PEEK flag set, the skb is enqueued
twice. If the socket is then closed, the pointer to the skb is freed twice.
Remove the skb_queue_head() call for MSG_PEEK, because the skb_recv_datagram()
function already handles MSG_PEEK (does not dequeue the skb).
Signed-off-by: Hendrik Brueckner <brueckner@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Ursula Braun <ursula.braun@xxxxxxxxxx>
---
net/iucv/af_iucv.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Index: net-2.6-uschi/net/iucv/af_iucv.c
===================================================================
--- net-2.6-uschi.orig/net/iucv/af_iucv.c
+++ net-2.6-uschi/net/iucv/af_iucv.c
@@ -814,6 +814,8 @@ static int iucv_sock_recvmsg(struct kioc
target = sock_rcvlowat(sk, flags & MSG_WAITALL, len);
+ /* receive/dequeue next skb:
+ * the function understands MSG_PEEK and, thus, does not dequeue skb */
skb = skb_recv_datagram(sk, flags, noblock, &err);
if (!skb) {
if (sk->sk_shutdown & RCV_SHUTDOWN)
@@ -861,9 +863,7 @@ static int iucv_sock_recvmsg(struct kioc
iucv_process_message_q(sk);
spin_unlock_bh(&iucv->message_q.lock);
}
-
- } else
- skb_queue_head(&sk->sk_receive_queue, skb);
+ }
done:
return err ? : copied;
--
To unsubscribe from this list: send the line "unsubscribe linux-s390" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
