author | Sasha Levin <sasha.levin@oracle.com> | 2015-12-14 12:11:09 -0500 |
---|---|---|
committer | Sasha Levin <sasha.levin@oracle.com> | 2015-12-14 12:17:34 -0500 |
commit | 3653158c9492ead7452ce59089b33c0d831330c8 (patch) | |
tree | 3e96ff887e926e0bf89f86b1ae05ca9f7b5491b4 | |
parent | a9ff3cb5ec5a60c9b9a5dc3d1e870bdb29451f0a (diff) | |
Revert "net: Fix skb_set_peeked use-after-free bug"
This reverts commit d9a1133495b487154ac351cd33b26b416e966d2d.
-rw-r--r-- | net/core/datagram.c | 41 |
1 files changed, 3 insertions, 38 deletions
diff --git a/net/core/datagram.c b/net/core/datagram.c
index 61e99f315ed9..3a402a7b20e9 100644
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -130,35 +130,6 @@ out_noerr:
 goto out;
 }
-static int skb_set_peeked(struct sk_buff *skb)
-{
- struct sk_buff *nskb;
-
- if (skb->peeked)
- return 0;
-
- /* We have to unshare an skb before modifying it. */
- if (!skb_shared(skb))
- goto done;
-
- nskb = skb_clone(skb, GFP_ATOMIC);
- if (!nskb)
- return -ENOMEM;
-
- skb->prev->next = nskb;
- skb->next->prev = nskb;
- nskb->prev = skb->prev;
- nskb->next = skb->next;
-
- consume_skb(skb);
- skb = nskb;
-
-done:
- skb->peeked = 1;
-
- return 0;
-}
-
 /**
 * __skb_recv_datagram - Receive a datagram skbuff
 * @sk: socket
@@ -193,9 +164,7 @@ done:
 struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
 int *peeked, int *off, int *err)
 {
- struct sk_buff_head *queue = &sk->sk_receive_queue;
 struct sk_buff *skb, *last;
- unsigned long cpu_flags;
 long timeo;
 /*
 * Caller is allowed not to check sk->sk_err before skb_recv_datagram()
@@ -214,6 +183,8 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
 * Look at current nfs client by the way...
 * However, this function was correct in any case. 8)
 */
+ unsigned long cpu_flags;
+ struct sk_buff_head *queue = &sk->sk_receive_queue;
 int _off = *off;
 last = (struct sk_buff *)queue;
@@ -227,11 +198,7 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
 _off -= skb->len;
 continue;
 }
-
- error = skb_set_peeked(skb);
- if (error)
- goto unlock_err;
-
+ skb->peeked = 1;
 atomic_inc(&skb->users);
 } else
 __skb_unlink(skb, queue);
@@ -255,8 +222,6 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
 return NULL;
-unlock_err:
- spin_unlock_irqrestore(&queue->lock, cpu_flags);
 no_packet:
 *err = error;
 return NULL; |
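Review bot: In the fourth hunk (`@@ -227,11 +198,7 @@`) the peek path goes back to storing `skb->peeked = 1;` directly on the queued skb with no `skb_shared()` check, although the helper deleted in the first hunk carried the comment "We have to unshare an skb before modifying it". The commit message only names the reverted commit, so from this page it cannot be told whether the unshare-before-write step is restored by a later patch or dropped on purpose. If the plain store is intended, a comment above it would record that, for example `/* peeked is set in place; the skb may still be shared with other users here */`, and the changelog should say why the revert is safe. The enclosing loop in `__skb_recv_datagram()` starts and ends outside the hunk.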