diff options
| author | Eric Dumazet <eric.dumazet@gmail.com> | 2012-04-06 10:49:10 +0200 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2012-05-11 13:14:21 +0100 |
| commit | 8a0885b2113dfe7d1fb4f981a3d3c712ad90619c (patch) | |
| tree | 03e63dc9e197b488f2c62003c7fa1bb79dffd3e8 /net | |
| parent | d6465c3d0237438855ba4adfbdee210d3220ca77 (diff) | |
| download | lwn-8a0885b2113dfe7d1fb4f981a3d3c712ad90619c.tar.gz lwn-8a0885b2113dfe7d1fb4f981a3d3c712ad90619c.zip | |
net: fix a race in sock_queue_err_skb()
[ Upstream commit 110c43304db6f06490961529536c362d9ac5732f ]
As soon as an skb is queued into socket error queue, another thread
can consume it, so we are not allowed to reference skb anymore, or risk
use after free.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'net')
| -rw-r--r-- | net/core/skbuff.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 3c30ee4a5710..29cb3924fdf6 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -3111,6 +3111,8 @@ static void sock_rmem_free(struct sk_buff *skb) */ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) { + int len = skb->len; + if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >= (unsigned)sk->sk_rcvbuf) return -ENOMEM; @@ -3125,7 +3127,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) skb_queue_tail(&sk->sk_error_queue, skb); if (!sock_flag(sk, SOCK_DEAD)) - sk->sk_data_ready(sk, skb->len); + sk->sk_data_ready(sk, len); return 0; } EXPORT_SYMBOL(sock_queue_err_skb); |