openkylin
/
platform_kernel-5.15
mirror of https://gitee.com/openkylin/platform_kernel-5.15.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

net: fix a race in sock_queue_err_skb() 

As soon as an skb is queued into socket error queue, another thread
can consume it, so we are not allowed to reference skb anymore, or risk
use after free.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Dumazet 2012-04-06 10:49:10 +02:00 committed by David S. Miller
parent 4a7e7c2ad5
commit 110c43304d
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
net/core/skbuff.c
View File

@ -3161,6 +3161,8 @@ static void sock_rmem_free(struct sk_buff *skb)
*/ */
int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
{ {
int len = skb->len;
if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >= if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
(unsigned)sk->sk_rcvbuf) (unsigned)sk->sk_rcvbuf)
return -ENOMEM; return -ENOMEM;
@ -3175,7 +3177,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
skb_queue_tail(&sk->sk_error_queue, skb); skb_queue_tail(&sk->sk_error_queue, skb);
if (!sock_flag(sk, SOCK_DEAD)) if (!sock_flag(sk, SOCK_DEAD))
sk->sk_data_ready(sk, skb->len); sk->sk_data_ready(sk, len);
return 0; return 0;
} }
EXPORT_SYMBOL(sock_queue_err_skb); EXPORT_SYMBOL(sock_queue_err_skb);