From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Fri, 6 Apr 2012 08:49:10 +0000 (+0200)
Subject: net: fix a race in sock_queue_err_skb()
X-Git-Tag: firefly_0821_release~7541^2~1287
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=6d7946bd33e29b2659504ffb3b98aa9fdb2229d8;p=firefly-linux-kernel-4.4.55.git

net: fix a race in sock_queue_err_skb()

[ Upstream commit 110c43304db6f06490961529536c362d9ac5732f ]

As soon as an skb is queued into socket error queue, another thread
can consume it, so we are not allowed to reference skb anymore, or risk
use after free.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 46cbd28f40f9..4821df84eba3 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2985,6 +2985,8 @@ static void sock_rmem_free(struct sk_buff *skb)
  */
 int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
 {
+	int len = skb->len;
+
 	if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
 	    (unsigned)sk->sk_rcvbuf)
 		return -ENOMEM;
@@ -2999,7 +3001,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
 
 	skb_queue_tail(&sk->sk_error_queue, skb);
 	if (!sock_flag(sk, SOCK_DEAD))
-		sk->sk_data_ready(sk, skb->len);
+		sk->sk_data_ready(sk, len);
 	return 0;
 }
 EXPORT_SYMBOL(sock_queue_err_skb);