Patch "[PATCH 12/28] net: fix a race in sock_queue_err_skb()" has been added to the 3.3-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    [PATCH 12/28] net: fix a race in sock_queue_err_skb()

to the 3.3-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-fix-a-race-in-sock_queue_err_skb.patch
and it can be found in the queue-3.3 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From ab3e1b7cfc86ddacef4c30f85be80b87454a8170 Mon Sep 17 00:00:00 2001
From: Eric Dumazet <eric.duma...@gmail.com>
Date: Fri, 6 Apr 2012 10:49:10 +0200
Subject: [PATCH 12/28] net: fix a race in sock_queue_err_skb()


From: Eric Dumazet <eric.duma...@gmail.com>

[ Upstream commit 110c43304db6f06490961529536c362d9ac5732f ]

As soon as an skb is queued into socket error queue, another thread
can consume it, so we are not allowed to reference skb anymore, or risk
use after free.

Signed-off-by: Eric Dumazet <eric.duma...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
 net/core/skbuff.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3160,6 +3160,8 @@ static void sock_rmem_free(struct sk_buf
  */
 int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
 {
+       int len = skb->len;
+
        if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
            (unsigned)sk->sk_rcvbuf)
                return -ENOMEM;
@@ -3174,7 +3176,7 @@ int sock_queue_err_skb(struct sock *sk,
 
        skb_queue_tail(&sk->sk_error_queue, skb);
        if (!sock_flag(sk, SOCK_DEAD))
-               sk->sk_data_ready(sk, skb->len);
+               sk->sk_data_ready(sk, len);
        return 0;
 }
 EXPORT_SYMBOL(sock_queue_err_skb);


Patches currently in stable-queue which might be from eric.duma...@gmail.com are

queue-3.3/net-fix-a-race-in-sock_queue_err_skb.patch
queue-3.3/tcp-allow-splice-to-build-full-tso-packets.patch
queue-3.3/net-fix-proc-net-dev-regression.patch
queue-3.3/tcp-restore-correct-limit.patch
queue-3.3/net-allow-pskb_expand_head-to-get-maximum-tailroom.patch
queue-3.3/net-smsc911x-fix-skb-handling-in-receive-path.patch
queue-3.3/tcp-avoid-order-1-allocations-on-wifi-and-tx-path.patch
queue-3.3/netlink-fix-races-after-skb-queueing.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html