[NETLINK]: Fix race with recvmsg().
This bug causes: assertion (!atomic_read(&sk->sk_rmem_alloc)) failed at net/netlink/af_netlink.c (122) What's happening is that: 1) The skb is sent to socket 1. 2) Someone does a recvmsg on socket 1 and drops the ref on the skb. Note that the rmalloc is not returned at this point since the skb is still referenced. 3) The same skb is now sent to socket 2. This version of the fix resurrects the skb_orphan call that was moved out, last time we had 'shared-skb troubles'. It is practically a no-op in the common case, but still prevents the possible race with recvmsg. Signed-off-by: Tommy S. Christensen <tommy.christensen@tpack.net> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
1eda339e76
commit
db61ecc335
1 changed files with 1 additions and 0 deletions
|
@ -697,6 +697,7 @@ static __inline__ int netlink_broadcast_deliver(struct sock *sk, struct sk_buff
|
||||||
|
|
||||||
if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf &&
|
if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf &&
|
||||||
!test_bit(0, &nlk->state)) {
|
!test_bit(0, &nlk->state)) {
|
||||||
|
skb_orphan(skb);
|
||||||
skb_set_owner_r(skb, sk);
|
skb_set_owner_r(skb, sk);
|
||||||
skb_queue_tail(&sk->sk_receive_queue, skb);
|
skb_queue_tail(&sk->sk_receive_queue, skb);
|
||||||
sk->sk_data_ready(sk, skb->len);
|
sk->sk_data_ready(sk, skb->len);
|
||||||
|
|
Loading…
Reference in a new issue