af_iucv: fix oops in iucv_sock_recvmsg() for MSG_PEEK flag

If iucv_sock_recvmsg() is called with MSG_PEEK flag set, the skb is enqueued
twice. If the socket is then closed, the pointer to the skb is freed twice.

Remove the skb_queue_head() call for MSG_PEEK, because the skb_recv_datagram()
function already handles MSG_PEEK (does not dequeue the skb).

Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 2941ee5..42b3be3 100644 (file)
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -814,6 +814,8 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
 
        target = sock_rcvlowat(sk, flags & MSG_WAITALL, len);
 
+       /* receive/dequeue next skb:
+        * the function understands MSG_PEEK and, thus, does not dequeue skb */
        skb = skb_recv_datagram(sk, flags, noblock, &err);
        if (!skb) {
                if (sk->sk_shutdown & RCV_SHUTDOWN)
@@ -861,9 +863,7 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
                                iucv_process_message_q(sk);
                        spin_unlock_bh(&iucv->message_q.lock);
                }
-
-       } else
-               skb_queue_head(&sk->sk_receive_queue, skb);
+       }
 
 done:
        return err ? : copied;