| From 99537bdb8d10c5030437f1a10c35c9d2dd272200 Mon Sep 17 00:00:00 2001 |
| From: Steven J. Magnani <steve@digidescorp.com> |
| Date: Tue, 30 Mar 2010 13:56:01 -0700 |
| Subject: net: Fix oops from tcp_collapse() when using splice() |
| |
| |
| From: Steven J. Magnani <steve@digidescorp.com> |
| |
| [ Upstream commit baff42ab1494528907bf4d5870359e31711746ae ] |
| |
| tcp_read_sock() can eat skbs without immediately advancing copied_seq. |
| This can cause a panic in tcp_collapse() if it is called as a result |
| of the recv_actor dropping the socket lock. |
| |
| A userspace program that splices data from a socket to either another |
| socket or to a file can trigger this bug. |
| |
| Signed-off-by: Steven J. Magnani <steve@digidescorp.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| --- |
| net/ipv4/tcp.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/net/ipv4/tcp.c |
| +++ b/net/ipv4/tcp.c |
| @@ -1335,6 +1335,7 @@ int tcp_read_sock(struct sock *sk, read_ |
| sk_eat_skb(sk, skb, 0); |
| if (!desc->count) |
| break; |
| + tp->copied_seq = seq; |
| } |
| tp->copied_seq = seq; |
| |
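Review bot: the added `tp->copied_seq = seq;` at the bottom of the loop body carries no comment, and with the identical assignment directly after the loop it reads as redundant, so a later cleanup could remove it. A one-line comment above it would help, for example `/* recv_actor may drop the socket lock; keep copied_seq in step with the skbs already eaten */`, which is the reason the commit message gives. The assignment after the loop still has to stay, because the `break` on `!desc->count` leaves the loop before the new line runs.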