From: Hans-Joachim Picht <hpicht@redhat.com> Date: Fri, 27 Feb 2009 20:51:14 +0100 Subject: [s390] af_iucv: hang if recvmsg is used with MSG_PEEK Message-id: 20090227195114.GO2447@redhat.com O-Subject: [RHEL5 U4 PATCH 1/7] s390 - af_iucv: System hang if recvmsg() is used with MSG_PEEK Bugzilla: 487703 Description ============ Receiving socket data with MSG_PEEK flag set causes a systen hang. If iucv_sock_recvmsg() is called with the MSG_PEEK flag set, the skb is enqueued twice. If the socket is then closed, the pointer to the skb is also freed twice and causes a kernel oops. Solution: Remove the skb_queue_head() call for MSG_PEEK, because the skb_recv_datagram() function already handles MSG_PEEK (it actually does not dequeue the skb). Bugzilla ========= BZ 487703 https://bugzilla.redhat.com/show_bug.cgi?id=487703 Upstream status of the patch: ============================= This patch is included in linux-2.6 as git commit e2e5a0f2b100a5204d27def8bbf73333d1710be2 Test status: ============ The patch has been tested and fixes the problem. The fix has been verified by the IBM test department. Please ACK. With best regards, --Hans diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c index feac18b..8038be3 100644 --- a/net/iucv/af_iucv.c +++ b/net/iucv/af_iucv.c @@ -780,6 +780,8 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock, target = sock_rcvlowat(sk, flags & MSG_WAITALL, len); + /* receive/dequeue next skb: + * the function understands MSG_PEEK and, thus, does not dequeue skb */ skb = skb_recv_datagram(sk, flags, noblock, &err); if (!skb) { if (sk->sk_shutdown & RCV_SHUTDOWN) @@ -827,9 +829,7 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock, iucv_process_message_q(sk); spin_unlock_bh(&iucv->message_q.lock); } - - } else - skb_queue_head(&sk->sk_receive_queue, skb); + } done: return err ? : copied;