Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f2a77991 authored by Ursula Braun's avatar Ursula Braun Committed by David S. Miller
Browse files

[AF_IUCV]: defensive programming of iucv_callback_txdone 



The loop in iucv_callback_txdone presumes existence of an entry
with msg->tag in the send_skb_q list. In error cases this
assumption might be wrong and might cause an endless loop.
Loop is rewritten to guarantee loop end in case of missing
msg->tag entry in send_skb_q.

Signed-off-by: default avatarUrsula Braun <braunu@de.ibm.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent d4444722

net/iucv/af_iucv.c

+14 −7
Original line number Diff line number Diff line
@@ -1112,24 +1112,31 @@ static void iucv_callback_txdone(struct iucv_path *path, 
				 struct iucv_message *msg)

{

	struct sock *sk = path->private;

	struct sk_buff *this;

	struct sk_buff *this = NULL;

	struct sk_buff_head *list = &iucv_sk(sk)->send_skb_q;

	struct sk_buff *list_skb = list->next;

	unsigned long flags;



	if (list_skb) {

	if (!skb_queue_empty(list)) {

		spin_lock_irqsave(&list->lock, flags);



		do {

		while (list_skb != (struct sk_buff *)list) {

			if (!memcmp(&msg->tag, list_skb->cb, 4)) {

				this = list_skb;

				break;

			}

			list_skb = list_skb->next;

		} while (memcmp(&msg->tag, this->cb, 4) && list_skb);

		}

		if (this)

			__skb_unlink(this, list);



		spin_unlock_irqrestore(&list->lock, flags);



		if (this)

			kfree_skb(this);

	}

	if (!this)

		printk(KERN_ERR "AF_IUCV msg tag %u not found\n", msg->tag);



	if (sk->sk_state == IUCV_CLOSING) {

		if (skb_queue_empty(&iucv_sk(sk)->send_skb_q)) {