Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 09e14305 authored by David S. Miller's avatar David S. Miller Committed by David S. Miller
Browse files

[NETLINK]: Fix infinite loops in synchronous netlink changes. 



The qlen should continue to decrement, even if we
pop partially processed SKBs back onto the receive queue.

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 2a0a6ebe

net/core/rtnetlink.c

+3 −4
Original line number Diff line number Diff line
@@ -626,14 +626,13 @@ static void rtnetlink_rcv(struct sock *sk, int len) 
		if (qlen > skb_queue_len(&sk->sk_receive_queue))

			qlen = skb_queue_len(&sk->sk_receive_queue);



		while (qlen--) {

		for (; qlen; qlen--) {

			skb = skb_dequeue(&sk->sk_receive_queue);

			if (rtnetlink_rcv_skb(skb)) {

				if (skb->len) {

				if (skb->len)

					skb_queue_head(&sk->sk_receive_queue,

						       skb);

					qlen++;

				} else

				else

					kfree_skb(skb);

				break;

			}

net/decnet/netfilter/dn_rtmsg.c

+1 −1
Original line number Diff line number Diff line
@@ -121,7 +121,7 @@ static void dnrmg_receive_user_sk(struct sock *sk, int len) 
	struct sk_buff *skb;

	unsigned int qlen = skb_queue_len(&sk->sk_receive_queue);



	while (qlen-- && (skb = skb_dequeue(&sk->sk_receive_queue))) {

	for (; qlen && (skb = skb_dequeue(&sk->sk_receive_queue)); qlen--) {

		dnrmg_receive_user_skb(skb);

		kfree_skb(skb);

	}

net/xfrm/xfrm_user.c

+3 −4
Original line number Diff line number Diff line
@@ -1018,14 +1018,13 @@ static void xfrm_netlink_rcv(struct sock *sk, int len) 
		if (qlen > skb_queue_len(&sk->sk_receive_queue))

			qlen = skb_queue_len(&sk->sk_receive_queue);



		while (qlen--) {

		for (; qlen; qlen--) {

			skb = skb_dequeue(&sk->sk_receive_queue);

			if (xfrm_user_rcv_skb(skb)) {

				if (skb->len) {

				if (skb->len)

					skb_queue_head(&sk->sk_receive_queue,

						       skb);

					qlen++;

				} else

				else

					kfree_skb(skb);

				break;

			}