[UDP]: Fix MSG_PROBE crash

UDP tracks corking status through the pending variable. The IP layer also tracks it through the socket write queue. It is possible for the two to get out of sync when MSG_PROBE is used. This patch changes UDP to check the write queue to ensure that the two stay in sync. Signed-off-by: N Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: N David S. Miller <davem@davemloft.net>

[UDP]: Fix MSG_PROBE crash
UDP tracks corking status through the pending variable. The IP layer also tracks it through the socket write queue. It is possible for the two to get out of sync when MSG_PROBE is used. This patch changes UDP to check the write queue to ensure that the two stay in sync. Signed-off-by: N Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: N David S. Miller <davem@davemloft.net>
1e0c14f4 · Herbert Xu · David S. Miller · 132a55f3 · 1e0c14f4 · 1e0c14f4
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

net/ipv4/udp.c net/ipv4/udp.c +2 -0

net/ipv6/udp.c net/ipv6/udp.c +2 -0

未找到文件。
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -675,6 +675,8 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
 		udp_flush_pending_frames(sk);
 	else if (!corkreq)
 		err = udp_push_pending_frames(sk, up);
+	else if (unlikely(skb_queue_empty(&sk->sk_write_queue)))
+		up->pending = 0;
 	release_sock(sk);
 out:

--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -770,6 +770,8 @@ static int udpv6_sendmsg(struct kiocb *iocb, struct sock *sk,
 		udp_v6_flush_pending_frames(sk);
 	else if (!corkreq)
 		err = udp_v6_push_pending_frames(sk, up);
+	else if (unlikely(skb_queue_empty(&sk->sk_write_queue)))
+		up->pending = 0;
 	if (dst) {
 		if (connected) {