From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Tue, 3 Oct 2006 21:35:49 +0000 (-0700)
Subject: [UDP]: Fix MSG_PROBE crash
X-Git-Tag: v2.6.19-rc1~33^2~10
X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1e0c14f49d6b393179f423abbac47f85618d3d46;p=linux-2.6

[UDP]: Fix MSG_PROBE crash

UDP tracks corking status through the pending variable.  The
IP layer also tracks it through the socket write queue.  It
is possible for the two to get out of sync when MSG_PROBE is
used.

This patch changes UDP to check the write queue to ensure
that the two stay in sync.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 6d6142f9c4..865d75214a 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -675,6 +675,8 @@ do_append_data:
 		udp_flush_pending_frames(sk);
 	else if (!corkreq)
 		err = udp_push_pending_frames(sk, up);
+	else if (unlikely(skb_queue_empty(&sk->sk_write_queue)))
+		up->pending = 0;
 	release_sock(sk);
 
 out:
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 552ec0f449..e0c3934a7e 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -770,6 +770,8 @@ do_append_data:
 		udp_v6_flush_pending_frames(sk);
 	else if (!corkreq)
 		err = udp_v6_push_pending_frames(sk, up);
+	else if (unlikely(skb_queue_empty(&sk->sk_write_queue)))
+		up->pending = 0;
 
 	if (dst) {
 		if (connected) {