From: Steven J. Magnani Date: Tue, 30 Mar 2010 20:56:01 +0000 (-0700) Subject: net: Fix oops from tcp_collapse() when using splice() X-Git-Tag: v2.6.34-rc5~5^2~52 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=baff42ab1494528907bf4d5870359e31711746ae;p=profile%2Fcommon%2Fkernel-common.git net: Fix oops from tcp_collapse() when using splice() tcp_read_sock() can have a eat skbs without immediately advancing copied_seq. This can cause a panic in tcp_collapse() if it is called as a result of the recv_actor dropping the socket lock. A userspace program that splices data from a socket to either another socket or to a file can trigger this bug. Signed-off-by: Steven J. Magnani Signed-off-by: David S. Miller --- diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 6afb6d8..2c75f89 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -1368,6 +1368,7 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc, sk_eat_skb(sk, skb, 0); if (!desc->count) break; + tp->copied_seq = seq; } tp->copied_seq = seq;
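Review bot: The added `tp->copied_seq = seq;` at the end of the loop body, right after the `if (!desc->count) break;` check, carries no comment. It sits next to the identical assignment just past the closing brace, so it reads as a duplicate that a later cleanup could remove. Suggest a short comment above the new line stating the invariant from the commit message: once `sk_eat_skb(sk, skb, 0)` has eaten an skb, `copied_seq` must be advanced before the next iteration, because the recv_actor can drop the socket lock and tcp_collapse() may then run. The `break` on `!desc->count` skips the new line and relies on the assignment after the loop. That is correct as shown, but the comment should say so, so that the two assignments are kept together.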