From 36493e838ff016f2cd54353e81e9213d95c5022f Mon Sep 17 00:00:00 2001 From: "Steven J. Magnani" Date: Tue, 30 Mar 2010 13:56:01 -0700 Subject: [PATCH] net: Fix oops from tcp_collapse() when using splice() commit baff42ab1494528907bf4d5870359e31711746ae upstream. tcp_read_sock() can have a eat skbs without immediately advancing copied_seq. This can cause a panic in tcp_collapse() if it is called as a result of the recv_actor dropping the socket lock. A userspace program that splices data from a socket to either another socket or to a file can trigger this bug. Signed-off-by: Steven J. Magnani Signed-off-by: David S. Miller --- net/ipv4/tcp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 8ae8ea8c1d5d..268426d62530 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -1256,6 +1256,7 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc, sk_eat_skb(sk, skb, 0); if (!desc->count) break; + tp->copied_seq = seq; } tp->copied_seq = seq; -- 2.39.5
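Review bot: the added `tp->copied_seq = seq;` at the bottom of the loop body in tcp_read_sock() has no comment, and without one it reads as redundant with the identical assignment immediately after the loop. Suggest a one-line comment stating that copied_seq has to be advanced once an skb has been eaten and before the next iteration, because, per the commit message, the recv_actor can drop the socket lock and tcp_collapse() may then run against a stale copied_seq; that keeps a later cleanup from removing the line as a duplicate. The `if (!desc->count) break;` exit skips the new line but reaches the post-loop assignment, so that path is covered. Any other exits from the loop lie outside this hunk's context and should be checked for the same invariant.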