Commit 110c4330 authored by Eric Dumazet, committed by David S. Miller
net: fix a race in sock_queue_err_skb()

As soon as an skb is queued into socket error queue, another thread
can consume it, so we are not allowed to reference skb anymore, or risk
use after free.

Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
parent 4a7e7c2a
......@@ -3161,6 +3161,8 @@ static void sock_rmem_free(struct sk_buff *skb)
int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
int len = skb->len;
if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
return -ENOMEM;
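Review bot: the new local `int len = skb->len;` at the top of sock_queue_err_skb() has no comment saying why the length is cached, so a later cleanup could fold it back into the sk_data_ready() call and reintroduce the use after free. A one-line comment next to the declaration, stating that skb must not be dereferenced once it has been queued, would keep the intent visible in the code and not only in the commit message.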
......@@ -3175,7 +3177,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
skb_queue_tail(&sk->sk_error_queue, skb);
if (!sock_flag(sk, SOCK_DEAD))
sk->sk_data_ready(sk, skb->len);
sk->sk_data_ready(sk, len);
return 0;
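Review bot: the ownership rule this hunk relies on also binds the callers, and nothing in the function says so. Once `skb_queue_tail(&sk->sk_error_queue, skb);` has run and the function returns 0, a caller that still reads skb has the same race as the replaced `sk->sk_data_ready(sk, skb->len);` line. Consider a comment above sock_queue_err_skb() stating that on success the skb belongs to the error queue and must not be touched again, and audit the existing call sites for reads of skb after a 0 return.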
