From: Benjamin Poirier <bpoirier@suse.de>
Date: Mon, 29 Apr 2013 11:42:12 +0000 (+0000)
Subject: unix/dgram: peek beyond 0-sized skbs
X-Git-Tag: v3.10-rc1~132^2~15^2~2
X-Git-Url: https://git.kernel.dk/?a=commitdiff_plain;h=add05ad4e9f5c4efee9b98535db5efa32b0d0492;p=linux-2.6-block.git

unix/dgram: peek beyond 0-sized skbs

"77c1090 net: fix infinite loop in __skb_recv_datagram()" (v3.8) introduced a
regression:
After that commit, recv can no longer peek beyond a 0-sized skb in the queue.
__skb_recv_datagram() instead stops at the first skb with len == 0 and results
in the system call failing with -EFAULT via skb_copy_datagram_iovec().

When peeking at an offset with 0-sized skb(s), each one of those is received
only once, in sequence. The offset starts moving forward again after receiving
datagrams with len > 0.

Signed-off-by: Benjamin Poirier <bpoirier@suse.de>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/core/datagram.c b/net/core/datagram.c
index 368f9c3f9dc6..99c4f525b1d9 100644
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -187,7 +187,8 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
 		skb_queue_walk(queue, skb) {
 			*peeked = skb->peeked;
 			if (flags & MSG_PEEK) {
-				if (*off >= skb->len && skb->len) {
+				if (*off >= skb->len && (skb->len || *off ||
+							 skb->peeked)) {
 					*off -= skb->len;
 					continue;
 				}