aboutsummaryrefslogtreecommitdiff
path: root/sys/sys/sockbuf.h
diff options
context:
space:
mode:
authorMark Johnston <markj@FreeBSD.org>2020-04-10 20:42:11 +0000
committerMark Johnston <markj@FreeBSD.org>2020-04-10 20:42:11 +0000
commit25f4ddfb2b1c125cd59562be105448ce576db927 (patch)
treeaeff6f98aeb674aaeabb4e86b322055ad3a5abc0 /sys/sys/sockbuf.h
parenta50b1900a02f1e279cc5822d06af90e704bc32db (diff)
downloadsrc-25f4ddfb2b1c125cd59562be105448ce576db927.tar.gz
src-25f4ddfb2b1c125cd59562be105448ce576db927.zip
sbappendcontrol() needs to avoid clearing M_NOTREADY on data mbufs.
If LOCAL_CREDS is set on a unix socket and sendfile() is called, sendfile will call uipc_send(PRUS_NOTREADY), prepending a control message to the M_NOTREADY mbufs. uipc_send() then calls sbappendcontrol() instead of sbappend(), and sbappendcontrol() would erroneously clear M_NOTREADY. Pass send flags to sbappendcontrol(), like we do for sbappend(), to preserve M_READY when necessary. Reported by: syzkaller MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D24333
Notes
Notes: svn path=/head/; revision=359779
Diffstat (limited to 'sys/sys/sockbuf.h')
-rw-r--r--sys/sys/sockbuf.h4
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/sys/sockbuf.h b/sys/sys/sockbuf.h
index eb14ea8ee8ff..6e2340eabd50 100644
--- a/sys/sys/sockbuf.h
+++ b/sys/sys/sockbuf.h
@@ -145,9 +145,9 @@ int sbappendaddr_locked(struct sockbuf *sb, const struct sockaddr *asa,
int sbappendaddr_nospacecheck_locked(struct sockbuf *sb,
const struct sockaddr *asa, struct mbuf *m0, struct mbuf *control);
void sbappendcontrol(struct sockbuf *sb, struct mbuf *m0,
- struct mbuf *control);
+ struct mbuf *control, int flags);
void sbappendcontrol_locked(struct sockbuf *sb, struct mbuf *m0,
- struct mbuf *control);
+ struct mbuf *control, int flags);
void sbappendrecord(struct sockbuf *sb, struct mbuf *m0);
void sbappendrecord_locked(struct sockbuf *sb, struct mbuf *m0);
void sbcompress(struct sockbuf *sb, struct mbuf *m, struct mbuf *n);