ipc: set msg back to -EAGAIN if copy wasn't performed

commit 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d upstream. Make sure that msg pointer is set back to error value in case of MSG_COPY flag is set and desired message to copy wasn't found. This garantees that msg is either a error pointer or a copy address. Otherwise the last message in queue will be freed without unlinking from the queue (which leads to memory corruption) and the dummy allocated copy won't be released. Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Stanislav Kinsbursky <skinsbursky@parallels.com> 2013-04-01 11:40:51 +0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-04-16 21:48:28 -0700
commit: fccf4d03235294c978b2390a9ce575b33b0fbe5a (patch)
tree: 5fcae6208d44d1936a8227fa4b17fab89cc1cd06 /ipc
parent: 95ffc2b9c20c201cead468e1fe185b8c11f9a55b (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/ipc/msg.c b/ipc/msg.c
index 31cd1bf6af27..fede1d06ef30 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -872,6 +872,7 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp,
 							goto out_unlock;
 						break;
 					}
+					msg = ERR_PTR(-EAGAIN);
 				} else
 					break;
 				msg_counter++;
author	Stanislav Kinsbursky <skinsbursky@parallels.com>	2013-04-01 11:40:51 +0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-04-16 21:48:28 -0700
commit	fccf4d03235294c978b2390a9ce575b33b0fbe5a (patch)
tree	5fcae6208d44d1936a8227fa4b17fab89cc1cd06 /ipc
parent	95ffc2b9c20c201cead468e1fe185b8c11f9a55b (diff)