From: Jeremy Kerr jk@codeconstruct.com.au
commit 60bd1d9008a50cc78c4033a16a6f5d78210d481c upstream.
We may have pending skbs in the receive queue when the sk is being destroyed; add a destructor to purge the queue.
MCTP doesn't use the error queue, so only the receive_queue is purged.
Fixes: 833ef3b91de6 ("mctp: Populate socket implementation") Signed-off-by: Jeremy Kerr jk@codeconstruct.com.au Reviewed-by: Pavan Chebbi pavan.chebbi@broadcom.com Link: https://lore.kernel.org/r/20230126064551.464468-1-jk@codeconstruct.com.au Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/mctp/af_mctp.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/net/mctp/af_mctp.c +++ b/net/mctp/af_mctp.c @@ -587,6 +587,11 @@ static void mctp_sk_unhash(struct sock * del_timer_sync(&msk->key_expiry); }
+static void mctp_sk_destruct(struct sock *sk) +{ + skb_queue_purge(&sk->sk_receive_queue); +} + static struct proto mctp_proto = { .name = "MCTP", .owner = THIS_MODULE, @@ -623,6 +628,7 @@ static int mctp_pf_create(struct net *ne return -ENOMEM;
sock_init_data(sock, sk); + sk->sk_destruct = mctp_sk_destruct;
rc = 0; if (sk->sk_prot->init)