From: Paolo Abeni <pab...@redhat.com>
Date: Tue, 5 Jun 2018 12:32:33 +0200
> @@ -1157,7 +1158,9 @@ static int kcm_recvmsg(struct socket *sock, struct > msghdr *msg, > /* Finished with message */ > msg->msg_flags |= MSG_EOR; > KCM_STATS_INCR(kcm->stats.rx_msgs); > + spin_lock_bh(&kcm->mux->rx_lock); > skb_unlink(skb, &sk->sk_receive_queue); > + spin_unlock_bh(&kcm->mux->rx_lock);

Hmmm, maybe I don't understand the corruption.

But, skb_unlink() takes the sk->sk_receive_queue.lock which should prevent SKB list corruption.
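
Review bot: the new spin_lock_bh(&kcm->mux->rx_lock) / spin_unlock_bh() pair around skb_unlink(skb, &sk->sk_receive_queue) in kcm_recvmsg() carries no comment saying which other writer to sk_receive_queue it serializes against. skb_unlink() already takes the queue's own lock, so the extra lock only helps if some other path modifies this list while holding mux->rx_lock but not the queue lock; name that path in a comment or in the changelog, and consider whether making that path use a locked queue helper would be the narrower fix. The hunk also establishes a nesting order (mux->rx_lock outside sk_receive_queue.lock), which is worth stating so it can be checked against other users of the two locks.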