From 09e14305982efc2f3b509d3c50ef5dcbff64a998 Mon Sep 17 00:00:00 2001
From: "David S. Miller" <davem@sunset.davemloft.net>
Date: Tue, 3 May 2005 15:30:05 -0700
Subject: [PATCH] [NETLINK]: Fix infinite loops in synchronous netlink changes.

The qlen should continue to decrement, even if we
pop partially processed SKBs back onto the receive queue.

Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/core/rtnetlink.c            | 7 +++----
 net/decnet/netfilter/dn_rtmsg.c | 2 +-
 net/xfrm/xfrm_user.c            | 7 +++----
 3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 6e1ab1e34b2..75b6d33b529 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -626,14 +626,13 @@ static void rtnetlink_rcv(struct sock *sk, int len)
 		if (qlen > skb_queue_len(&sk->sk_receive_queue))
 			qlen = skb_queue_len(&sk->sk_receive_queue);
 
-		while (qlen--) {
+		for (; qlen; qlen--) {
 			skb = skb_dequeue(&sk->sk_receive_queue);
 			if (rtnetlink_rcv_skb(skb)) {
-				if (skb->len) {
+				if (skb->len)
 					skb_queue_head(&sk->sk_receive_queue,
 						       skb);
-					qlen++;
-				} else
+				else
 					kfree_skb(skb);
 				break;
 			}
diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
index 101ddef9ba9..284a9998e53 100644
--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -121,7 +121,7 @@ static void dnrmg_receive_user_sk(struct sock *sk, int len)
 	struct sk_buff *skb;
 	unsigned int qlen = skb_queue_len(&sk->sk_receive_queue);
 
-	while (qlen-- && (skb = skb_dequeue(&sk->sk_receive_queue))) {
+	for (; qlen && (skb = skb_dequeue(&sk->sk_receive_queue)); qlen--) {
 		dnrmg_receive_user_skb(skb);
 		kfree_skb(skb);
 	}
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index dab112f1dd8..e8740a4a1d7 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1018,14 +1018,13 @@ static void xfrm_netlink_rcv(struct sock *sk, int len)
 		if (qlen > skb_queue_len(&sk->sk_receive_queue))
 			qlen = skb_queue_len(&sk->sk_receive_queue);
 
-		while (qlen--) {
+		for (; qlen; qlen--) {
 			skb = skb_dequeue(&sk->sk_receive_queue);
 			if (xfrm_user_rcv_skb(skb)) {
-				if (skb->len) {
+				if (skb->len)
 					skb_queue_head(&sk->sk_receive_queue,
 						       skb);
-					qlen++;
-				} else
+				else
 					kfree_skb(skb);
 				break;
 			}