* [PATCH net] net: correct udp zerocopy refcnt also when zerocopy only on append
@ 2019-06-07 21:57 Willem de Bruijn
2019-06-11 18:44 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Willem de Bruijn @ 2019-06-07 21:57 UTC (permalink / raw)
To: netdev; +Cc: davem, Willem de Bruijn, syzbot
From: Willem de Bruijn <willemb@google.com>
The below patch fixes an incorrect zerocopy refcnt increment when
appending with MSG_MORE to an existing zerocopy udp skb.
send(.., MSG_ZEROCOPY | MSG_MORE); // refcnt 1
send(.., MSG_ZEROCOPY | MSG_MORE); // refcnt still 1 (bar frags)
But it missed that zerocopy need not be passed at the first send. The
right test whether the uarg is newly allocated and thus has extra
refcnt 1 is not !skb, but !skb_zcopy.
send(.., MSG_MORE); // <no uarg>
send(.., MSG_ZEROCOPY); // refcnt 1
Fixes: 100f6d8e09905 ("net: correct zerocopy refcnt with udp MSG_MORE")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
net/ipv4/ip_output.c | 2 +-
net/ipv6/ip6_output.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 8c9189a41b136..16f9159234a20 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -918,7 +918,7 @@ static int __ip_append_data(struct sock *sk,
uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb));
if (!uarg)
return -ENOBUFS;
- extra_uref = !skb; /* only extra ref if !MSG_MORE */
+ extra_uref = !skb_zcopy(skb); /* only ref on new uarg */
if (rt->dst.dev->features & NETIF_F_SG &&
csummode == CHECKSUM_PARTIAL) {
paged = true;
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 934c88f128abb..834475717110e 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1340,7 +1340,7 @@ static int __ip6_append_data(struct sock *sk,
uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb));
if (!uarg)
return -ENOBUFS;
- extra_uref = !skb; /* only extra ref if !MSG_MORE */
+ extra_uref = !skb_zcopy(skb); /* only ref on new uarg */
if (rt->dst.dev->features & NETIF_F_SG &&
csummode == CHECKSUM_PARTIAL) {
paged = true;
--
2.22.0.rc2.383.gf4fbbf30c2-goog
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net] net: correct udp zerocopy refcnt also when zerocopy only on append
2019-06-07 21:57 [PATCH net] net: correct udp zerocopy refcnt also when zerocopy only on append Willem de Bruijn
@ 2019-06-11 18:44 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2019-06-11 18:44 UTC (permalink / raw)
To: willemdebruijn.kernel; +Cc: netdev, willemb, syzkaller
From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Date: Fri, 7 Jun 2019 17:57:48 -0400
> From: Willem de Bruijn <willemb@google.com>
>
> The below patch fixes an incorrect zerocopy refcnt increment when
> appending with MSG_MORE to an existing zerocopy udp skb.
>
> send(.., MSG_ZEROCOPY | MSG_MORE); // refcnt 1
> send(.., MSG_ZEROCOPY | MSG_MORE); // refcnt still 1 (bar frags)
>
> But it missed that zerocopy need not be passed at the first send. The
> right test whether the uarg is newly allocated and thus has extra
> refcnt 1 is not !skb, but !skb_zcopy.
>
> send(.., MSG_MORE); // <no uarg>
> send(.., MSG_ZEROCOPY); // refcnt 1
>
> Fixes: 100f6d8e09905 ("net: correct zerocopy refcnt with udp MSG_MORE")
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Signed-off-by: Willem de Bruijn <willemb@google.com>
Applied, thanks Willem.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-06-11 18:44 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-07 21:57 [PATCH net] net: correct udp zerocopy refcnt also when zerocopy only on append Willem de Bruijn
2019-06-11 18:44 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).