git.baikalelectronics.ru Git - kernel.git/commit

author	Willem de Bruijn <willemb@google.com>
	Thu, 30 May 2019 22:01:21 +0000 (18:01 -0400)
committer	David S. Miller <davem@davemloft.net>
	Thu, 30 May 2019 22:54:04 +0000 (15:54 -0700)
commit	866554534e343d1de44c91121575651ec973fbb8
tree	4d3161cefeea7f8ff4dc614a5d0140dd29bd7793	tree \| snapshot
parent	4b8a422423881f6b0f6f388d09bdb69adb717392	commit \| diff

net: correct zerocopy refcnt with udp MSG_MORE

TCP zerocopy takes a uarg reference for every skb, plus one for the
tcp_sendmsg_locked datapath temporarily, to avoid reaching refcnt zero
as it builds, sends and frees skbs inside its inner loop.

UDP and RAW zerocopy do not send inside the inner loop so do not need
the extra sock_zerocopy_get + sock_zerocopy_put pair. Commit
52900d22288ed ("udp: elide zerocopy operation in hot path") introduced
extra_uref to pass the initial reference taken in sock_zerocopy_alloc
to the first generated skb.

But, sock_zerocopy_realloc takes this extra reference at the start of
every call. With MSG_MORE, no new skb may be generated to attach the
extra_uref to, so refcnt is incorrectly 2 with only one skb.

Do not take the extra ref if uarg && !tcp, which implies MSG_MORE.
Update extra_uref accordingly.

This conditional assignment triggers a false positive may be used
uninitialized warning, so have to initialize extra_uref at define.

Changes v1->v2: fix typo in Fixes SHA1

Fixes: 8b6a65ed81678 ("udp: elide zerocopy operation in hot path")
Reported-by: syzbot <syzkaller@googlegroups.com>
Diagnosed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/core/skbuff.c		diff \| blob \| history
net/ipv4/ip_output.c		diff \| blob \| history
net/ipv6/ip6_output.c		diff \| blob \| history