Commit 522924b5 authored Jun 07, 2019 by Willem de Bruijn Committed by David S. Miller Jun 11, 2019

net: correct udp zerocopy refcnt also when zerocopy only on append



The below patch fixes an incorrect zerocopy refcnt increment when
appending with MSG_MORE to an existing zerocopy udp skb.

  send(.., MSG_ZEROCOPY | MSG_MORE);	// refcnt 1
  send(.., MSG_ZEROCOPY | MSG_MORE);	// refcnt still 1 (bar frags)

But it missed that zerocopy need not be passed at the first send. The
right test whether the uarg is newly allocated and thus has extra
refcnt 1 is not !skb, but !skb_zcopy.

  send(.., MSG_MORE);			// <no uarg>
  send(.., MSG_ZEROCOPY);		// refcnt 1

Fixes: 100f6d8e ("net: correct zerocopy refcnt with udp MSG_MORE")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent dce5cccc

net/ipv4/ip_output.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -918,7 +918,7 @@ static int __ip_append_data(struct sock *sk,
		uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb));
		if (!uarg)
		return -ENOBUFS;
		extra_uref = !skb; /* only extra ref if !MSG_MORE */
		extra_uref = !skb_zcopy(skb); /* only ref on new uarg */
		if (rt->dst.dev->features & NETIF_F_SG &&
		csummode == CHECKSUM_PARTIAL) {
		paged = true;

net/ipv6/ip6_output.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1340,7 +1340,7 @@ static int __ip6_append_data(struct sock *sk,
		uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb));
		if (!uarg)
		return -ENOBUFS;
		extra_uref = !skb; /* only extra ref if !MSG_MORE */
		extra_uref = !skb_zcopy(skb); /* only ref on new uarg */
		if (rt->dst.dev->features & NETIF_F_SG &&
		csummode == CHECKSUM_PARTIAL) {
		paged = true;