• Willem de Bruijn's avatar
    net: correct zerocopy refcnt with udp MSG_MORE · 100f6d8e
    Willem de Bruijn authored
    TCP zerocopy takes a uarg reference for every skb, plus one for the
    tcp_sendmsg_locked datapath temporarily, to avoid reaching refcnt zero
    as it builds, sends and frees skbs inside its inner loop.
    
    UDP and RAW zerocopy do not send inside the inner loop so do not need
    the extra sock_zerocopy_get + sock_zerocopy_put pair. Commit
    52900d22288ed ("udp: elide zerocopy operation in hot path") introduced
    extra_uref to pass the initial reference taken in sock_zerocopy_alloc
    to the first generated skb.
    
    But, sock_zerocopy_realloc takes this extra reference at the start of
    every call. With MSG_MORE, no new skb may be generated to attach the
    extra_uref to, so refcnt is incorrectly 2 with only one skb.
    
    Do not take the extra ref if uarg && !tcp, which implies MSG_MORE.
    Update extra_uref accordingly.
    
    This conditional assignment triggers a false positive may be used
    uninitialized warning, so have to initialize extra_uref at define.
    
    Changes v1->v2: fix typo in Fixes SHA1
    
    Fixes: 52900d22 ("udp: elide zerocopy operation in hot path")
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Diagnosed-by: default avatarEric Dumazet <edumazet@google.com>
    Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    100f6d8e
skbuff.c 142 KB