Commit ccaffff1 authored by Willem de Bruijn, committed by David S. Miller

sock: fix zerocopy panic in mem accounting

Only call mm_unaccount_pinned_pages when releasing a struct ubuf_info
that has initialized its field uarg->mmp.

Before this patch, a vhost-net with experimental_zcopytx can crash in

  mm_unaccount_pinned_pages
  sock_zerocopy_put
  skb_zcopy_clear
  skb_release_data

Only sock_zerocopy_alloc initializes this field. Move the unaccount
call from generic sock_zerocopy_put to its specific callback
sock_zerocopy_callback.

Fixes: a91dbff5 ("sock: ulimit on MSG_ZEROCOPY pages")
Reported-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent d5e7f827
...@@ -1044,6 +1044,8 @@ void sock_zerocopy_callback(struct ubuf_info *uarg, bool success) ...@@ -1044,6 +1044,8 @@ void sock_zerocopy_callback(struct ubuf_info *uarg, bool success)
u32 lo, hi; u32 lo, hi;
u16 len; u16 len;
mm_unaccount_pinned_pages(&uarg->mmp);
/* if !len, there was only 1 call, and it was aborted /* if !len, there was only 1 call, and it was aborted
* so do not queue a completion notification * so do not queue a completion notification
*/ */
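Review bot: the new `mm_unaccount_pinned_pages(&uarg->mmp);` sits before the `if !len` early-out in sock_zerocopy_callback, so the single-call aborted case still releases its pinned-page accounting rather than leaking it; since the commit message states that sock_zerocopy_alloc is the only initializer of uarg->mmp, a one-line comment above the call saying that this callback owns the unaccounting because it is only ever attached to uargs from sock_zerocopy_alloc would make that pairing explicit to the next reader.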
...@@ -1084,8 +1086,6 @@ EXPORT_SYMBOL_GPL(sock_zerocopy_callback); ...@@ -1084,8 +1086,6 @@ EXPORT_SYMBOL_GPL(sock_zerocopy_callback);
void sock_zerocopy_put(struct ubuf_info *uarg) void sock_zerocopy_put(struct ubuf_info *uarg)
{ {
if (uarg && atomic_dec_and_test(&uarg->refcnt)) { if (uarg && atomic_dec_and_test(&uarg->refcnt)) {
mm_unaccount_pinned_pages(&uarg->mmp);
if (uarg->callback) if (uarg->callback)
uarg->callback(uarg, uarg->zerocopy); uarg->callback(uarg, uarg->zerocopy);
else else
......
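Review bot: with `mm_unaccount_pinned_pages(&uarg->mmp);` removed from the refcnt-zero path in sock_zerocopy_put, the `else` branch (its body is cut off in this view) now frees a callback-less uarg without touching mmp; that is only correct if every ubuf_info whose mmp was initialized by sock_zerocopy_alloc also has uarg->callback set to sock_zerocopy_callback. Worth stating that invariant in a comment here or in the commit message, so a future allocation path that leaves callback NULL does not silently leak the pinned-page accounting.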