net: correct udp zerocopy refcnt also when zerocopy only on append

The below patch fixes an incorrect zerocopy refcnt increment when appending with MSG_MORE to an existing zerocopy udp skb. send(.., MSG_ZEROCOPY | MSG_MORE); // refcnt 1 send(.., MSG_ZEROCOPY | MSG_MORE); // refcnt still 1 (bar frags) But it missed that zerocopy need not be passed at the first send. The right test whether the uarg is newly allocated and thus has extra refcnt 1 is not !skb, but !skb_zcopy. send(.., MSG_MORE); // <no uarg> send(.., MSG_ZEROCOPY); // refcnt 1 Fixes: 100f6d8 ("net: correct zerocopy refcnt with udp MSG_MORE") Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
mrchapp · Jun 11, 2019 · 522924b · 522924b
1 parent dce5ccc
commit 522924b
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
@@ -918,7 +918,7 @@ static int __ip_append_data(struct sock *sk,
  uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb));
  if (!uarg)
  return -ENOBUFS;
- extra_uref = !skb; /* only extra ref if !MSG_MORE */
+ extra_uref = !skb_zcopy(skb); /* only ref on new uarg */
  if (rt->dst.dev->features & NETIF_F_SG &&
  csummode == CHECKSUM_PARTIAL) {
  paged = true;

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
@@ -1340,7 +1340,7 @@ static int __ip6_append_data(struct sock *sk,
  uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb));
  if (!uarg)
  return -ENOBUFS;
- extra_uref = !skb; /* only extra ref if !MSG_MORE */
+ extra_uref = !skb_zcopy(skb); /* only ref on new uarg */
  if (rt->dst.dev->features & NETIF_F_SG &&
  csummode == CHECKSUM_PARTIAL) {
  paged = true;