diff options
| author | Willem de Bruijn <willemb@google.com> | 2019-06-07 17:57:48 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-06-11 11:40:54 -0700 |
| commit | 522924b583082f51b8a2406624a2f27c22119b20 (patch) | |
| tree | 74e958e6694bd5adbd77ffc23e88f760f494c03f /net/ipv6/ip6_output.c | |
| parent | dce5ccccd1231c6eaec5ede80bce85f2ae536826 (diff) | |
| download | linux-522924b583082f51b8a2406624a2f27c22119b20.tar.gz linux-522924b583082f51b8a2406624a2f27c22119b20.tar.bz2 linux-522924b583082f51b8a2406624a2f27c22119b20.zip | |
net: correct udp zerocopy refcnt also when zerocopy only on append
The below patch fixes an incorrect zerocopy refcnt increment when
appending with MSG_MORE to an existing zerocopy udp skb.
send(.., MSG_ZEROCOPY | MSG_MORE); // refcnt 1
send(.., MSG_ZEROCOPY | MSG_MORE); // refcnt still 1 (bar frags)
But it missed that zerocopy need not be passed at the first send. The
right test whether the uarg is newly allocated and thus has extra
refcnt 1 is not !skb, but !skb_zcopy.
send(.., MSG_MORE); // <no uarg>
send(.., MSG_ZEROCOPY); // refcnt 1
Fixes: 100f6d8e09905 ("net: correct zerocopy refcnt with udp MSG_MORE")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/ip6_output.c')
| -rw-r--r-- | net/ipv6/ip6_output.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 934c88f128ab..834475717110 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -1340,7 +1340,7 @@ emsgsize: uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb)); if (!uarg) return -ENOBUFS; - extra_uref = !skb; /* only extra ref if !MSG_MORE */ + extra_uref = !skb_zcopy(skb); /* only ref on new uarg */ if (rt->dst.dev->features & NETIF_F_SG && csummode == CHECKSUM_PARTIAL) { paged = true; |