[PATCH net-next 0/2] zerocopy fixes

[PATCH net-next 0/2] zerocopy fixes

[Willem de Bruijn]

From: Willem de Bruijn <willemb@google.com>

Fix two issues introduced in the msg_zerocopy patchset.

Willem de Bruijn (2):
  sock: fix zerocopy panic in mem accounting
  sock: fix zerocopy_success regression with msg_zerocopy

 include/linux/skbuff.h | 9 +++++++--
 net/core/skbuff.c      | 4 ++--
 2 files changed, 9 insertions(+), 4 deletions(-)

-- 
2.14.0.434.g98096fd7a8-goog

[PATCH net-next 1/2] sock: fix zerocopy panic in mem accounting

[Willem de Bruijn]

From: Willem de Bruijn <willemb@google.com>

Only call mm_unaccount_pinned_pages when releasing a struct ubuf_info
that has initialized its field uarg->mmp.

Before this patch, a vhost-net with experimental_zcopytx can crash in

  mm_unaccount_pinned_pages
  sock_zerocopy_put
  skb_zcopy_clear
  skb_release_data

Only sock_zerocopy_alloc initializes this field. Move the unaccount
call from generic sock_zerocopy_put to its specific callback
sock_zerocopy_callback.

Fixes: a91dbff551a6 ("sock: ulimit on MSG_ZEROCOPY pages")
Reported-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
 net/core/skbuff.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 42b62c716a33..cb123590c674 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1044,6 +1044,8 @@ void sock_zerocopy_callback(struct ubuf_info *uarg, bool success)
 	u32 lo, hi;
 	u16 len;
 
+	mm_unaccount_pinned_pages(&uarg->mmp);
+
 	/* if !len, there was only 1 call, and it was aborted
 	 * so do not queue a completion notification
 	 */
@@ -1084,8 +1086,6 @@ EXPORT_SYMBOL_GPL(sock_zerocopy_callback);
 void sock_zerocopy_put(struct ubuf_info *uarg)
 {
 	if (uarg && atomic_dec_and_test(&uarg->refcnt)) {
-		mm_unaccount_pinned_pages(&uarg->mmp);
-
 		if (uarg->callback)
 			uarg->callback(uarg, uarg->zerocopy);
 		else
-- 
2.14.0.434.g98096fd7a8-goog

[PATCH net-next 2/2] sock: fix zerocopy_success regression with msg_zerocopy

[Willem de Bruijn]

From: Willem de Bruijn <willemb@google.com>

Do not use uarg->zerocopy outside msg_zerocopy. In other paths the
field is not explicitly initialized and aliases another field.

Those paths have only one reference so do not need this intermediate
variable. Call uarg->callback directly.

Fixes: 1f8b977ab32d ("sock: enable MSG_ZEROCOPY")
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
 include/linux/skbuff.h | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 8c0708d2e5e6..7594e19bce62 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -1273,8 +1273,13 @@ static inline void skb_zcopy_clear(struct sk_buff *skb, bool zerocopy)
 	struct ubuf_info *uarg = skb_zcopy(skb);
 
 	if (uarg) {
-		uarg->zerocopy = uarg->zerocopy && zerocopy;
-		sock_zerocopy_put(uarg);
+		if (uarg->callback == sock_zerocopy_callback) {
+			uarg->zerocopy = uarg->zerocopy && zerocopy;
+			sock_zerocopy_put(uarg);
+		} else {
+			uarg->callback(uarg, zerocopy);
+		}
+
 		skb_shinfo(skb)->tx_flags &= ~SKBTX_ZEROCOPY_FRAG;
 	}
 }
-- 
2.14.0.434.g98096fd7a8-goog

Re: [PATCH net-next 0/2] zerocopy fixes

[David Miller]

From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Date: Wed,  9 Aug 2017 19:09:42 -0400

> Fix two issues introduced in the msg_zerocopy patchset.

Series applied, thanks for following up on this so quickly.

Re: [PATCH net-next 0/2] zerocopy fixes

[David Ahern]

On 8/9/17 5:09 PM, Willem de Bruijn wrote:
> From: Willem de Bruijn <willemb@google.com>
> 
> Fix two issues introduced in the msg_zerocopy patchset.
> 
> Willem de Bruijn (2):
>   sock: fix zerocopy panic in mem accounting
>   sock: fix zerocopy_success regression with msg_zerocopy
> 
>  include/linux/skbuff.h | 9 +++++++--
>  net/core/skbuff.c      | 4 ++--
>  2 files changed, 9 insertions(+), 4 deletions(-)
> 

Fixes the problem I reported. Thanks for the quick turn around.