diff options
author | Willem de Bruijn <willemb@google.com> | 2017-08-09 19:09:43 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2017-08-09 16:49:17 -0700 |
commit | ccaffff182027078e9443d912b5af461850965f4 (patch) | |
tree | 57ab395865cde825c912a20d91cb021beefca6b5 | |
parent | d5e7f827a6a20ca0c3545591dae7d24b2ccf1e70 (diff) |
sock: fix zerocopy panic in mem accounting
Only call mm_unaccount_pinned_pages when releasing a struct ubuf_info
that has initialized its field uarg->mmp.
Before this patch, a vhost-net with experimental_zcopytx can crash in
mm_unaccount_pinned_pages
sock_zerocopy_put
skb_zcopy_clear
skb_release_data
Only sock_zerocopy_alloc initializes this field. Move the unaccount
call from generic sock_zerocopy_put to its specific callback
sock_zerocopy_callback.
Fixes: a91dbff551a6 ("sock: ulimit on MSG_ZEROCOPY pages")
Reported-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/core/skbuff.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 42b62c716a33..cb123590c674 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -1044,6 +1044,8 @@ void sock_zerocopy_callback(struct ubuf_info *uarg, bool success) u32 lo, hi; u16 len; + mm_unaccount_pinned_pages(&uarg->mmp); + /* if !len, there was only 1 call, and it was aborted * so do not queue a completion notification */ @@ -1084,8 +1086,6 @@ EXPORT_SYMBOL_GPL(sock_zerocopy_callback); void sock_zerocopy_put(struct ubuf_info *uarg) { if (uarg && atomic_dec_and_test(&uarg->refcnt)) { - mm_unaccount_pinned_pages(&uarg->mmp); - if (uarg->callback) uarg->callback(uarg, uarg->zerocopy); else |