summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWillem de Bruijn <willemb@google.com>2017-08-09 19:09:43 -0400
committerDavid S. Miller <davem@davemloft.net>2017-08-09 16:49:17 -0700
commitccaffff182027078e9443d912b5af461850965f4 (patch)
tree57ab395865cde825c912a20d91cb021beefca6b5
parentd5e7f827a6a20ca0c3545591dae7d24b2ccf1e70 (diff)
sock: fix zerocopy panic in mem accounting
Only call mm_unaccount_pinned_pages when releasing a struct ubuf_info that has initialized its field uarg->mmp. Before this patch, a vhost-net with experimental_zcopytx can crash in mm_unaccount_pinned_pages sock_zerocopy_put skb_zcopy_clear skb_release_data Only sock_zerocopy_alloc initializes this field. Move the unaccount call from generic sock_zerocopy_put to its specific callback sock_zerocopy_callback. Fixes: a91dbff551a6 ("sock: ulimit on MSG_ZEROCOPY pages") Reported-by: David Ahern <dsahern@gmail.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/core/skbuff.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 42b62c716a33..cb123590c674 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1044,6 +1044,8 @@ void sock_zerocopy_callback(struct ubuf_info *uarg, bool success)
u32 lo, hi;
u16 len;
+ mm_unaccount_pinned_pages(&uarg->mmp);
+
/* if !len, there was only 1 call, and it was aborted
* so do not queue a completion notification
*/
@@ -1084,8 +1086,6 @@ EXPORT_SYMBOL_GPL(sock_zerocopy_callback);
void sock_zerocopy_put(struct ubuf_info *uarg)
{
if (uarg && atomic_dec_and_test(&uarg->refcnt)) {
- mm_unaccount_pinned_pages(&uarg->mmp);
-
if (uarg->callback)
uarg->callback(uarg, uarg->zerocopy);
else