[net,1/2] skbuff: orphan frags before zerocopy clone

Message ID	20171220223750.27795-2-willemdebruijn.kernel@gmail.com
State	Accepted, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> From: Willem de Bruijn <willemdebruijn.kernel@gmail.com> To: netdev@vger.kernel.org Cc: davem@davemloft.net, Willem de Bruijn <willemb@google.com> Subject: [PATCH net 1/2] skbuff: orphan frags before zerocopy clone Date: Wed, 20 Dec 2017 17:37:49 -0500 Message-Id: <20171220223750.27795-2-willemdebruijn.kernel@gmail.com> In-Reply-To: <20171220223750.27795-1-willemdebruijn.kernel@gmail.com> References: <20171220223750.27795-1-willemdebruijn.kernel@gmail.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk
Series	zerocopy fixes \| expand [net,0/2] zerocopy fixes [net,1/2] skbuff: orphan frags before zerocopy clone [net,2/2] skbuff: skb_copy_ubufs must release uarg even without user frags

Message ID

20171220223750.27795-2-willemdebruijn.kernel@gmail.com

State

Accepted, archived

Delegated to:

David Miller

Headers

From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, Willem de Bruijn <willemb@google.com>
Subject: [PATCH net 1/2] skbuff: orphan frags before zerocopy clone
Date: Wed, 20 Dec 2017 17:37:49 -0500
Message-Id: <20171220223750.27795-2-willemdebruijn.kernel@gmail.com>
In-Reply-To: <20171220223750.27795-1-willemdebruijn.kernel@gmail.com>
References: <20171220223750.27795-1-willemdebruijn.kernel@gmail.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Series

zerocopy fixes | expand

Commit Message

Willem de Bruijn Dec. 20, 2017, 10:37 p.m. UTC

From: Willem de Bruijn <willemb@google.com>

Call skb_zerocopy_clone after skb_orphan_frags, to avoid duplicate
calls to skb_uarg(skb)->callback for the same data.

skb_zerocopy_clone associates skb_shinfo(skb)->uarg from frag_skb
with each segment. This is only safe for uargs that do refcounting,
which is those that pass skb_orphan_frags without dropping their
shared frags. For others, skb_orphan_frags drops the user frags and
sets the uarg to NULL, after which sock_zerocopy_clone has no effect.

Qemu hangs were reported due to duplicate vhost_net_zerocopy_callback
calls for the same data causing the vhost_net_ubuf_ref_>refcount to
drop below zero.

Link: http://lkml.kernel.org/r/<CAF=yD-LWyCD4Y0aJ9O0e_CHLR+3JOeKicRRTEVCPxgw4XOcqGQ@mail.gmail.com>
Fixes: 1f8b977ab32d ("sock: enable MSG_ZEROCOPY")
Reported-by: Andreas Hartmann <andihartmann@01019freenet.de>
Reported-by: David Hill <dhill@redhat.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>

---

This fix causes skb_zerocopy_clone to be called for each frag in the
array. I will follow-up with a patch to net-next that will call both
skb_orphan_frags and skb_zerocopy_clone once per skb only.
---
 net/core/skbuff.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a592ca025fc4..edf40ac0cd07 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3654,8 +3654,6 @@  struct sk_buff *skb_segment(struct sk_buff *head_skb,
 
 		skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags &
 					      SKBTX_SHARED_FRAG;
-		if (skb_zerocopy_clone(nskb, head_skb, GFP_ATOMIC))
-			goto err;
 
 		while (pos < offset + len) {
 			if (i >= nfrags) {
@@ -3681,6 +3679,8 @@  struct sk_buff *skb_segment(struct sk_buff *head_skb,
 
 			if (unlikely(skb_orphan_frags(frag_skb, GFP_ATOMIC)))
 				goto err;
+			if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
+				goto err;
 
 			*nskb_frag = *frag;
 			__skb_frag_ref(nskb_frag);

[net,1/2] skbuff: orphan frags before zerocopy clone

Commit Message

Patch