From patchwork Wed Dec 20 22:37:49 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
X-Patchwork-Id: 851715
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="VYLcSE9c"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3z28mt12dwz9t3m
	for <patchwork-incoming@ozlabs.org>;
	Thu, 21 Dec 2017 09:38:06 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756665AbdLTWiE (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Wed, 20 Dec 2017 17:38:04 -0500
Received: from mail-yw0-f193.google.com ([209.85.161.193]:44080 "EHLO
	mail-yw0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1756469AbdLTWhy (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 20 Dec 2017 17:37:54 -0500
Received: by mail-yw0-f193.google.com with SMTP id m129so2300353ywb.11
	for <netdev@vger.kernel.org>; Wed, 20 Dec 2017 14:37:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=d2igN5U4TPimKXk3aEkZmGjnCsLMJ5Ah8/VtUZdcGPU=;
	b=VYLcSE9cDVkdHAKgTlyHUjVYHEH0nshDiBgDwz/HTqRuu/Xb0cK8kyFzvz8g6dASSV
	PMIQPYP9dXWdtH7Ey+xGuqb/P05cuSg1JPkh8Ot68RpEsq8zdXpoqJIiv09uNX4VAHuv
	bG7xCoMHd2nDxnZegvLDuKVzSPDAhOIyCMnaLkTtMFa2s/VL5QWjQd57qjFoCFFcBqS9
	Me43DTce4RwJz+be+PVpGaOWr4DpvmT5XXI72LXUWm3lIEQSkemnWc7zmqjPsidfsfaE
	P/PflLgjkE6Mc5aH/jRzeLJPhE7XxfpXEDnms5BvCl1RPVLL+asOS6lwLXldvK7NmgMT
	wuRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=d2igN5U4TPimKXk3aEkZmGjnCsLMJ5Ah8/VtUZdcGPU=;
	b=UVuE2St3yCBim/5MrzmJxI8LUej1PXRpnASfG1nMxjVz5ZK21+eX5Qz+Zs0op0Vfz9
	KZASoTuRwIJiQ5ZQAAYh6NEK9RhW5jaUDFqyRr8ylrLCNfvyataKSkOlbuGKkl9rpw8e
	ul4ZmFOwjM/ofNcD6lsggRlt0kvZat/VFtg+bkS/GsHYDB/qAwSyYwQgSxeopRFrDT8G
	RnDL+YmkjMcbbNoz6Dasaw3hRYUJTibnLHskGgWTx0R2cRdpbpxua4ej0PmA6x1O3N3h
	aADvYXLx+Cjw6h1AZKlh59j9+LAXRVQb0qOWVeASEobks6+c5ubIAUtE3jFdP9w5ZxOk
	uttg==
X-Gm-Message-State: AKGB3mKCNf6Q0dh2eFB2ppQ95AzdLaVN+s+1g2QwCroesIkKoou2yQ9p
	4Sx/7BHVxHL6Yk8HxtjIM+P/FZ60
X-Google-Smtp-Source: 
 ACJfBouLie0x8cg0KKyn820Ckx/jzVSrSj1GIeUgSQqbMl7oE6t4f6zUvwOLHNS+v97DDmyFD212Kw==
X-Received: by 10.129.168.193 with SMTP id
	f184mr6303033ywh.511.1513809473779;
	Wed, 20 Dec 2017 14:37:53 -0800 (PST)
Received: from willemb1.nyc.corp.google.com ([100.101.212.246])
	by smtp.gmail.com with ESMTPSA id
	l33sm8380810ywh.6.2017.12.20.14.37.53
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 20 Dec 2017 14:37:53 -0800 (PST)
From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, Willem de Bruijn <willemb@google.com>
Subject: [PATCH net 1/2] skbuff: orphan frags before zerocopy clone
Date: Wed, 20 Dec 2017 17:37:49 -0500
Message-Id: <20171220223750.27795-2-willemdebruijn.kernel@gmail.com>
X-Mailer: git-send-email 2.15.1.620.gb9897f4670-goog
In-Reply-To: <20171220223750.27795-1-willemdebruijn.kernel@gmail.com>
References: <20171220223750.27795-1-willemdebruijn.kernel@gmail.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Willem de Bruijn <willemb@google.com>

Call skb_zerocopy_clone after skb_orphan_frags, to avoid duplicate
calls to skb_uarg(skb)->callback for the same data.

skb_zerocopy_clone associates skb_shinfo(skb)->uarg from frag_skb
with each segment. This is only safe for uargs that do refcounting,
which is those that pass skb_orphan_frags without dropping their
shared frags. For others, skb_orphan_frags drops the user frags and
sets the uarg to NULL, after which sock_zerocopy_clone has no effect.

Qemu hangs were reported due to duplicate vhost_net_zerocopy_callback
calls for the same data causing the vhost_net_ubuf_ref_>refcount to
drop below zero.

Link: http://lkml.kernel.org/r/<CAF=yD-LWyCD4Y0aJ9O0e_CHLR+3JOeKicRRTEVCPxgw4XOcqGQ@mail.gmail.com>
Fixes: 1f8b977ab32d ("sock: enable MSG_ZEROCOPY")
Reported-by: Andreas Hartmann <andihartmann@01019freenet.de>
Reported-by: David Hill <dhill@redhat.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
---

This fix causes skb_zerocopy_clone to be called for each frag in the
array. I will follow-up with a patch to net-next that will call both
skb_orphan_frags and skb_zerocopy_clone once per skb only.
---
 net/core/skbuff.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a592ca025fc4..edf40ac0cd07 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3654,8 +3654,6 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
 
 		skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags &
 					      SKBTX_SHARED_FRAG;
-		if (skb_zerocopy_clone(nskb, head_skb, GFP_ATOMIC))
-			goto err;
 
 		while (pos < offset + len) {
 			if (i >= nfrags) {
@@ -3681,6 +3679,8 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
 
 			if (unlikely(skb_orphan_frags(frag_skb, GFP_ATOMIC)))
 				goto err;
+			if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
+				goto err;
 
 			*nskb_frag = *frag;
 			__skb_frag_ref(nskb_frag);