From patchwork Wed Dec 20 22:37:49 2017
X-Patchwork-Submitter: Willem de Bruijn
X-Patchwork-Id: 851715
X-Patchwork-Delegate: davem@davemloft.net
From: Willem de Bruijn
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, Willem de Bruijn
Subject: [PATCH net 1/2] skbuff: orphan frags before zerocopy clone
Date: Wed, 20 Dec 2017 17:37:49 -0500
Message-Id: <20171220223750.27795-2-willemdebruijn.kernel@gmail.com>
In-Reply-To: <20171220223750.27795-1-willemdebruijn.kernel@gmail.com>
References: <20171220223750.27795-1-willemdebruijn.kernel@gmail.com>

From: Willem de Bruijn

Call skb_zerocopy_clone after skb_orphan_frags, to avoid duplicate
calls to skb_uarg(skb)->callback for the same data.

skb_zerocopy_clone associates skb_shinfo(skb)->uarg from frag_skb
with each segment. This is only safe for uargs that do refcounting,
which is those that pass skb_orphan_frags without dropping their
shared frags. For others, skb_orphan_frags drops the user frags and
sets the uarg to NULL, after which sock_zerocopy_clone has no effect.

Qemu hangs were reported due to duplicate vhost_net_zerocopy_callback
calls for the same data causing the vhost_net_ubuf_ref->refcount to
drop below zero.

Link: http://lkml.kernel.org/r/
Fixes: 1f8b977ab32d ("sock: enable MSG_ZEROCOPY")
Reported-by: Andreas Hartmann
Reported-by: David Hill
Signed-off-by: Willem de Bruijn
---

This fix causes skb_zerocopy_clone to be called for each frag in the
array. I will follow-up with a patch to net-next that will call both
skb_orphan_frags and skb_zerocopy_clone once per skb only.

---
 net/core/skbuff.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c index a592ca025fc4..edf40ac0cd07 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -3654,8 +3654,6 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags & SKBTX_SHARED_FRAG; - if (skb_zerocopy_clone(nskb, head_skb, GFP_ATOMIC)) - goto err; while (pos < offset + len) { if (i >= nfrags) { 
@@ -3681,6 +3679,8 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, if (unlikely(skb_orphan_frags(frag_skb, GFP_ATOMIC))) goto err; + if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC)) + goto err; *nskb_frag = *frag; __skb_frag_ref(nskb_frag);
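
Review bot: In the first hunk of patch 1/2 (@@ -3654), dropping the call that sat before "while (pos < offset + len)" means a segment for which that loop body never runs no longer gets any skb_zerocopy_clone call, and the source skb changes from head_skb to frag_skb. If a segment that takes no frags is meant to carry no uarg, state that in the commit message; otherwise keep a call for that case.
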
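
Review bot: In the second hunk of patch 1/2 (@@ -3681), the added "if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))" is only correct because it follows skb_orphan_frags(frag_skb, GFP_ATOMIC), yet nothing at the call site records that ordering. Add a one-line comment above the call saying it must stay after skb_orphan_frags, so a later cleanup does not hoist it back out. The call now sits on the per-frag path, so the changelog should also say that repeating it for the same nskb and uarg takes no extra reference; the hunk does not show that.
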

From patchwork Wed Dec 20 22:37:50 2017
X-Patchwork-Submitter: Willem de Bruijn
X-Patchwork-Id: 851714
X-Patchwork-Delegate: davem@davemloft.net
From: Willem de Bruijn
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, Willem de Bruijn
Subject: [PATCH net 2/2] skbuff: skb_copy_ubufs must release uarg even without user frags
Date: Wed, 20 Dec 2017 17:37:50 -0500
Message-Id: <20171220223750.27795-3-willemdebruijn.kernel@gmail.com>
In-Reply-To: <20171220223750.27795-1-willemdebruijn.kernel@gmail.com>
References: <20171220223750.27795-1-willemdebruijn.kernel@gmail.com>

From: Willem de Bruijn

skb_copy_ubufs creates a private copy of frags[] to release its hold
on user frags, then calls uarg->callback to notify the owner.

Call uarg->callback even when no frags exist. This edge case can
happen when zerocopy_sg_from_iter finds enough room in skb_headlen
to copy all the data.

Fixes: 3ece782693c4 ("sock: skb_copy_ubufs support for compound pages")
Signed-off-by: Willem de Bruijn
---
 net/core/skbuff.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c index edf40ac0cd07..a3cb0be4c6f3 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -1178,7 +1178,7 @@ int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask) u32 d_off; if (!num_frags) - return 0; + goto release; if (skb_shared(skb) || skb_unclone(skb, gfp_mask)) return -EINVAL; @@ -1238,6 +1238,7 @@ int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask) __skb_fill_page_desc(skb, new_frags - 1, head, 0, d_off); skb_shinfo(skb)->nr_frags = new_frags; +release: skb_zcopy_clear(skb, false); return 0; }
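
Review bot: In the first hunk of patch 2/2 (@@ -1178), the new "goto release" jumps past the "if (skb_shared(skb) || skb_unclone(skb, gfp_mask)) return -EINVAL;" check that follows it, so skb_zcopy_clear(skb, false) can now run on an skb that is shared or still cloned. Either move the num_frags test below that check so both paths are validated the same way, or explain in the changelog why clearing the uarg on a shared skb is safe.
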
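
Review bot: In the second hunk of patch 2/2 (@@ -1238), the "release:" label makes the no-frags path share skb_zcopy_clear(skb, false) with the copy path, and nothing at the label or in the visible function body says so. A short comment at the label stating that the uarg is released even when there were no frags to copy would keep a later cleanup from restoring the early "return 0".
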