sock: fix zerocopy panic in mem accounting
author Willem de Bruijn <willemb@google.com>
Wed, 9 Aug 2017 23:09:43 +0000 (19:09 -0400)
committer David S. Miller <davem@davemloft.net>
Wed, 9 Aug 2017 23:49:17 +0000 (16:49 -0700)
Only call mm_unaccount_pinned_pages when releasing a struct ubuf_info
that has initialized its field uarg->mmp.

Before this patch, a vhost-net with experimental_zcopytx can crash in

  mm_unaccount_pinned_pages
  sock_zerocopy_put
  skb_zcopy_clear
  skb_release_data

Only sock_zerocopy_alloc initializes this field. Move the unaccount
call from generic sock_zerocopy_put to its specific callback
sock_zerocopy_callback.

Fixes: a91dbff551a6 ("sock: ulimit on MSG_ZEROCOPY pages")
Reported-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/skbuff.c

index 42b62c7..cb12359 100644
@@ -1044,6 +1044,8 @@ void sock_zerocopy_callback(struct ubuf_info *uarg, bool success)
        u32 lo, hi;
        u16 len;
 
+       mm_unaccount_pinned_pages(&uarg->mmp);
+
        /* if !len, there was only 1 call, and it was aborted
         * so do not queue a completion notification
         */
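Review bot: the new mm_unaccount_pinned_pages(&uarg->mmp) call at the top of sock_zerocopy_callback is unconditional, so it relies on the invariant that every ubuf_info reaching this callback was created by sock_zerocopy_alloc (the only place that initializes uarg->mmp); that invariant is stated only in the commit message, so a one-line comment above the call such as "/* uarg->mmp is only valid for ubuf_info from sock_zerocopy_alloc */" would keep a future caller from wiring this callback to a foreign ubuf_info and reintroducing the crash. Placing the unaccount before the "if !len" early return also looks right, since the pinned-page charge must be released whether or not a completion notification is queued.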
@@ -1084,8 +1086,6 @@ EXPORT_SYMBOL_GPL(sock_zerocopy_callback);
 void sock_zerocopy_put(struct ubuf_info *uarg)
 {
        if (uarg && atomic_dec_and_test(&uarg->refcnt)) {
-               mm_unaccount_pinned_pages(&uarg->mmp);
-
                if (uarg->callback)
                        uarg->callback(uarg, uarg->zerocopy);
                else
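Review bot: dropping the unconditional mm_unaccount_pinned_pages from sock_zerocopy_put means the generic release path no longer touches uarg->mmp at all, which is what fixes the vhost-net panic on a ubuf_info that never initialized that field; the trade-off is that releasing the pinned-page charge is now entirely the callback's responsibility, and any other callback reached via uarg->callback(uarg, uarg->zerocopy) must not expect it to happen here. A short comment next to the uarg->callback dispatch noting that page accounting belongs to the allocator's own callback would make that contract visible in the code rather than only in the changelog.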