Message ID | 20200813121310.23016-1-linmiaohe@huawei.com |
---|---|
State | Rejected |
Delegated to: | David Miller |
Series | net: add missing skb_uarg refcount increment in pskb_carve_inside_header() |

On Thu, Aug 13, 2020 at 2:16 PM Miaohe Lin <linmiaohe@huawei.com> wrote:
>
> If the skb is zcopied, we should increase the skb_uarg refcount before we
> involve skb_release_data(). See pskb_expand_head() as a reference.

Did you manage to observe a bug through this datapath in practice?

pskb_carve_inside_header is called from pskb_carve
  from pskb_extract
  from rds_tcp_data_recv

That receive path should not see any packets with zerocopy state associated.

> Fixes: 6fa01ccd8830 ("skbuff: Add pskb_extract() helper function")
> Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>

diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 475f9aa51b57..975600558e8b 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -5842,6 +5842,8 @@ static int pskb_carve_inside_header(struct sk_buff *skb, const u32 off, kfree(data); return -ENOMEM; } + if (skb_zcopy(skb)) + refcount_inc(&skb_uarg(skb)->refcnt); for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) skb_frag_ref(skb, i); if (skb_has_frag_list(skb))
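
Review bot: the two added lines in pskb_carve_inside_header() take the reference with a bare refcount_inc(&skb_uarg(skb)->refcnt) and no comment, and the commit message does not say how a zerocopy skb reaches this function. The only call chain named in this thread is pskb_carve from pskb_extract from rds_tcp_data_recv, so the message should either describe a path on which skb_zcopy(skb) is true here, or present the change as consistency with pskb_expand_head() and reconsider the Fixes: tag. A one-line comment above the check, saying that the reference is taken ahead of skb_release_data() in the same way as the skb_frag_ref() loop that follows, would make the pairing easier to audit.
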
If the skb is zcopied, we should increase the skb_uarg refcount before we
involve skb_release_data(). See pskb_expand_head() as a reference.

Fixes: 6fa01ccd8830 ("skbuff: Add pskb_extract() helper function")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
---
 net/core/skbuff.c | 2 ++
 1 file changed, 2 insertions(+)