From: Willem de Bruijn <willemdebruijn.ker...@gmail.com>
Date: Thu, 30 May 2019 18:01:21 -0400
> From: Willem de Bruijn <will...@google.com>
>
> TCP zerocopy takes a uarg reference for every skb, plus one for the
> tcp_sendmsg_locked datapath temporarily, to avoid reaching refcnt zero
> as it builds, sends and frees skbs inside its inner loop.
>
> UDP and RAW zerocopy do not send inside the inner loop so do not need
> the extra sock_zerocopy_get + sock_zerocopy_put pair. Commit
> 52900d22288ed ("udp: elide zerocopy operation in hot path") introduced
> extra_uref to pass the initial reference taken in sock_zerocopy_alloc
> to the first generated skb.
>
> But, sock_zerocopy_realloc takes this extra reference at the start of
> every call. With MSG_MORE, no new skb may be generated to attach the
> extra_uref to, so refcnt is incorrectly 2 with only one skb.
>
> Do not take the extra ref if uarg && !tcp, which implies MSG_MORE.
> Update extra_uref accordingly.
>
> This conditional assignment triggers a false positive may be used
> uninitialized warning, so have to initialize extra_uref at define.
>
> Changes v1->v2: fix typo in Fixes SHA1
>
> Fixes: 52900d22288e7 ("udp: elide zerocopy operation in hot path")
> Reported-by: syzbot <syzkal...@googlegroups.com>
> Diagnosed-by: Eric Dumazet <eduma...@google.com>
> Signed-off-by: Willem de Bruijn <will...@google.com>

Applied and queued up for -stable, thanks.
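The reference flow described in the quoted changelog, as a simplified C model added here for illustration (it is not kernel code and not the patch itself; the helper names echo the kernel's, but their bodies, the `fixed` switch and the `refcnt_after_msg_more` driver are assumptions):

```c
#include <stdbool.h>
#include <stddef.h>
/* Simplified model of the uarg reference flow (assumption: not kernel code). */
struct ubuf_info { int refcnt; };
struct skb { struct ubuf_info *uarg; };

static void sock_zerocopy_get(struct ubuf_info *u) { u->refcnt++; }

/* Extend an existing uarg, or allocate one with the single initial reference
 * that the append path hands to the first skb via extra_uref. Pre-fix the
 * extend path always took another ref; post-fix only TCP does, since only
 * TCP is guaranteed to generate a new skb to attach that ref to. */
static struct ubuf_info *sock_zerocopy_realloc(struct ubuf_info *pool,
		struct ubuf_info *uarg, bool tcp, bool fixed)
{
	if (!uarg) { pool->refcnt = 1; return pool; }
	if (tcp || !fixed)
		sock_zerocopy_get(uarg);
	return uarg;
}

/* Attach uarg to a fresh skb, consuming the caller's spare ref if it has one. */
static void skb_zcopy_set(struct skb *skb, struct ubuf_info *uarg, bool *have_ref)
{
	if (*have_ref)
		*have_ref = false;
	else
		sock_zerocopy_get(uarg);
	skb->uarg = uarg;
}

/* One UDP sendmsg(MSG_ZEROCOPY) through the append path. tail is the skb a
 * previous MSG_MORE send left behind (NULL on the first send); new_skb is
 * false when the data merely appends to tail and no fresh skb is generated. */
static int ip_append_data(struct skb *tail, struct skb *fresh,
		struct ubuf_info *pool, bool new_skb, bool fixed)
{
	struct ubuf_info *uarg = sock_zerocopy_realloc(pool,
			tail ? tail->uarg : NULL, false, fixed);
	bool extra_uref = fixed ? !(tail && tail->uarg) : true; /* only ref on new uarg */
	if (new_skb)
		skb_zcopy_set(fresh, uarg, &extra_uref);
	return uarg->refcnt;
}

/* Two MSG_MORE sends that land in a single skb; returns the final refcnt. */
static int refcnt_after_msg_more(bool fixed)
{
	struct ubuf_info pool; struct skb skb1 = { NULL };
	ip_append_data(NULL, &skb1, &pool, true, fixed);         /* first send: new skb */
	return ip_append_data(&skb1, NULL, &pool, false, fixed); /* append: no new skb */
}
```

With `fixed` false the model reproduces the reported state (refcnt 2 with one skb); with `fixed` true the count matches the single skb.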