sock: fix zerocopy panic in mem accounting
Only call mm_unaccount_pinned_pages when releasing a struct ubuf_info
that has initialized its field uarg->mmp.
Before this patch, a vhost-net with experimental_zcopytx can crash in
mm_unaccount_pinned_pages
sock_zerocopy_put
skb_zcopy_clear
skb_release_data
Only sock_zerocopy_alloc initializes this field. Move the unaccount
call from generic sock_zerocopy_put to its specific callback
sock_zerocopy_callback.
Fixes: a91dbff551
("sock: ulimit on MSG_ZEROCOPY pages")
Reported-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Родитель
d5e7f827a6
Коммит
ccaffff182
|
@ -1044,6 +1044,8 @@ void sock_zerocopy_callback(struct ubuf_info *uarg, bool success)
|
||||||
u32 lo, hi;
|
u32 lo, hi;
|
||||||
u16 len;
|
u16 len;
|
||||||
|
|
||||||
|
mm_unaccount_pinned_pages(&uarg->mmp);
|
||||||
|
|
||||||
/* if !len, there was only 1 call, and it was aborted
|
/* if !len, there was only 1 call, and it was aborted
|
||||||
* so do not queue a completion notification
|
* so do not queue a completion notification
|
||||||
*/
|
*/
|
||||||
|
@ -1084,8 +1086,6 @@ EXPORT_SYMBOL_GPL(sock_zerocopy_callback);
|
||||||
void sock_zerocopy_put(struct ubuf_info *uarg)
|
void sock_zerocopy_put(struct ubuf_info *uarg)
|
||||||
{
|
{
|
||||||
if (uarg && atomic_dec_and_test(&uarg->refcnt)) {
|
if (uarg && atomic_dec_and_test(&uarg->refcnt)) {
|
||||||
mm_unaccount_pinned_pages(&uarg->mmp);
|
|
||||||
|
|
||||||
if (uarg->callback)
|
if (uarg->callback)
|
||||||
uarg->callback(uarg, uarg->zerocopy);
|
uarg->callback(uarg, uarg->zerocopy);
|
||||||
else
|
else
|
||||||
|
|
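Review bot: The added `mm_unaccount_pinned_pages(&uarg->mmp);` at the top of sock_zerocopy_callback depends on an invariant the code does not state: per the commit message only sock_zerocopy_alloc initializes `uarg->mmp`, so the callback is safe only for ubuf_info objects that came from that allocator. A comment above the call would keep a later refactor from hoisting it back into a generic release path, e.g. `/* mmp is initialized only by sock_zerocopy_alloc(); never unaccount a ubuf_info set up by another owner such as vhost-net */`. The second hunk header shows the callback is exported with EXPORT_SYMBOL_GPL, so it is worth confirming that no other code installs sock_zerocopy_callback on a ubuf_info it built itself, since that would presumably reach the same uninitialized field. The body of sock_zerocopy_callback continues outside the hunk, so whether the call now runs on every exit path cannot be checked from here.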