From: Willem de Bruijn <[email protected]>
Date: Fri, 7 Jun 2019 17:57:48 -0400

> From: Willem de Bruijn <[email protected]>
>
> The below patch fixes an incorrect zerocopy refcnt increment when
> appending with MSG_MORE to an existing zerocopy udp skb.
>
>   send(.., MSG_ZEROCOPY | MSG_MORE);  // refcnt 1
>   send(.., MSG_ZEROCOPY | MSG_MORE);  // refcnt still 1 (bar frags)
>
> But it missed that zerocopy need not be passed at the first send. The
> right test whether the uarg is newly allocated and thus has extra
> refcnt 1 is not !skb, but !skb_zcopy.
>
>   send(.., MSG_MORE);                 // <no uarg>
>   send(.., MSG_ZEROCOPY);             // refcnt 1
>
> Fixes: 100f6d8e09905 ("net: correct zerocopy refcnt with udp MSG_MORE")
> Reported-by: syzbot <[email protected]>
> Signed-off-by: Willem de Bruijn <[email protected]>

Applied, thanks Willem.
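
The refcount accounting described in the quoted commit message, as an added user-space toy model (not kernel code and not part of the patch). It compares the `!skb` and `!skb_zcopy` tests over the two send sequences above. All struct and function names are hypothetical, and the model assumes a new uarg starts at refcnt 1 and that the first skb to attach it either inherits that initial reference or takes its own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model, not kernel code; all names are hypothetical. */
struct uarg { int refcnt; };
struct skb { struct uarg *zc; };   /* zc stands in for skb_zcopy(skb) */
enum new_uarg_test { NOT_SKB, NOT_SKB_ZCOPY };

/* Model one send() appending to the pending datagram *skbp (NULL if none). */
static void model_send(struct skb **skbp, struct skb *skb_mem,
                       struct uarg *uarg_mem, bool zerocopy, enum new_uarg_test test)
{
    struct skb *skb = *skbp;
    struct uarg *old = skb ? skb->zc : NULL;
    struct uarg *uarg = zerocopy ? old : NULL;
    bool extra_uref = false;
    if (zerocopy && !uarg) {       /* assumption: a new uarg starts at refcnt 1 */
        uarg = uarg_mem;
        uarg->refcnt = 1;
    }
    if (zerocopy)                  /* does the caller think it holds that initial ref? */
        extra_uref = (test == NOT_SKB) ? (skb == NULL) : (old == NULL);
    if (!skb) {
        skb = *skbp = skb_mem;
        skb->zc = NULL;
    }
    if (uarg && !skb->zc) {        /* first attach of a uarg to this skb */
        if (!extra_uref)
            uarg->refcnt++;        /* assumption: else the skb inherits the initial ref */
        skb->zc = uarg;
    }
}

/* refcnt of the uarg after two sends on one corked datagram */
int refcnt_after(bool zc1, bool zc2, enum new_uarg_test test)
{
    struct skb skb_mem, *skb = NULL;
    struct uarg uarg_mem = { 0 };
    model_send(&skb, &skb_mem, &uarg_mem, zc1, test);
    model_send(&skb, &skb_mem, &uarg_mem, zc2, test);
    return uarg_mem.refcnt;
}

int main(void)
{
    printf("MSG_MORE then MSG_ZEROCOPY: !skb -> %d, !skb_zcopy -> %d\n",
           refcnt_after(false, true, NOT_SKB), refcnt_after(false, true, NOT_SKB_ZCOPY));
    return 0;
}
```

In this model a count above 1 with a single skb holding the uarg is a reference that nothing will drop, which is the imbalance the `!skb` test produces in the second sequence.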
