Commit 3bdd5ee0 authored Jun 09, 2021 by Willem de Bruijn Committed by David S. Miller Jun 10, 2021

skbuff: fix incorrect msg_zerocopy copy notifications



msg_zerocopy signals if a send operation required copying with a flag
in serr->ee.ee_code.

This field can be incorrect as of the below commit, as a result of
both structs uarg and serr pointing into the same skb->cb[].

uarg->zerocopy must be read before skb->cb[] is reinitialized to hold
serr. Similar to other fields len, hi and lo, use a local variable to
temporarily hold the value.

This was not a problem before, when the value was passed as a function
argument.

Fixes: 75518851 ("skbuff: Push status and refcounts into sock_zerocopy_callback")
Reported-by: Talal Ahmad <talalahmad@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 388fa7f1

net/core/skbuff.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -1253,6 +1253,7 @@ static void __msg_zerocopy_callback(struct ubuf_info *uarg)
		struct sock *sk = skb->sk;
		struct sk_buff_head *q;
		unsigned long flags;
		bool is_zerocopy;
		u32 lo, hi;
		u16 len;

		@@ -1267,6 +1268,7 @@ static void __msg_zerocopy_callback(struct ubuf_info *uarg)
		len = uarg->len;
		lo = uarg->id;
		hi = uarg->id + len - 1;
		is_zerocopy = uarg->zerocopy;

		serr = SKB_EXT_ERR(skb);
		memset(serr, 0, sizeof(*serr));
		@@ -1274,7 +1276,7 @@ static void __msg_zerocopy_callback(struct ubuf_info *uarg)
		serr->ee.ee_origin = SO_EE_ORIGIN_ZEROCOPY;
		serr->ee.ee_data = hi;
		serr->ee.ee_info = lo;
		if (!uarg->zerocopy)
		if (!is_zerocopy)
		serr->ee.ee_code \|= SO_EE_CODE_ZEROCOPY_COPIED;

		q = &sk->sk_error_queue;