@@ -1019,7 +1019,9 @@ static int __ip_append_data(struct sock *sk,
uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb));
if (!uarg)
return -ENOBUFS;
- extra_uref = !skb_zcopy(skb); /* only ref on new uarg */
+ /* Only ref on newly allocated uarg. */
+ if (!skb_zcopy(skb) || (sk->sk_type != SOCK_STREAM && skb_zcopy(skb) != uarg))
+ extra_uref = true;
if (rt->dst.dev->features & NETIF_F_SG &&
csummode == CHECKSUM_PARTIAL) {
paged = true;
@@ -1476,7 +1476,9 @@ static int __ip6_append_data(struct sock *sk,
uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb));
if (!uarg)
return -ENOBUFS;
- extra_uref = !skb_zcopy(skb); /* only ref on new uarg */
+ /* Only ref on newly allocated uarg. */
+ if (!skb_zcopy(skb) || (sk->sk_type != SOCK_STREAM && skb_zcopy(skb) != uarg))
+ extra_uref = true;
if (rt->dst.dev->features & NETIF_F_SG &&
csummode == CHECKSUM_PARTIAL) {
paged = true;
The var extra_uref is introduced to pass the initial reference taken in sock_zerocopy_alloc to the first generated skb. But now we may fail to pass the initial reference with newly allocated UDP or RAW uarg when the skb is zcopied. If the skb is zcopied, we always set extra_uref to false. This is fine with reallocted uarg because no extra ref is taken by UDP and RAW zerocopy. But if uarg is newly allocated via sock_zerocopy_alloc(), we lost the initial reference because extra_uref is false and we missed to pass it to the first generated skb. To fix this, we should set extra_uref to true if UDP or RAW uarg is newly allocated when the skb is zcopied. Fixes: 522924b58308 ("net: correct udp zerocopy refcnt also when zerocopy only on append") Signed-off-by: Miaohe Lin <linmiaohe@huawei.com> --- net/ipv4/ip_output.c | 4 +++- net/ipv6/ip6_output.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-)