skbuff: orphan frags before zerocopy clone

Call skb_zerocopy_clone after skb_orphan_frags, to avoid duplicate
calls to skb_uarg(skb)->callback for the same data.

skb_zerocopy_clone associates skb_shinfo(skb)->uarg from frag_skb
with each segment. This is only safe for uargs that do refcounting,
which is those that pass skb_orphan_frags without dropping their
shared frags. For others, skb_orphan_frags drops the user frags and
sets the uarg to NULL, after which sock_zerocopy_clone has no effect.

Qemu hangs were reported due to duplicate vhost_net_zerocopy_callback
calls for the same data causing the vhost_net_ubuf_ref_>refcount to
drop below zero.

Link: http://lkml.kernel.org/r/<CAF=yD-LWyCD4Y0aJ9O0e_CHLR+3JOeKicRRTEVCPxgw4XOcqGQ@mail.gmail.com>
Fixes: 1f8b977ab32d ("sock: enable MSG_ZEROCOPY")
Reported-by: Andreas Hartmann <andihartmann@01019freenet.de>
Reported-by: David Hill <dhill@redhat.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 2 insertions, 2 deletions

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a592ca025fc4..edf40ac0cd07 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3654,8 +3654,6 @@ normal:
 
                 skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags &
                                               SKBTX_SHARED_FRAG;
-                if (skb_zerocopy_clone(nskb, head_skb, GFP_ATOMIC))
-                        goto err;
 
                 while (pos < offset + len) {
                         if (i >= nfrags) {
@@ -3681,6 +3679,8 @@ normal:
 
                         if (unlikely(skb_orphan_frags(frag_skb, GFP_ATOMIC)))
                                 goto err;
+                        if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
+                                goto err;
 
                         *nskb_frag = *frag;
                         __skb_frag_ref(nskb_frag);