From: Cong Wang <cong.wang@xxxxxxxxxxxxx>

With ->read_skb() now we have an entire skb dequeued from the receive queue, now we just need to grab an additional refcnt before passing its ownership to recv actors.

And we should not touch them any more, particularly for skb->sk. Fortunately, skb->sk is already set for most of the protocols except UDP where skb->sk has been stolen, so we have to fix it up for the UDP case.

Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
Cc: John Fastabend <john.fastabend@xxxxxxxxx>
Cc: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
Cc: Jakub Sitnicki <jakub@xxxxxxxxxxxxxx>
Signed-off-by: Cong Wang <cong.wang@xxxxxxxxxxxxx>
---
 net/core/skmsg.c | 7 +------
 net/ipv4/udp.c | 1 +
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/net/core/skmsg.c b/net/core/skmsg.c index 50405e3eda88..3ff86d73672c 100644 --- a/net/core/skmsg.c +++ b/net/core/skmsg.c @@ -1166,10 +1166,7 @@ static int sk_psock_verdict_recv(struct sock *sk, struct sk_buff *skb) int ret = __SK_DROP; int len = skb->len; - /* clone here so sk_eat_skb() in tcp_read_sock does not drop our data */ - skb = skb_clone(skb, GFP_ATOMIC); - if (!skb) - return 0; + skb_get(skb); rcu_read_lock(); psock = sk_psock(sk); @@ -1182,12 +1179,10 @@ static int sk_psock_verdict_recv(struct sock *sk, struct sk_buff *skb) if (!prog) prog = READ_ONCE(psock->progs.skb_verdict); if (likely(prog)) { - skb->sk = sk; skb_dst_drop(skb); skb_bpf_redirect_clear(skb); ret = bpf_prog_run_pin_on_cpu(prog, skb); ret = sk_psock_map_verd(ret, skb_bpf_redirect_fetch(skb)); - skb->sk = NULL; } if (sk_psock_verdict_apply(psock, skb, ret) < 0) len = 0; diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index b8cfa0c3de59..71c2c147f2d0 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1817,6 +1817,7 @@ int udp_read_skb(struct sock *sk, skb_read_actor_t recv_actor) continue; } + WARN_ON(!skb_set_owner_sk_safe(skb, sk)); used = recv_actor(sk, skb); if (used <= 0) { if (!copied) -- 2.32.0
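Review bot: The `skb_get(skb)` line in the first net/core/skmsg.c hunk (@@ -1166) takes a shared reference where the old code made a private clone, and the comment that documented the lifetime was deleted along with the clone without a replacement. The function still goes on to call `skb_dst_drop(skb)` and `skb_bpf_redirect_clear(skb)` on what is now the same buffer the caller holds, so the safety of this depends entirely on the caller never reading or writing the skb again after the actor returns. Please add a short comment at `skb_get(skb)` saying which side drops which reference and that every ->read_skb() caller must only release its own reference afterwards, so a later change to a caller does not quietly turn this into a use-after-free or a double free.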
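Review bot: Removing `skb->sk = sk;` in the second net/core/skmsg.c hunk (@@ -1182) means `bpf_prog_run_pin_on_cpu(prog, skb)` now trusts whatever skb->sk the protocol left on the buffer, while the commit message only says it is set for "most of the protocols". sk_psock_verdict_recv() is shared by every ->read_skb() implementation, so please list in the commit message which ones were checked, and consider a `WARN_ON_ONCE(skb->sk != sk)` ahead of the program run so a protocol that hands over an unowned skb is caught instead of running the verdict program with a NULL or stale socket. Dropping `skb->sk = NULL;` also means `sk_psock_verdict_apply(psock, skb, ret)` now receives an skb that still carries an owner; it would help to state that the apply and redirect paths were checked for that case.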
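Review bot: In the net/ipv4/udp.c hunk (@@ -1817), `WARN_ON(!skb_set_owner_sk_safe(skb, sk));` reports a failed ownership fix-up but does not act on it, so `recv_actor(sk, skb)` on the next line still runs with skb->sk unset, which is the exact state this patch says the actor can no longer tolerate. Handle the failure explicitly, for example by freeing the skb and continuing as the branch just above does, rather than only warning. Since this sits on a per-packet path, WARN_ON_ONCE would also be preferable to WARN_ON to avoid log flooding and to be less disruptive on systems running with panic_on_warn, and calling the helper outside the macro would make the side effect (the owner change) easier to see when reading the code.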