On 5/15/23 10:06 AM, Pavel Begunkov wrote:
> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> index 40f591f7fce1..3d18e295bb2f 100644
> --- a/net/ipv4/tcp.c
> +++ b/net/ipv4/tcp.c
> @@ -1231,7 +1231,6 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size)
> if ((flags & MSG_ZEROCOPY) && size) {
> if (msg->msg_ubuf) {
> uarg = msg->msg_ubuf;
> - net_zcopy_get(uarg);
> zc = sk->sk_route_caps & NETIF_F_SG;
> } else if (sock_flag(sk, SOCK_ZEROCOPY)) {
> skb = tcp_write_queue_tail(sk);
> @@ -1458,7 +1457,9 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size)
> tcp_push(sk, flags, mss_now, tp->nonagle, size_goal);
> }
> out_nopush:
> - net_zcopy_put(uarg);
> + /* msg->msg_ubuf is pinned by the caller so we don't take extra refs */
> + if (uarg && !msg->msg_ubuf)
> + net_zcopy_put(uarg);
> return copied + copied_syn;
>
> do_error:
> @@ -1467,7 +1468,9 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size)
> if (copied + copied_syn)
> goto out;
> out_err:
> - net_zcopy_put_abort(uarg, true);
> + /* msg->msg_ubuf is pinned by the caller so we don't take extra refs */
> + if (uarg && !msg->msg_ubuf)
> + net_zcopy_put_abort(uarg, true);
> err = sk_stream_error(sk, flags, err);
> /* make sure we wake any epoll edge trigger waiter */
> if (unlikely(tcp_rtx_and_write_queues_empty(sk) && err == -EAGAIN)) {

Both net_zcopy_put_abort and net_zcopy_put have an `if (uarg)` check.
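Review bot: The `!msg->msg_ubuf` test at out_nopush, repeated at out_err, makes the lifetime of uarg depend entirely on the caller holding its own reference for the whole of tcp_sendmsg_locked, and that contract is only stated in two exit-path comments. With the net_zcopy_get() removed in the first hunk, a caller that sets msg->msg_ubuf and drops its reference before this function returns would presumably leave uarg dangling on these paths; whether every such caller holds the reference that long is not visible here. I would state the requirement once where the pointer is taken, next to `uarg = msg->msg_ubuf;`, for example `/* caller must hold a reference on msg->msg_ubuf until we return; none is taken or dropped here */`, and have the exit comments refer to it. The body of tcp_sendmsg_locked starts and ends outside these hunks, so any skb-level references taken in the send loop are not covered by this note.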