fw/cache: Do not take an additional reference on paged sk_buff fragment

while copying http/2 response body

Taking additional reference on paged sk_buff fragment is not needed
when building http/2 response body because each fragment is represented
by newly allocated page with page->_refcount == 1. Extra page reference
would result in memory leak during sk_buff freeing because of non-zero
page->_refcount, so final __put_page() would not be called.

For http/1 responses we still need an additional page reference
due to the fact that the page in question has actually been allocated
previously by TDB (see tdb_file_open()). Missing an additional reference
here would lead to TDB owned pages freeing by kfree_skb(), which in turn
would cause memory corruption.

Signed-off-by: Petr Vyazovik <xen@f-m.fm>

Author: s0nx

fw/cache.c

@@ -2251,7 +2251,8 @@ tfw_cache_add_body_page(TfwMsgIter *it, char *p, int sz, TfwFrameHdr *frame_hdr,
 
 	++it->frag;
 	skb_fill_page_desc(it->skb, it->frag, page, off, sz);
-	skb_frag_ref(it->skb, it->frag);
+	if (!h2)
+		skb_frag_ref(it->skb, it->frag);
 	ss_skb_adjust_data_len(it->skb, sz);
 
 	return 0;

fw/http.c

@@ -4807,7 +4807,6 @@ tfw_h2_append_predefined_body(TfwHttpResp *resp, unsigned int stream_id,
 		++it->frag;
 		skb_fill_page_desc(it->skb, it->frag, page, 0,
 				   copy + FRAME_HEADER_SIZE);
-		skb_frag_ref(it->skb, it->frag);
 		ss_skb_adjust_data_len(it->skb, copy + FRAME_HEADER_SIZE);
 
 		if (it->frag + 1 == MAX_SKB_FRAGS