From cb4e2983ca75e18e9513c0d31756b5b28f6d6cea Mon Sep 17 00:00:00 2001
From: Petr Vyazovik
Date: Fri, 11 Nov 2022 19:17:56 +0400
Subject: [PATCH] fw/cache: Do not take an additional reference on paged sk_buff fragment while copying http/2 response body

Taking additional reference on paged sk_buff fragment is not needed when building http/2 response body because each fragment is represented by newly allocated page with page->_refcount == 1. Extra page reference would result in memory leak during sk_buff freeing because of non-zero page->_refcount, so final __put_page() would not be called. For http/1 responses we still need an additional page reference due to the fact that the page in question has actually been allocated previously by TDB (see tdb_file_open()). Missing an additional reference here would lead to TDB owned pages freeing by kfree_skb(), which in turn would cause memory corruption.

Signed-off-by: Petr Vyazovik
---
 fw/cache.c | 3 ++-
 fw/http.c | 1 -
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fw/cache.c b/fw/cache.c
index 9792d7c77..266881bc8 100644
--- a/fw/cache.c
+++ b/fw/cache.c
@@ -2251,7 +2251,8 @@ tfw_cache_add_body_page(TfwMsgIter *it, char *p, int sz, TfwFrameHdr *frame_hdr,
 ++it->frag;
 skb_fill_page_desc(it->skb, it->frag, page, off, sz);
- skb_frag_ref(it->skb, it->frag);
+ if (!h2)
+ skb_frag_ref(it->skb, it->frag);
 ss_skb_adjust_data_len(it->skb, sz);
 return 0;
diff --git a/fw/http.c b/fw/http.c
index 09756b656..b9a8767d6 100644
--- a/fw/http.c
+++ b/fw/http.c
@@ -4807,7 +4807,6 @@ tfw_h2_append_predefined_body(TfwHttpResp *resp, unsigned int stream_id,
 ++it->frag;
 skb_fill_page_desc(it->skb, it->frag, page, 0, copy + FRAME_HEADER_SIZE);
- skb_frag_ref(it->skb, it->frag);
 ss_skb_adjust_data_len(it->skb, copy + FRAME_HEADER_SIZE);
 if (it->frag + 1 == MAX_SKB_FRAGS
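Review bot: The new `if (!h2)` guard in tfw_cache_add_body_page (fw/cache.c) carries a page-ownership rule that is written down only in the commit message, so the branch itself should be commented. Something like `/* http/1: page is owned by TDB, take our own ref; h2: page was allocated for this skb (refcount 1), a second ref would leak it. */` directly above the `if` would do. Per the commit message, getting this wrong in one direction leaks pages and in the other lets kfree_skb() free TDB-owned memory, so the invariant belongs next to the code. Neither the declaration of `h2` nor the place where `page` is obtained is visible here (the function body starts before the hunk), so it is worth confirming that `h2` always matches how `page` was allocated.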