Willem de Bruijn <willemdebruijn.ker...@gmail.com> wrote: >On Thu, Aug 6, 2020 at 1:48 PM linmiaohe <linmia...@huawei.com> wrote: >> >> From: Miaohe Lin <linmia...@huawei.com> >> >> We could be trapped in deadloop when we try to copy userspace skb >> frags buffers to kernel with a cloned skb: > >> Catch this unexpected case and return -EINVAL in skb_orphan_frags() >> before we call skb_copy_ubufs() to fix it. > >Is this a hypothetical codepath? > >skb zerocopy carefully tracks clone calls where necessary. See the call to >skb_orphan_frags in skb_clone, and the implementation of that callee. > >The only caller of skb zerocopy with nouarg is tpacket_fill_skb, as of commit >5cd8d46ea156 ("packet: copy user buffers before orphan or clone"). > >As the commit subject indicates, this sets skb_zcopy_set_nouarg exactly to be >sure that any clone will trigger a copy of "zerocopy" >user data to private kernel memory. > >No clone must happen between alloc_skb and skb_zcopy_set_nouarg, indeed. But >AFAIK, none exists.
Many thanks for your reply and explaination. As you say, this is a hypothetical codepath. This would not be triggerd normally. I catch this suspicious patch just in case.