socket: move frame creation after memory check in quic_sendmsg

It is better to create frames only after checking memory availability to
avoid freeing a frame if the memory check fails. This patch updates the
code accordingly for both handshake and datagram message sending.

Since handshake data may be fragmented into multiple messages, it must
first use len = 1 to check the wspace and calculate msg_len with wspace
considered in quic_frame_crypto_create(), then perform a second wmem
check after frame creation with the real msg_len, similar as what it
does for stream data.

Meanwhile, duplicate code in quic_frame_crypto_create() is removed.

Reported-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Xin Long <lucien.xin@gmail.com>

Author: lxin

modules/net/quic/frame.c

@@ -342,7 +342,7 @@ static struct quic_frame *quic_frame_handshake_done_create(struct sock *sk, void
 
 static struct quic_frame *quic_frame_crypto_create(struct sock *sk, void *data, u8 type)
 {
-	u32 msg_len, max_frame_len, hlen = 1;
+	u32 msg_len, max_frame_len, wspace, hlen = 1;
 	struct quic_msginfo *info = data;
 	struct quic_crypto *crypto;
 	struct quic_frame *frame;
@@ -352,35 +352,13 @@ static struct quic_frame *quic_frame_crypto_create(struct sock *sk, void *data,
 	max_frame_len = quic_packet_max_payload(quic_packet(sk));
 	crypto = quic_crypto(sk, info->level);
 	msg_len = iov_iter_count(info->msg);
-
-	if (!info->level) {
-		offset = 0;
-		hlen += quic_var_len(offset);
-		hlen += quic_var_len(max_frame_len);
-		if (msg_len > max_frame_len - hlen)
-			return NULL;
-
-		frame = quic_frame_alloc(msg_len + hlen, NULL, GFP_ATOMIC);
-		if (!frame)
-			return NULL;
-		p = quic_put_var(frame->data, type);
-		p = quic_put_var(p, offset);
-		p = quic_put_var(p, msg_len);
-		if (!quic_frame_copy_from_iter_full(p, msg_len, info->msg)) {
-			quic_frame_put(frame);
-			return NULL;
-		}
-		p += msg_len;
-		frame->bytes = (u16)msg_len;
-		frame->len = (u16)(p - frame->data);
-		frame->size = frame->len;
-
-		return frame;
-	}
+	wspace = sk_stream_wspace(sk);
 
 	offset = quic_crypto_send_offset(crypto);
 	hlen += quic_var_len(offset);
 	hlen += quic_var_len(max_frame_len);
+	if (msg_len > wspace)
+		msg_len = wspace;
 	if (msg_len > max_frame_len - hlen)
 		msg_len = max_frame_len - hlen;
 

modules/net/quic/socket.c

@@ -727,31 +727,36 @@ static int quic_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
 		msginfo.level = hinfo.crypto_level;
 		msginfo.msg = &msg->msg_iter;
 		while (iov_iter_count(&msg->msg_iter) > 0) {
-			frame = quic_frame_create(sk, QUIC_FRAME_CRYPTO, &msginfo);
-			if (!frame) {
-				if (!bytes) {
-					err = -ENOMEM;
-					goto err;
-				}
-				goto out;
-			}
-			len = frame->bytes;
 			if (sk_stream_wspace(sk) < len || !sk_wmem_schedule(sk, len)) {
 				if (delay) {
 					quic_outq_set_force_delay(outq, 0);
 					quic_outq_transmit(sk);
 				}
 				err = quic_wait_for_send(sk, flags, len);
 				if (err) {
-					quic_frame_put(frame);
 					if (err == -EPIPE || !bytes)
 						goto err;
 					goto out;
 				}
 			}
+			frame = quic_frame_create(sk, QUIC_FRAME_CRYPTO, &msginfo);
+			if (!frame) {
+				if (!bytes) {
+					err = -ENOMEM;
+					goto err;
+				}
+				goto out;
+			}
+			len = frame->bytes;
+			if (!sk_wmem_schedule(sk, len)) {
+				iov_iter_revert(msginfo.msg, len);
+				quic_frame_put(frame);
+				continue;
+			}
 			bytes += frame->bytes;
 			quic_outq_set_force_delay(outq, delay);
 			quic_outq_ctrl_tail(sk, frame, delay);
+			len = 1;
 		}
 		goto out;
 	}
@@ -766,19 +771,19 @@ static int quic_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
 			err = -EINVAL;
 			goto err;
 		}
-		frame = quic_frame_create(sk, QUIC_FRAME_DATAGRAM_LEN, &msg->msg_iter);
-		if (!frame) {
-			err = -EINVAL;
-			goto err;
-		}
-		len = frame->bytes;
+		len = iov_iter_count(&msg->msg_iter);
 		if (sk_stream_wspace(sk) < len || !sk_wmem_schedule(sk, len)) {
 			err = quic_wait_for_send(sk, flags, len);
 			if (err) {
 				quic_frame_put(frame);
 				goto err;
 			}
 		}
+		frame = quic_frame_create(sk, QUIC_FRAME_DATAGRAM_LEN, &msg->msg_iter);
+		if (!frame) {
+			err = -EINVAL;
+			goto err;
+		}
 		bytes += frame->bytes;
 		quic_outq_set_force_delay(outq, delay);
 		quic_outq_dgram_tail(sk, frame, delay);