Re: [PATCH net] net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer

Next message: SeongJae Park: "Re: [PATCH] mm/damon/core: avoid use of half-online-committed context"
Previous message: syzbot: "Forwarded: [PATCH] ntfs3: fix memory leak in indx_insert_into_root()"
In reply to: Qi Tang: "[PATCH net] net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+netdevbpf

Date: Fri Mar 20 2026 - 22:10:55 EST

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@xxxxxxxxxx>:

On Wed, 18 Mar 2026 14:48:47 +0800 you wrote:
> smc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores
> the pointer in pipe_buffer.private. The pipe_buf_operations for these
> buffers used .get = generic_pipe_buf_get, which only increments the page
> reference count when tee(2) duplicates a pipe buffer. The smc_spd_priv
> pointer itself was not handled, so after tee() both the original and the
> cloned pipe_buffer share the same smc_spd_priv *.
>
> [...]

Here is the summary with links:
- [net] net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
https://git.kernel.org/netdev/net/c/24dd586bb4cb

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html