Re: [PATCH net] net: skbuff: fix missing zerocopy reference in pskb_carve helpers

Next message: Lance Yang: "Re: [PATCH] docs/mm: fix spelling mistakes in memory management docs"
Previous message: syzbot: "[syzbot] [block?] possible deadlock in bdev_release (2)"
Next in thread: Willem de Bruijn: "Re: [PATCH net] net: skbuff: fix missing zerocopy reference in pskb_carve helpers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Willem de Bruijn

Date: Sun May 24 2026 - 09:37:43 EST

lazyming wrote:
> pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy
> the old skb_shared_info header into a new buffer via memcpy(), which
> includes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.

These functions are not supposed to maintain zerocopy frags.

Both call skb_orphan_frags.

I think what may need to happen is to invert the order of that call
and the memcpy. Current code:

memcpy((struct skb_shared_info *)(data + size),
skb_shinfo(skb), offsetof(struct skb_shared_info, frags[0]));
if (skb_orphan_frags(skb, gfp_mask)) {
skb_kfree_head(data);
return -ENOMEM;
}

> Neither function calls net_zcopy_get() for the new shinfo, creating an
> unaccounted holder: every skb_shared_info with destructor_arg set will
> call skb_zcopy_clear() once when freed, but the corresponding
> net_zcopy_get() was never called for the new copy. Repeated calls
> drive uarg->refcnt to zero prematurely, freeing ubuf_info_msgzc while
> TX skbs still hold live destructor_arg pointers.