Re: [PATCH net v2] net: skbuff: fix missing zerocopy reference in pskb_carve helpers

Next message: Jakub Kicinski: "Re: [PATCH] net: shaper: use kfree_rcu() in net_shaper_flush()"
Previous message: Farhad Alemi: "[BUG] lib/bitmap: divide error in bitmap_fold() when sz argument is 0"
In reply to: patchwork-bot+netdevbpf: "Re: [PATCH net v2] net: skbuff: fix missing zerocopy reference in pskb_carve helpers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pavel Begunkov

Date: Thu May 28 2026 - 14:32:46 EST

On 5/26/26 05:12, lazyming wrote:

From: Minh Nguyen <minhnguyen.080505@xxxxxxxxx>

pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy
the old skb_shared_info header into a new buffer via memcpy(), which
includes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.
Neither function calls net_zcopy_get() for the new shinfo, creating an
unaccounted holder: every skb_shared_info with destructor_arg set will
call skb_zcopy_clear() once when freed, but the corresponding
net_zcopy_get() was never called for the new copy. Repeated calls
drive uarg->refcnt to zero prematurely, freeing ubuf_info_msgzc while
TX skbs still hold live destructor_arg pointers.

A bit late but lgtm

Reviewed-by: Pavel Begunkov <asml.silence@xxxxxxxxx>

--
Pavel Begunkov