Re: [PATCH net] net: skbuff: fix missing zerocopy reference in pskb_carve helpers

Next message: Sibi Sankar: "[PATCH V9 2/3] arm64: dts: glymur: Add LPASS macro codecs and pinctrl"
Previous message: Sibi Sankar: "[PATCH V9 3/3] arm64: dts: qcom: glymur-crd: add Audio sound card node"
In reply to: lazyming: "[PATCH net] net: skbuff: fix missing zerocopy reference in pskb_carve helpers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: lazyming

Date: Sat May 23 2026 - 04:58:27 EST

I reviewed the Sashiko AI review of this patch and it raised two
issues worth noting:

1. Stale shinfo after skb_orphan_frags (vhost_net path) -- this can
lead to UAF when skb_zcopy_clear() fires on a destructor_arg that
was already freed by skb_copy_ubufs().

2. SKBFL_MANAGED_FRAG_REFS page ref leak (io_uring path) -- page refs
from skb_frag_ref() are never released because skb_release_data()
skips __skb_frag_unref() when MANAGED_FRAG_REFS is set.

Both are pre-existing bugs in the carve helpers, not introduced by
this patch. This patch only fixes the missing net_zcopy_get() for the
MSG_ZEROCOPY TCP path (SKBFL_ZEROCOPY_ENABLE without SKBFL_SHARED_FRAG),
which is unrelated to either issue above.

Could you re-review this patch? Issue 1 in particular looks genuinely
dangerous and probably deserves a separate fix from someone familiar
with the vhost_net zcopy path.