From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-yw1-f173.google.com (mail-yw1-f173.google.com [209.85.128.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C2954387361 for ; Sun, 24 May 2026 14:06:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.173 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779631600; cv=none; b=lCz0yDygi8rKW7UpQ6C6GOGtR/UNIYDyc2nllvD2FUz2k2aTS57fR1MrddqpFcci1n1bXZBkWgxcSVMxHtTGfHjsDofWO9lY2vv+ybt5rMjOV0zv4OjhdB+tu1dh9WF7+EorLFR80H585hWtjXf3ObU3FkpVQS9AhRER39utbAs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779631600; c=relaxed/simple; bh=Qz2+zOV25iTx3zbmTy6kuZTWbglGpfcZeFRXbQSmvZw=; h=Date:From:To:Cc:Message-ID:In-Reply-To:References:Subject: Mime-Version:Content-Type; b=vCPtgolJ8FW6QZ14iHjukMnwQRigqB18yC3hlhjJ8mr4VPT/bb9VVVCdpWWnLqFndSXlZmru/zdP2KxMPKU46vIssaGhgyVAjKjBy7XZhK1Ay1qBdxLKe2zNTi3IDP+Zw7lMjjv3IZIgOltERVTGkyXqiKO1JT1jczo2LnRs+kM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=LvZETZ3/; arc=none smtp.client-ip=209.85.128.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="LvZETZ3/" Received: by mail-yw1-f173.google.com with SMTP id 00721157ae682-7bf0b1a47b1so90183807b3.0 for ; Sun, 24 May 2026 07:06:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779631598; x=1780236398; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:subject:references :in-reply-to:message-id:cc:to:from:date:from:to:cc:subject:date :message-id:reply-to; bh=9CJjJKgtWoyZSysUUsYp4qOxs7/XAlSGmIv7oaAgT08=; b=LvZETZ3/p3MiybOdsZoT9LC4Q5BQyZ/wjr3jbOX0BGh4GwBHBGZfsEYeTu2mKVtWzO asHOcA7L43xWeDlw543bcIXzwRblNTvwErx050fQh+kbtjyBPvpNcWvzDzp8SSFzMg1Y w7B2ExS+6ugPGbkEjKPjG0rbRGOfYCS568dq1gmIX033cxixBI6S2V5s4UgORVSd2vnq 3bfs6LZCJ7sWH7bK0lptkmmSh6evY9anQgx559x3UoAqrnLs78Z4n2bWfD6NjXTUp206 W2dhEO+LJJwEI7exoXP/OuTkh/SPDh1NeaZc9nDLDcGN2uA2RmuVfb/aBP22gm4lr15N 3tjQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779631598; x=1780236398; h=content-transfer-encoding:mime-version:subject:references :in-reply-to:message-id:cc:to:from:date:x-gm-gg:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=9CJjJKgtWoyZSysUUsYp4qOxs7/XAlSGmIv7oaAgT08=; b=VKiKsj7KGgjHEb8slgllCUi41B6vGn3C2aU4DB0wgKimXtT/RvbdPUInJwy1hPued9 zwjUQuAa/O9yi8iGqjL+HZF4YDEQh5okAYwF8uKsMdWyFrZGuhO+w9fEdrRGkskcwbWe a9QgjZKGxm8EAN8JxcvVDdbpAVAUvf3lOPeVFdSMtYSJRlmNYqgE61vpYm4aVEDGKTHp 7BmJSRSyGsbomvevgpsTNo7i8Wch/0RhRw5mbO9crgEhvd2jFvfdsdCKLcedyNVueSJe oXQ6EOjVMEPFwUzuxw5B5+3Va8yHF0yXBONoL7hs408EZU/i0k4RXiLym9FVTzeEDlxs C/FQ== X-Forwarded-Encrypted: i=1; AFNElJ9wsb+++lxJr+SDvbNdEiCl3F6th3JHU4Sl64YqWxVrnhhr7trHVvTxqCWY3HKKTc0bGQmDQR/Q/t3HnwY=@vger.kernel.org X-Gm-Message-State: AOJu0YwqAStE6XeJ4l0HlzH7XiFSqW/aNLpTrDRj/rZ/TI/43VbFH8ce FspJQKjYIQpOgC8k5HnEzfFR4dfcJPp9+KKTZMqLtSz4fVrT0QA6ogNa X-Gm-Gg: Acq92OEZ0EercMqod7Rg5kVJYk4/Q+IHIeY5KmB9PGfycXdF/C0U+pJQs+3xbF68Se7 LvdhsxEmSsV9GsSxZXuHR2jMwPwaFzrFxDKyCzXsdq40Hp8ZYSYm/9Ebhv+nt9fusU2WRw0wfHl OmUKAbCcBzku6gQlxJKsRpMip+FuSY4B7ldzGaXo2N2WaGafkIHFQo+tfuUusoSwFybiHQYaLeC ym/hpyNEgzbp3yzwGp7bErh+nIxB6xkcm0yu+3AzmML1q92ibCgPhW++GRTJ97OWaPiCGCxgt0M /HJa8kbUK6UX1DrC2T3rssukpnlwTkas3iIE2E61fb9vC21r343lPBJL8Ir8JCcCA6F1XTVhZS6 umEnD0LDIOVjMSt9ZEO59gWSZpgdi8IBOfmSdTTCD2IxRmii2fcxeYEAm/iLtvaisQGynnYLpvX ArrJz1XvCrjmqFnkLa/d5+Dlsl9uRFyHRIL8X7S+ez7tEucGnffTYFp6Wi/UJPRsv7TEKmwRLP6 bkPfqA= X-Received: by 2002:a05:690c:4906:b0:7c5:4c4e:a8a5 with SMTP id 00721157ae682-7d336ab0731mr125169907b3.46.1779631597750; Sun, 24 May 2026 07:06:37 -0700 (PDT) Received: from gmail.com (141.139.145.34.bc.googleusercontent.com. [34.145.139.141]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7d38bf2f84esm32902807b3.31.2026.05.24.07.06.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 24 May 2026 07:06:37 -0700 (PDT) Date: Sun, 24 May 2026 10:06:36 -0400 From: Willem de Bruijn To: Willem de Bruijn , lazyming , netdev@vger.kernel.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, w@1wt.eu, security@kernel.org, linux-kernel@vger.kernel.org, lazyming , stable@vger.kernel.org, asml.silence@gmail.com, achender@kernel.org Message-ID: In-Reply-To: References: <20260521121628.309924-1-minhnguyen.080505@gmail.com> Subject: Re: [PATCH net] net: skbuff: fix missing zerocopy reference in pskb_carve helpers Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Willem de Bruijn wrote: > lazyming wrote: > > pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy > > the old skb_shared_info header into a new buffer via memcpy(), which > > includes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs. > > These functions are not supposed to maintain zerocopy frags. > > Both call skb_orphan_frags. > > I think what may need to happen is to invert the order of that call > and the memcpy. Current code: > > memcpy((struct skb_shared_info *)(data + size), > skb_shinfo(skb), offsetof(struct skb_shared_info, frags[0])); > if (skb_orphan_frags(skb, gfp_mask)) { > skb_kfree_head(data); > return -ENOMEM; > } Never mind. This actually corresponds to the first Sashiko report you mentioned: if zerocopy skbs are converted, then the memcpy prior to that call will have stale state. For skbs where skb_orphan_frags does not do a deep copy, we do need to take this extra reference. Reviewed-by: Willem de Bruijn