From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-yx1-f54.google.com (mail-yx1-f54.google.com [74.125.224.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0B372396B68 for ; Sun, 24 May 2026 13:37:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.224.54 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779629848; cv=none; b=Uz5IJmeByk3DioQIoDb7lras15Mw3x5R+rXilxwjKjnyPJMgs6Ta8A3HVhZNifrJPa5yT74RBFp+TdwOKOGoUjp6PIj2CMhcpRqH0Rrkj9/TIE2FvxmsY2hodCialTiRKgZehBBXT9GBDVl9SEZrPL8YmQ1Y59bvgw0uxWFg4Ko= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779629848; c=relaxed/simple; bh=P7flB7wlJlTemBMOJ1CJhIGMof7wEnYxAdHRWvkO2pE=; h=Date:From:To:Cc:Message-ID:In-Reply-To:References:Subject: Mime-Version:Content-Type; b=j1dcKkd45/eyYBiEZ0wdZKc5BJoOmKhd5rBnKiuWUAz9LywbwipYUY0Uqw7QmUlJhUxTCZp4bbSpa6cx81kYpYWNmdjByIz8tH/6AVukAFZ98EG4S8X9fBniE3tHNDESJAlZjlsXHb0FP0cTV5lc8KM0Ev4JH5VU+NFeP4kGwRE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=djlXhBzD; arc=none smtp.client-ip=74.125.224.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="djlXhBzD" Received: by mail-yx1-f54.google.com with SMTP id 956f58d0204a3-65c2cd216c9so7343569d50.3 for ; Sun, 24 May 2026 06:37:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779629846; x=1780234646; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:subject:references :in-reply-to:message-id:cc:to:from:date:from:to:cc:subject:date :message-id:reply-to; bh=5YzZR/UW8yRfScwxVy4k+9Cx7IebnzhqtMNHTkpEuco=; b=djlXhBzDweCzyq4p7iDDi1cLfxZyGhDt1ZNBnvkn+i8WQa1UVt6N9w9M1Y86PTYwxC GLznfND7Jq/u35m69RY520XAg25CrHu/d4RG5rbIJWnShGT2V2prC10is7aq6K26OxjT GFV4adNaVtfcKk4Urz4yCJF0Gswyk3PQ5fT70vUygD6/wOEzbC/2ePFM3K+3VIRRksq8 218A8S2lr/PyGGQOTo8OAqOmyX/D69DzgREWRmgluI8Nnv+754FpXp8GRX+HgnDsRH3u xeZCQXFVuZCNQlKfcl6nybchf6/qzh2aGnlKUyEfQYMyhrvxG2kd2xdERuviZS7mKs7d GL1A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779629846; x=1780234646; h=content-transfer-encoding:mime-version:subject:references :in-reply-to:message-id:cc:to:from:date:x-gm-gg:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=5YzZR/UW8yRfScwxVy4k+9Cx7IebnzhqtMNHTkpEuco=; b=T/CELe4QEyKFD5lx6BEastlzuvzDhzEoSjH2wnQocwa2B9nkKlwTTF8oDFVm8gR3pn 7oi9FkKJFqRJweaqu/WHuZuK6NA1qNCo/aYTtMtqC5fyeyNtOmS1V68Ikkkx1ZTp5CCK TqKn2M6Txg2a0RLqkDB+rFdY92CFIeb9AYZfOD71S73+ogQhhM1xCwpxGKih2doiHTru aZZ99S3GXsTMIPDt4ziWLOl33H9KZLBtRv5xYeZesVYBqKUz/rpULvYrncBUyC31H1CT 26QLIAQqVx44K04rExmwjpZNkFM+OGgTfSOtD2ZKzrI5izS+fMZpWPe8h39LHUqaD2F1 +0ww== X-Forwarded-Encrypted: i=1; AFNElJ8EkX0NDETDv2rsemo6Ie4aMUvrjnep8LEtLMllsA87HVYODUiAFnH8j/Zeizz/WodTTBygmh4=@vger.kernel.org X-Gm-Message-State: AOJu0YxkkCdvJqZqY0b6rRAkFFlCECRoKCHXYT6V1oS88tINTFeYxxxk 3EXpgJO833j01pUukFrl83uqHITVBzWzp7k+BlNrKUZd7qYvl8aK+DYz X-Gm-Gg: Acq92OGfuwWiif4fxy2xARpeINPbdGlcZbExsZduXaXeu+Dna0PBSjSplr8Wu6GHOmx L6JBcdlpTdsjEMLY1xr41jHHPduIX5trHHJZrzmZiEhjXU5UuIBB9qMkKTSqrxgpN1QnUtkYiPU lf9FW8du53hXPACWbjdvJAXm1HDUTOZxUCMzt0fELgf8JXcJliSe/KpG4/P5ycBV3Jc1EL+RS2N CwXu3vTq9EcvEdAPTPg7bmJpSH1dGGV4f3e8vmr8MmtY0LfSecawvDt586hxJ1gHHKBuINq+5/X Z8hN81lJclB+gj6R+VaxdbSMxG9kfub6wqf8ic4L/uUc6V9NATTk54msL6qsdDBcnVWT3YgnUXH 1HJvjdk3PyMaLtCc+W79QkwzaA+Sn2ZQ/67V0Hbi7fFg+bAu7J/++9uDkqqZMNnmxCocW8SHN4A wlupzcigFWg8l9oTWi9WhbCEd1IeIkdcYDpfDqEa/q7EIbmktShNjIoUNvMpT0wSoRwQjELTJH4 8T196I= X-Received: by 2002:a53:c04e:0:20b0:65c:65aa:df7c with SMTP id 956f58d0204a3-65ec98ea7d8mr8460898d50.33.1779629845849; Sun, 24 May 2026 06:37:25 -0700 (PDT) Received: from gmail.com (141.139.145.34.bc.googleusercontent.com. [34.145.139.141]) by smtp.gmail.com with ESMTPSA id 956f58d0204a3-65ecfdf4bd7sm3163017d50.19.2026.05.24.06.37.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 24 May 2026 06:37:24 -0700 (PDT) Date: Sun, 24 May 2026 09:37:24 -0400 From: Willem de Bruijn To: lazyming , netdev@vger.kernel.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, w@1wt.eu, security@kernel.org, linux-kernel@vger.kernel.org, lazyming , stable@vger.kernel.org Message-ID: In-Reply-To: <20260521121628.309924-1-minhnguyen.080505@gmail.com> References: <20260521121628.309924-1-minhnguyen.080505@gmail.com> Subject: Re: [PATCH net] net: skbuff: fix missing zerocopy reference in pskb_carve helpers Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit lazyming wrote: > pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy > the old skb_shared_info header into a new buffer via memcpy(), which > includes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs. These functions are not supposed to maintain zerocopy frags. Both call skb_orphan_frags. I think what may need to happen is to invert the order of that call and the memcpy. Current code: memcpy((struct skb_shared_info *)(data + size), skb_shinfo(skb), offsetof(struct skb_shared_info, frags[0])); if (skb_orphan_frags(skb, gfp_mask)) { skb_kfree_head(data); return -ENOMEM; } > Neither function calls net_zcopy_get() for the new shinfo, creating an > unaccounted holder: every skb_shared_info with destructor_arg set will > call skb_zcopy_clear() once when freed, but the corresponding > net_zcopy_get() was never called for the new copy. Repeated calls > drive uarg->refcnt to zero prematurely, freeing ubuf_info_msgzc while > TX skbs still hold live destructor_arg pointers.