git.ipfire.org Git - thirdparty/linux.git/commit

author	Pavel Begunkov <asml.silence@gmail.com>
	Thu, 28 May 2026 18:43:53 +0000 (19:43 +0100)
committer	Jakub Kicinski <kuba@kernel.org>
	Fri, 29 May 2026 19:55:27 +0000 (12:55 -0700)
commit	ff6e798c2eac3ebd0501ad7e796f583fab928de8
tree	d3a7c5c004e21d60fe354db604d20e7d1e3f4f32	tree \| snapshot
parent	9c7da87c2dc860bb17ca1ece942495d28b1ce3b9	commit \| diff

net: skbuff: fix pskb_carve leaking zcopy pages

When SKBFL_MANAGED_FRAG_REFS is set, frag pages are not refcounted but
their lifetime is controlled by the attached ubuf_info. To make a copy
of the skb_shared_info, we either should clear the flag and reference
the frags, or keep the flag and have frags unreferenced.

pskb_carve_inside_header() and pskb_carve_inside_nonlinear() don't
follow the rule and thus can leak page references. Let's clear
SKBFL_MANAGED_FRAG_REFS from the original skb to fix it. It's the
simplest way to address it, but there are more performant ways to do
that if it ever becomes a problem.

Link: https://lore.kernel.org/all/20260523085809.26331-1-nvminh232@clc.fitus.edu.vn/
Fixes: 753f1ca4e1e50 ("net: introduce managed frags infrastructure")
Reported-by: Minh Nguyen <minhnguyen.080505@gmail.com>
Reported-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/1e2086aa69217d7f9c8da3d38f5be7160f1b4cd1.1779993185.git.asml.silence@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>