> Thanks for the report, David, and sorry for the breakage.
> I am not able to reproduce the issue with my qemu setup with vhost-net
> with experimental_zcopytx so far.

I did just reproduce the (well, a) panic in sock_zerocopy_put. It is
indeed in the mm_unaccount_pinned_pages code that tests

(gdb) list *(sock_zerocopy_put+0x26)
0xffffffff81620316 is in sock_zerocopy_put (net/core/skbuff.c:933).
928     }
930     static void mm_unaccount_pinned_pages(struct mmpin *mmp)
931     {
932             if (mmp->user) {
933                     atomic_long_sub(mmp->num_pg, &mmp->user->locked_vm);
934                     free_uid(mmp->user);

This gives me more confidence that the previous fix is sufficient.
I will have to revise it to avoid this path for all zerocopy paths
besides msg_zerocopy.

