Linux 6.15 shipped a new zero-copy receive subsystem for io_uring called ZCRX. It manages a pool of network I/O vectors (niovs) using a stack: freelist[] holds available slot indices, free_count is the depth. There is no upper bound check on free_count. Two separate kernel teardown paths both return niovs to the same freelist, and when they overlap, free_count exceeds the allocated array length...