From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: Hyunwoo Kim <imv4bel@gmail.com>,
dhowells@redhat.com, marc.dionne@auristor.com,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org, qingfang.deng@linux.dev
Cc: linux-afs@lists.infradead.org, netdev@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH net v3] rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Date: Sat, 9 May 2026 10:32:08 +0800 [thread overview]
Message-ID: <252e4742-34db-4a04-8c9d-560625df1e70@linux.dev> (raw)
In-Reply-To: <af2kdW2F1gJ9U-Gg@v4bel>
On 5/8/26 4:53 PM, Hyunwoo Kim wrote:
> The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
> handler in rxrpc_verify_response() copy the skb to a linear one before
> calling into the security ops only when skb_cloned() is true. An skb
> that is not cloned but still carries externally-owned paged fragments
> (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
> __ip_append_data, or a chained skb_has_frag_list()) falls through to
> the in-place decryption path, which binds the frag pages directly into
> the AEAD/skcipher SGL via skb_to_sgvec().
>
> Extend the gate to also unshare when skb_has_frag_list() or
> skb_has_shared_frag() is true. This catches the splice-loopback vector
> and other externally-shared frag sources while preserving the
> zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
> page_pool RX, GRO). The OOM/trace handling already in place is reused.
To be clear, frag_list is not empty for SKB_GSO_FRAGLIST and the skb
will go through the copy path.
It's just tradeoff.
>
> Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
> ---
> Changes in v3:
> - Use skb_has_frag_list() || skb_has_shared_frag() instead of skb_is_nonlinear()
> - v2: https://lore.kernel.org/all/af2F1FU5d4Q_Gn1W@v4bel/
Others lgtm, it makes sense to keep this as the ESP fix, since both
patches address your Dirty Frag vulnerability.
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
next prev parent reply other threads:[~2026-05-09 2:32 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-08 8:53 [PATCH net v3] rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present Hyunwoo Kim
2026-05-08 15:45 ` David Howells
2026-05-09 2:32 ` Jiayuan Chen [this message]
2026-05-09 14:30 ` Jeffrey E Altman
2026-05-10 15:45 ` Jakub Kicinski
2026-05-10 16:48 ` Hyunwoo Kim
2026-05-10 17:03 ` Jakub Kicinski
2026-05-10 17:05 ` Fernando Fernandez Mancera
2026-05-10 17:05 ` Hyunwoo Kim
2026-05-10 17:23 ` Jakub Kicinski
2026-05-11 1:54 ` Jiayuan Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=252e4742-34db-4a04-8c9d-560625df1e70@linux.dev \
--to=jiayuan.chen@linux.dev \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=imv4bel@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=marc.dionne@auristor.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=qingfang.deng@linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.