From: Hyunwoo Kim <imv4bel@gmail.com>
To: kuba@kernel.org, dhowells@redhat.com, marc.dionne@auristor.com,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
horms@kernel.org, qingfang.deng@linux.dev,
jiayuan.chen@linux.dev
Cc: linux-afs@lists.infradead.org, netdev@vger.kernel.org, imv4bel@gmail.com
Subject: [PATCH net] rxrpc: Use skb_ensure_writable() before in-place decryption
Date: Mon, 11 May 2026 03:51:05 +0900 [thread overview]
Message-ID: <agDTmXM2wXnJflYc@v4bel> (raw)
Writing to any frag is incorrect since frag pages can be shared.
Use skb_ensure_writable() to ensure the skb is writable before
in-place decryption.
Fixes: aa54b1d27fe0 ("rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
---
net/rxrpc/call_event.c | 18 ++----------------
net/rxrpc/conn_event.c | 23 +++++------------------
2 files changed, 7 insertions(+), 34 deletions(-)
diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
index 2b19b252225e..837e121ed9a6 100644
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -334,22 +334,8 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
sp->hdr.securityIndex != 0 &&
- (skb_cloned(skb) ||
- skb_has_frag_list(skb) ||
- skb_has_shared_frag(skb))) {
- /* Unshare the packet so that it can be
- * modified by in-place decryption.
- */
- struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
-
- if (nskb) {
- rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
- rxrpc_input_call_packet(call, nskb);
- rxrpc_free_skb(nskb, rxrpc_skb_put_call_rx);
- } else {
- /* OOM - Drop the packet. */
- rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
- }
+ skb_ensure_writable(skb, skb->len)) {
+ rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
} else {
rxrpc_input_call_packet(call, skb);
}
diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index 442414d90ba1..a9eaad970e0c 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -245,26 +245,13 @@ static int rxrpc_verify_response(struct rxrpc_connection *conn,
{
int ret;
- if (skb_cloned(skb) || skb_has_frag_list(skb) ||
- skb_has_shared_frag(skb)) {
- /* Copy the packet if shared so that we can do in-place
- * decryption.
- */
- struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
-
- if (nskb) {
- rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
- ret = conn->security->verify_response(conn, nskb);
- rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
- } else {
- /* OOM - Drop the packet. */
- rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
- ret = -ENOMEM;
- }
- } else {
- ret = conn->security->verify_response(conn, skb);
+ if (skb_ensure_writable(skb, skb->len)) {
+ rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
+ return -ENOMEM;
}
+ ret = conn->security->verify_response(conn, skb);
+
return ret;
}
--
2.43.0
reply other threads:[~2026-05-10 18:51 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agDTmXM2wXnJflYc@v4bel \
--to=imv4bel@gmail.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jiayuan.chen@linux.dev \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=marc.dionne@auristor.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=qingfang.deng@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.