From: Jann Horn
Date: Tue, 12 May 2026 16:02:03 +0200
Subject: [PATCH] net: block MSG_NO_SHARED_FRAGS in sendmsg()
Message-Id: <20260512-msg_no_shared_frags-v1-1-55ea46760331@google.com>
To: Eric Dumazet, Kuniyuki Iwashima, Paolo Abeni, Willem de Bruijn, netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, John Fastabend, Jann Horn

This change should cause no difference in behavior; it just cleans up some hazardous code that could have become a problem in the future.

MSG_NO_SHARED_FRAGS is a kernel-internal flag that cancels the effect of MSG_SPLICE_PAGES, another kernel-internal flag that influences the data-sharing semantics of SKBs. Prevent passing this flag in from userspace via sendmsg() by adding it to MSG_INTERNAL_SENDMSG_FLAGS.

This is not currently an observable problem because MSG_NO_SHARED_FRAGS only has an effect if kernel code adds MSG_SPLICE_PAGES to it.
The only codepath that adds MSG_SPLICE_PAGES to user-supplied flags from which MSG_NO_SHARED_FRAGS hasn't been cleared is the path tcp_bpf_sendmsg -> tcp_bpf_send_verdict -> tcp_bpf_push, and that is not a problem because tcp_bpf_sendmsg always intentionally sets MSG_NO_SHARED_FRAGS anyway. Signed-off-by: Jann Horn --- include/linux/socket.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/socket.h b/include/linux/socket.h index ec4a0a025793..1a4d0d128a13 100644 --- a/include/linux/socket.h +++ b/include/linux/socket.h @@ -357,7 +357,7 @@ struct ucred { /* Flags to be cleared on entry by sendmsg and sendmmsg syscalls */ #define MSG_INTERNAL_SENDMSG_FLAGS \ - (MSG_SPLICE_PAGES | MSG_SENDPAGE_NOPOLICY | MSG_SENDPAGE_DECRYPTED) + (MSG_SPLICE_PAGES | MSG_SENDPAGE_NOPOLICY | MSG_SENDPAGE_DECRYPTED | MSG_NO_SHARED_FRAGS) /* Setsockoptions(2) level. Thanks to BSD these must match IPPROTO_xxx */ #define SOL_IP 0 --- base-commit: 5d6919055dec134de3c40167a490f33c74c12581 change-id: 20260511-msg_no_shared_frags-d557c14e487b -- Jann Horn
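
Review bot: The replacement line in the MSG_INTERNAL_SENDMSG_FLAGS definition (include/linux/socket.h, hunk at line 357) is 89 characters before indentation, so the mask should be wrapped onto a second backslash-continued line, for example breaking before `MSG_SENDPAGE_DECRYPTED`, to stay within the 80-column preference. A smaller wording point: the subject says "block", while the comment directly above the macro says these flags are "cleared on entry by sendmsg and sendmmsg syscalls", so going by that comment the flag is masked off rather than rejected. Saying "clear" or "ignore" in the subject, and naming sendmmsg() next to sendmsg() in the commit message, would match what the visible comment describes.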