From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: William Bowling <vakzz@zellic.io>, netdev@vger.kernel.org
Cc: "David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
David Ahern <dsahern@kernel.org>
Subject: Re: [PATCH net] net: skbuff: preserve shared-frag marker during coalescing
Date: Thu, 14 May 2026 16:46:49 +0800 [thread overview]
Message-ID: <1707b255-05ac-4d7d-8f06-3c7ac37a23f9@linux.dev>
In-Reply-To: <20260513041635.1289541-1-vakzz@zellic.io>
On 5/13/26 12:16 PM, William Bowling wrote:
> skb_try_coalesce() can attach paged frags from @from to @to. If @from
> has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same
> externally-owned or page-cache-backed frags, but the shared-frag marker
> is currently lost.
>
> That breaks the invariant relied on by later in-place writers. In
> particular, ESP input checks skb_has_shared_frag() before deciding
> whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP
> receive coalescing has moved shared frags into an unmarked skb, ESP can
> see skb_has_shared_frag() as false and decrypt in place over page-cache
> backed frags.
>
> Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged
> frags. The tailroom copy path does not need the marker because it copies
> bytes into @to's linear data rather than transferring frag descriptors.
>
> Fixes: cef401de7be8 ("net: fix possible wrong checksum generation")
> Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags")
Tested-by: Jiayuan Chen <jiayuan.chen@linux.dev>
I have reproduced and tested it in 5.15/6.6/upstream with
https://github.com/v12-security/pocs/tree/main/fragnesia
This patch fixed the issue.
Thanks
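The invariant the patch restores, as a constructed C model added here (not kernel code, not the patch, and not anything from the reproducer linked above): frag descriptors that move from @from to @to must carry SKBFL_SHARED_FRAG with them, while a byte copy into @to's own tailroom needs no marker because the data lands in @to's private linear area. All struct and function names below (model_skb, model_try_coalesce, model_can_decrypt_in_place and friends) are stand-ins, and the numeric value given to SKBFL_SHARED_FRAG is an assumption; the kernel's real skb_try_coalesce() has more paths than the two modelled here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code. Names are stand-ins for sk_buff,
 * skb_shinfo()->flags, skb_try_coalesce() and the ESP input check. */

#define SKBFL_SHARED_FRAG 0x1u  /* kernel flag name; bit value is an assumption */
#define MAX_FRAGS 4
#define LINEAR_SIZE 64

struct model_frag { const char *page; size_t len; }; /* stand-in for a page frag */

struct model_skb {
    unsigned int flags;                 /* stand-in for skb_shinfo(skb)->flags */
    char linear[LINEAR_SIZE];           /* private linear data area */
    size_t linear_len;
    struct model_frag frags[MAX_FRAGS]; /* externally-owned / page-cache pages */
    int nr_frags;
};

static bool model_has_shared_frag(const struct model_skb *skb)
{
    return (skb->flags & SKBFL_SHARED_FRAG) != 0;
}

static size_t model_len(const struct model_skb *skb)
{
    size_t len = skb->linear_len;
    for (int i = 0; i < skb->nr_frags; i++)
        len += skb->frags[i].len;
    return len;
}

/* Coalesce @from into @to. A linear @to with enough tailroom takes a byte
 * copy (no descriptors move, so no marker is needed). Otherwise @from's frag
 * descriptors are appended to @to; @propagate selects whether the shared-frag
 * marker travels with them (false models the behaviour the patch fixes). */
static bool model_try_coalesce(struct model_skb *to, const struct model_skb *from,
                               bool propagate)
{
    size_t len = model_len(from);

    if (to->nr_frags == 0 && to->linear_len + len <= LINEAR_SIZE) {
        char *p = to->linear + to->linear_len;
        memcpy(p, from->linear, from->linear_len);
        p += from->linear_len;
        for (int i = 0; i < from->nr_frags; i++) {
            memcpy(p, from->frags[i].page, from->frags[i].len);
            p += from->frags[i].len;
        }
        to->linear_len += len;
        return true;
    }
    /* Model simplification: only pure-frag sources take the transfer path. */
    if (from->linear_len != 0 || to->nr_frags + from->nr_frags > MAX_FRAGS)
        return false;
    for (int i = 0; i < from->nr_frags; i++)
        to->frags[to->nr_frags++] = from->frags[i];
    if (propagate)
        to->flags |= from->flags & SKBFL_SHARED_FRAG;
    return true;
}

/* Stand-in for the ESP input decision: write in place only if nothing is shared. */
static bool model_can_decrypt_in_place(const struct model_skb *skb)
{
    return !model_has_shared_frag(skb);
}

static const char page_cache_bytes[] = "page-cache backed payload"; /* constructed */

/* Shared-frag @from coalesced into a nonlinear, unmarked @to. Returns true when
 * the model ESP check would decrypt in place over the transferred frag. */
static bool in_place_allowed_after_frag_transfer(bool fixed)
{
    static const char own_page[] = "to's own frag";
    struct model_skb to = {0}, from = {0};

    to.frags[0].page = own_page;
    to.frags[0].len = sizeof(own_page) - 1;
    to.nr_frags = 1;                       /* nonlinear: no tailroom path */

    from.flags = SKBFL_SHARED_FRAG;
    from.frags[0].page = page_cache_bytes;
    from.frags[0].len = sizeof(page_cache_bytes) - 1;
    from.nr_frags = 1;

    if (!model_try_coalesce(&to, &from, fixed))
        return false;
    return model_can_decrypt_in_place(&to);
}

/* Same shared-frag @from copied into a linear @to's tailroom: the bytes now
 * live in @to's private linear area, so leaving @to unmarked is correct. */
static bool tailroom_copy_is_private(void)
{
    struct model_skb to = {0}, from = {0};

    memcpy(to.linear, "hdr", 3);
    to.linear_len = 3;
    from.flags = SKBFL_SHARED_FRAG;
    from.frags[0].page = page_cache_bytes;
    from.frags[0].len = sizeof(page_cache_bytes) - 1;
    from.nr_frags = 1;

    if (!model_try_coalesce(&to, &from, true))
        return false;
    return to.nr_frags == 0 && !model_has_shared_frag(&to) &&
           to.linear_len == 3 + sizeof(page_cache_bytes) - 1 &&
           memcmp(to.linear + 3, page_cache_bytes, sizeof(page_cache_bytes) - 1) == 0;
}

int main(void)
{
    printf("before fix: in-place over shared frag %s\n",
           in_place_allowed_after_frag_transfer(false) ? "allowed" : "denied");
    printf("after fix:  in-place over shared frag %s\n",
           in_place_allowed_after_frag_transfer(true) ? "allowed" : "denied");
    printf("tailroom copy keeps @to private: %s\n", tailroom_copy_is_private() ? "yes" : "no");
    return 0;
}
```

With propagate disabled the model reproduces the commit message's failure: the ESP stand-in sees no shared-frag marker on @to and would write over the transferred page. With propagation the same check refuses in-place work, and the tailroom case shows why the copy path is left alone.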
Thread overview: 5+ messages
2026-05-13 4:16 [PATCH net] net: skbuff: preserve shared-frag marker during coalescing William Bowling
2026-05-13 8:03 ` Eric Dumazet
2026-05-13 11:31 ` Hyunwoo Kim
2026-05-14 8:46 ` Jiayuan Chen [this message]
2026-05-15 1:00 ` patchwork-bot+netdevbpf