From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
<netdev@vger.kernel.org>
Subject: [PATCH 1/6] xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()
Date: Wed, 10 Jun 2026 16:07:40 +0200 [thread overview]
Message-ID: <20260610140800.2562818-2-steffen.klassert@secunet.com> (raw)
In-Reply-To: <20260610140800.2562818-1-steffen.klassert@secunet.com>
From: Takao Sato <takaosato1997@gmail.com>
iptfs_consume_frags() transfers paged fragments from one socket buffer
to another but fails to propagate the SKBFL_SHARED_FRAG flag. This is
the same class of bug that was fixed in skb_try_coalesce() for
CVE-2026-46300: when fragments backed by read-only page-cache pages are
merged, the marker indicating their shared nature must be preserved so
that ESP can decide correctly whether in-place encryption is safe.
Apply the same two-line fix used in skb_try_coalesce() to
iptfs_consume_frags().
Fixes: b96ba312e21c ("xfrm: iptfs: share page fragments of inner packets")
Cc: stable@vger.kernel.org # 6.14+
Signed-off-by: Takao Sato <takaosato1997@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_iptfs.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/xfrm/xfrm_iptfs.c b/net/xfrm/xfrm_iptfs.c
index 6c6bbc040517..62ba828632f1 100644
--- a/net/xfrm/xfrm_iptfs.c
+++ b/net/xfrm/xfrm_iptfs.c
@@ -2168,6 +2168,8 @@ static void iptfs_consume_frags(struct sk_buff *to, struct sk_buff *from)
memcpy(&toi->frags[toi->nr_frags], fromi->frags,
sizeof(fromi->frags[0]) * fromi->nr_frags);
toi->nr_frags += fromi->nr_frags;
+ if (fromi->nr_frags)
+ toi->flags |= fromi->flags & SKBFL_SHARED_FRAG;
fromi->nr_frags = 0;
from->data_len = 0;
from->len = 0;
--
2.43.0
next prev parent reply other threads:[~2026-06-10 14:08 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 14:07 [PATCH 0/6] pull request (net): ipsec 2026-06-10 Steffen Klassert
2026-06-10 14:07 ` Steffen Klassert [this message]
2026-06-10 14:07 ` [PATCH 2/6] xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload Steffen Klassert
2026-06-10 14:07 ` [PATCH 3/6] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Steffen Klassert
2026-06-10 14:07 ` [PATCH 4/6] xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state() Steffen Klassert
2026-06-10 14:07 ` [PATCH 5/6] xfrm: espintcp: do not reuse an in-progress partial send Steffen Klassert
2026-06-10 14:07 ` [PATCH 6/6] esp: fix page frag reference leak on skb_to_sgvec failure Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260610140800.2562818-2-steffen.klassert@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox