From: Hyunwoo Kim <imv4bel@gmail.com>
To: Eric Dumazet <edumazet@google.com>
Cc: William Bowling <vakzz@zellic.io>,
netdev@vger.kernel.org, "David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
David Ahern <dsahern@kernel.org>,
imv4bel@gmail.com
Subject: Re: [PATCH net] net: skbuff: preserve shared-frag marker during coalescing
Date: Wed, 13 May 2026 20:31:34 +0900
Message-ID: <agRhFtawP06hWyRa@v4bel>
In-Reply-To: <CANn89i+NMVb5EyfsLEfcBu=R+hrD2NPhrNSUwK3hHBWav68KhQ@mail.gmail.com>
On Wed, May 13, 2026 at 01:03:00AM -0700, Eric Dumazet wrote:
> On Tue, May 12, 2026 at 9:16 PM William Bowling <vakzz@zellic.io> wrote:
> >
> > skb_try_coalesce() can attach paged frags from @from to @to. If @from
> > has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same
> > externally-owned or page-cache-backed frags, but the shared-frag marker
> > is currently lost.
> >
> > That breaks the invariant relied on by later in-place writers. In
> > particular, ESP input checks skb_has_shared_frag() before deciding
> > whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP
> > receive coalescing has moved shared frags into an unmarked skb, ESP can
> > see skb_has_shared_frag() as false and decrypt in place over page-cache
> > backed frags.
> >
> > Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged
> > frags. The tailroom copy path does not need the marker because it copies
> > bytes into @to's linear data rather than transferring frag descriptors.
> >
> > Fixes: cef401de7be8 ("net: fix possible wrong checksum generation")
> > Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags")
> > Signed-off-by: William Bowling <vakzz@zellic.io>
>
> Reviewed-by: Eric Dumazet <edumazet@google.com>
>
> Thanks!
Dear Eric,
William's patch covers the shared-frag marker loss in skb_try_coalesce(), but a
sibling defect of the same class is left uncovered in __pskb_copy_fclone()
(pskb_copy()). I have submitted a follow-up patch addressing that variant --
I'd appreciate it if you could take a look.
I confirmed dynamically that the follow-up patch resolves the additional issue
(reproduced with a small PoC: unshare(USER|NET) + a single nft 'dup' rule landing
a pskb_copy()'d skb in esp_input()). Further auditing and testing for other
variants in the same class are still ongoing on my side; I will send an update
as soon as I have more results.
https://lore.kernel.org/all/agRfuVOeMI5pbHhY@v4bel/
Best regards,
Hyunwoo Kim
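To make the invariant under discussion concrete, here is a constructed C model added for this page; it is not kernel code and not the patch under review. It uses a toy skb with a small linear area and a few frag descriptors, implements the two coalescing paths the commit message distinguishes (copy bytes into tailroom versus move frag descriptors), propagates the shared-frag marker only on the descriptor-moving path, and shows a consumer-side check in the spirit of the ESP decision (in-place writes only when the skb is neither cloned nor carrying shared frags). The struct layout, field names, the toy flag value and the helper names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model, constructed for illustration only; not the kernel's sk_buff. */
#define MAX_FRAGS 4
#define SKBFL_SHARED_FRAG 0x1u   /* same meaning as the kernel flag; toy value */

struct frag { const void *page; size_t len; };

struct skb {
    char linear[64];            /* linear data area */
    size_t linear_len;          /* bytes used in linear[] */
    struct frag frags[MAX_FRAGS];
    int nr_frags;
    unsigned int flags;         /* shared-info flags */
    bool cloned;
};

static bool skb_has_shared_frag(const struct skb *s)
{
    return (s->flags & SKBFL_SHARED_FRAG) != 0;
}

/* Coalesce 'from' into 'to'; returns true on success.
 * Mirrors the two paths named in the commit message. */
static bool try_coalesce(struct skb *to, struct skb *from)
{
    size_t tailroom = sizeof(to->linear) - to->linear_len;

    if (from->nr_frags == 0 && from->linear_len <= tailroom) {
        /* Tailroom path: bytes are copied into 'to', no descriptor is
         * shared, so the marker has nothing to say about 'to'. */
        memcpy(to->linear + to->linear_len, from->linear, from->linear_len);
        to->linear_len += from->linear_len;
        return true;
    }
    if (from->linear_len != 0)                 /* keep the model simple */
        return false;
    if (to->nr_frags + from->nr_frags > MAX_FRAGS)
        return false;

    /* Frag-transfer path: descriptors move, so the pages they point at
     * are now reachable through 'to'. */
    for (int i = 0; i < from->nr_frags; i++)
        to->frags[to->nr_frags++] = from->frags[i];
    from->nr_frags = 0;

    /* The point of the fix: 'to' must inherit the shared-frag marker. */
    to->flags |= from->flags & SKBFL_SHARED_FRAG;
    return true;
}

/* Consumer-side decision in the spirit of the ESP input check described
 * in the thread: writing in place is only safe when nobody else can
 * observe the bytes. */
static bool can_write_in_place(const struct skb *s)
{
    return !s->cloned && !skb_has_shared_frag(s);
}

/* Scenario 1: a source whose frags are externally owned is coalesced by
 * descriptor transfer; the destination must end up marked. */
static bool frag_path_marks_dest(void)
{
    static const char page[32] = "constructed page-cache bytes";
    struct skb to = {0}, from = {0};

    from.frags[0] = (struct frag){ page, sizeof(page) };
    from.nr_frags = 1;
    from.flags = SKBFL_SHARED_FRAG;
    if (!try_coalesce(&to, &from))
        return false;
    return skb_has_shared_frag(&to) && !can_write_in_place(&to);
}

/* Scenario 2: a linear-only source is copied into tailroom; nothing is
 * shared with the destination afterwards. */
static bool tailroom_path_leaves_dest_unmarked(void)
{
    struct skb to = {0}, from = {0};

    memcpy(from.linear, "hello", 5);
    from.linear_len = 5;
    if (!try_coalesce(&to, &from))
        return false;
    return !skb_has_shared_frag(&to) && to.linear_len == 5 &&
           can_write_in_place(&to);
}

int main(void)
{
    printf("frag transfer propagates marker: %s\n",
           frag_path_marks_dest() ? "yes" : "NO");
    printf("tailroom copy leaves dest unmarked: %s\n",
           tailroom_path_leaves_dest_unmarked() ? "yes" : "NO");
    return 0;
}
```

The line `to->flags |= from->flags & SKBFL_SHARED_FRAG;` is the model's equivalent of what the patch restores: without it, scenario 1 would leave `can_write_in_place()` returning true for an skb whose frag pages it does not own, which is exactly the class of mismatch the follow-up for `__pskb_copy_fclone()` is also chasing.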