[PATCH net] net: skbuff: preserve shared-frag marker during coalescing

[PATCH net] net: skbuff: preserve shared-frag marker during coalescing

[William Bowling]

skb_try_coalesce() can attach paged frags from @from to @to.  If @from
has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same
externally-owned or page-cache-backed frags, but the shared-frag marker
is currently lost.

That breaks the invariant relied on by later in-place writers.  In
particular, ESP input checks skb_has_shared_frag() before deciding
whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP
receive coalescing has moved shared frags into an unmarked skb, ESP can
see skb_has_shared_frag() as false and decrypt in place over page-cache
backed frags.

Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged
frags.  The tailroom copy path does not need the marker because it copies
bytes into @to's linear data rather than transferring frag descriptors.

Fixes: cef401de7be8 ("net: fix possible wrong checksum generation")
Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags")
Signed-off-by: William Bowling <vakzz@zellic.io>
---
 net/core/skbuff.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 7dad68e3b..9c4e8d331 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -6200,6 +6200,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
 	       from_shinfo->frags,
 	       from_shinfo->nr_frags * sizeof(skb_frag_t));
 	to_shinfo->nr_frags += from_shinfo->nr_frags;
+	if (from_shinfo->nr_frags)
+		to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG;
 
 	if (!skb_cloned(from))
 		from_shinfo->nr_frags = 0;

Re: [PATCH net] net: skbuff: preserve shared-frag marker during coalescing

[Eric Dumazet]

On Tue, May 12, 2026 at 9:16 PM William Bowling <vakzz@zellic.io> wrote:
>
> skb_try_coalesce() can attach paged frags from @from to @to.  If @from
> has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same
> externally-owned or page-cache-backed frags, but the shared-frag marker
> is currently lost.
>
> That breaks the invariant relied on by later in-place writers.  In
> particular, ESP input checks skb_has_shared_frag() before deciding
> whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP
> receive coalescing has moved shared frags into an unmarked skb, ESP can
> see skb_has_shared_frag() as false and decrypt in place over page-cache
> backed frags.
>
> Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged
> frags.  The tailroom copy path does not need the marker because it copies
> bytes into @to's linear data rather than transferring frag descriptors.
>
> Fixes: cef401de7be8 ("net: fix possible wrong checksum generation")
> Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags")
> Signed-off-by: William Bowling <vakzz@zellic.io>

Reviewed-by: Eric Dumazet <edumazet@google.com>

Thanks!

Re: [PATCH net] net: skbuff: preserve shared-frag marker during coalescing

[Hyunwoo Kim]

On Wed, May 13, 2026 at 01:03:00AM -0700, Eric Dumazet wrote:
> On Tue, May 12, 2026 at 9:16 PM William Bowling <vakzz@zellic.io> wrote:
> >
> > skb_try_coalesce() can attach paged frags from @from to @to.  If @from
> > has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same
> > externally-owned or page-cache-backed frags, but the shared-frag marker
> > is currently lost.
> >
> > That breaks the invariant relied on by later in-place writers.  In
> > particular, ESP input checks skb_has_shared_frag() before deciding
> > whether an uncloned nonlinear skb can skip skb_cow_data().  If TCP
> > receive coalescing has moved shared frags into an unmarked skb, ESP can
> > see skb_has_shared_frag() as false and decrypt in place over page-cache
> > backed frags.
> >
> > Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged
> > frags.  The tailroom copy path does not need the marker because it copies
> > bytes into @to's linear data rather than transferring frag descriptors.
> >
> > Fixes: cef401de7be8 ("net: fix possible wrong checksum generation")
> > Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags")
> > Signed-off-by: William Bowling <vakzz@zellic.io>
> 
> Reviewed-by: Eric Dumazet <edumazet@google.com>
> 
> Thanks!

Dear Eric,

William's patch covers the shared-frag marker loss in skb_try_coalesce(), but a 
sibling defect of the same class is left uncovered in __pskb_copy_fclone() 
(pskb_copy()).  I have submitted a follow-up patch addressing that variant -- 
I'd appreciate it if you could take a look.

I confirmed dynamically that the follow-up patch resolves the additional issue 
(reproduced with a small PoC: unshare(USER|NET) + a single nft 'dup' rule landing 
a pskb_copy()'d skb in esp_input()).  Further auditing and testing for other 
variants in the same class are still ongoing on my side; I will send an update 
as soon as I have more results.

https://lore.kernel.org/all/agRfuVOeMI5pbHhY@v4bel/


Best regards,
Hyunwoo Kim