From: Jeffrey E Altman <jaltman@auristor.com>
To: Hyunwoo Kim <imv4bel@gmail.com>,
dhowells@redhat.com, marc.dionne@auristor.com,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org, qingfang.deng@linux.dev,
jiayuan.chen@linux.dev
Cc: linux-afs@lists.infradead.org, netdev@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH net v3] rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Date: Sat, 9 May 2026 10:30:39 -0400 [thread overview]
Message-ID: <ee897c82-d9c0-4b09-86e5-e34458b6341a@auristor.com> (raw)
In-Reply-To: <af2kdW2F1gJ9U-Gg@v4bel>
On 5/8/2026 4:53 AM, Hyunwoo Kim wrote:
> The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
> handler in rxrpc_verify_response() copy the skb to a linear one before
> calling into the security ops only when skb_cloned() is true. An skb
> that is not cloned but still carries externally-owned paged fragments
> (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
> __ip_append_data, or a chained skb_has_frag_list()) falls through to
> the in-place decryption path, which binds the frag pages directly into
> the AEAD/skcipher SGL via skb_to_sgvec().
>
> Extend the gate to also unshare when skb_has_frag_list() or
> skb_has_shared_frag() is true. This catches the splice-loopback vector
> and other externally-shared frag sources while preserving the
> zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
> page_pool RX, GRO). The OOM/trace handling already in place is reused.
>
> Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
> ---
> Changes in v3:
> - Use skb_has_frag_list() || skb_has_shared_frag() instead of skb_is_nonlinear()
> - v2: https://lore.kernel.org/all/af2F1FU5d4Q_Gn1W@v4bel/
> Changes in v2:
> - Use skb_is_nonlinear() instead of skb->data_len
> - v1: https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/
> ---
> net/rxrpc/call_event.c | 4 +++-
> net/rxrpc/conn_event.c | 3 ++-
> 2 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
> index fdd683261226..2b19b252225e 100644
> --- a/net/rxrpc/call_event.c
> +++ b/net/rxrpc/call_event.c
> @@ -334,7 +334,9 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
>
> if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
> sp->hdr.securityIndex != 0 &&
> - skb_cloned(skb)) {
> + (skb_cloned(skb) ||
> + skb_has_frag_list(skb) ||
> + skb_has_shared_frag(skb))) {
> /* Unshare the packet so that it can be
> * modified by in-place decryption.
> */
As pointed out by Jiayuan Chen, "frag_list is not empty for
SKB_GSO_FRAGLIST and the skb
will go through the copy path." The copy path calls skb_copy() which
returns NULL when
SKB_GSO_FRAGLIST is set:
if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST))
return NULL;
which will cause rxrpc_input_call_event() to drop the packet:
/* OOM - Drop the packet. */
rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
Is it safe to permit an skb with SKB_GSO_FRAGLIST set to go through the
non-copy path
or does there needs to be some alternative logic to process the packet.
> diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
> index a2130d25aaa9..442414d90ba1 100644
> --- a/net/rxrpc/conn_event.c
> +++ b/net/rxrpc/conn_event.c
> @@ -245,7 +245,8 @@ static int rxrpc_verify_response(struct rxrpc_connection *conn,
> {
> int ret;
>
> - if (skb_cloned(skb)) {
> + if (skb_cloned(skb) || skb_has_frag_list(skb) ||
> + skb_has_shared_frag(skb)) {
> /* Copy the packet if shared so that we can do in-place
> * decryption.
> */
The copy path in rxrpc_verify_response() also calls sk_copy().
Thank you.
Jeffrey Altman
next prev parent reply other threads:[~2026-05-09 14:30 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-08 8:53 [PATCH net v3] rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present Hyunwoo Kim
2026-05-08 15:45 ` David Howells
2026-05-09 2:32 ` Jiayuan Chen
2026-05-09 14:30 ` Jeffrey E Altman [this message]
2026-05-10 15:45 ` Jakub Kicinski
2026-05-10 16:48 ` Hyunwoo Kim
2026-05-10 17:03 ` Jakub Kicinski
2026-05-10 17:05 ` Fernando Fernandez Mancera
2026-05-10 17:05 ` Hyunwoo Kim
2026-05-10 17:23 ` Jakub Kicinski
2026-05-11 1:54 ` Jiayuan Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ee897c82-d9c0-4b09-86e5-e34458b6341a@auristor.com \
--to=jaltman@auristor.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=imv4bel@gmail.com \
--cc=jiayuan.chen@linux.dev \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=marc.dionne@auristor.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=qingfang.deng@linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox