From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.chopps.org (smtp.chopps.org [54.88.81.56]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A434810F2; Sun, 24 May 2026 06:28:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=54.88.81.56 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779604086; cv=none; b=JuwsVjvlv8rc1TaTfFYFdZs6Q08leaXkOpfB31w7IKcVlkjeNVAFvBf/unjSo7ym6excR0bko4nKXML+tmlwp4ml9ZAt9uT/OFzWKfICAM6euv5/Q6IFv+XmAp4o2VM1ztzveAOtydWN5PhJC57w8gzh9r0DzJ3EmhbnZwNmunU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779604086; c=relaxed/simple; bh=C56XPEmyiutI6uU+IC8A8y7eRsd2kZmjmJDlh7z1wV0=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=ilZDvAACMM/CfWJRIf9VK2uZvFM4XerMORAyk4jCsndNGpWyGpcUCFLnuDUp5SSIEupXTR9aHZZcmWZ2mymTzHrw0LruWAQVCcNrguw9i3EuhwQXf84TLHxa6QSxKKXoIVdecsMIt5pf4vuccJfSnxE8yId9lT5XeaLjnyvXdG0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=chopps.org; spf=fail smtp.mailfrom=chopps.org; arc=none smtp.client-ip=54.88.81.56 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=chopps.org Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=chopps.org Received: from ja.int.chopps.org.chopps.org (unknown [47.225.56.28]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by smtp.chopps.org (Postfix) with ESMTPSA id D79B37D08D; Sun, 24 May 2026 06:19:54 +0000 (UTC) From: Christian Hopps To: Takao Sato Cc: netdev@vger.kernel.org, steffen.klassert@secunet.com, w@1wt.eu, davem@davemloft.net, herbert@gondor.apana.org.au, stable@vger.kernel.org Subject: Re: [PATCH net v3] xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags() In-Reply-To: <20260522142504.1394864-1-takaosato1997@gmail.com> (Takao Sato's message of "Fri, 22 May 2026 11:25:04 -0300") References: <20260522142504.1394864-1-takaosato1997@gmail.com> User-Agent: mu4e 1.14.1; emacs 30.2 Date: Sun, 24 May 2026 02:19:53 -0400 Message-ID: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; format=flowed Takao Sato writes: > iptfs_consume_frags() transfers paged fragments from one socket buffer > to another but fails to propagate the SKBFL_SHARED_FRAG flag. This is > the same class of bug that was fixed in skb_try_coalesce() for > CVE-2026-46300: when fragments backed by read-only page-cache pages are > merged, the marker indicating their shared nature must be preserved so > that ESP can decide correctly whether in-place encryption is safe. > > Apply the same two-line fix used in skb_try_coalesce() to > iptfs_consume_frags(). > > Fixes: b96ba312e21c ("xfrm: iptfs: share page fragments of inner packets") > Cc: stable@vger.kernel.org # 6.8+ > Signed-off-by: Takao Sato > --- > net/xfrm/xfrm_iptfs.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/xfrm/xfrm_iptfs.c b/net/xfrm/xfrm_iptfs.c > index 97bc979e5..4db85e158 100644 > --- a/net/xfrm/xfrm_iptfs.c > +++ b/net/xfrm/xfrm_iptfs.c > @@ -2168,6 +2168,8 @@ static void iptfs_consume_frags(struct sk_buff *to, struct sk_buff *from) > memcpy(&toi->frags[toi->nr_frags], fromi->frags, > sizeof(fromi->frags[0]) * fromi->nr_frags); > toi->nr_frags += fromi->nr_frags; > + if (fromi->nr_frags) > + toi->flags |= fromi->flags & SKBFL_SHARED_FRAG; > fromi->nr_frags = 0; > from->data_len = 0; > from->len = 0; LGTM, Thanks! Reviewed-by: Christian Hopps