From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 34AF5352C52 for ; Mon, 11 May 2026 06:02:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778479341; cv=none; b=Ka25G3/snGh44Xin0YaarovetSudlTGO4ILgOAzhEUyIggT4zFEKU2QGeLYV+b8OPHxufEshXxi0mczPH6W6Zj81YuUcJN4fNuf/d4vGZMCLf06PYKAbscUfblNwqayDjuZd19XUuDf2a2yBgvUkjD2xtkPjpDEDm/xXeRleidc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778479341; c=relaxed/simple; bh=/iUPgxA8JEX2BjrBF3SM6dMzPFIUoQ2jtm/k16NpFuU=; h=Subject:To:Cc:From:Date:Message-ID:MIME-Version:Content-Type; b=Xng3kzls6fZK1NITPJARy51qLweQviI+TKOoQo3cXvOmd5OUm3iYoFAzFsqd38gHCR0wmGZmxTuOEY4njqr35cvjt0iKM3DtAS1pilRz0ruLyvGm0NGWP0ZjC2G7fIrBDJkaxWCos89uKdcsIbM0R5sw3HqjnGeRN6k+Zq4WIRE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=OKS7UTj7; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="OKS7UTj7" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7568AC2BCF5; Mon, 11 May 2026 06:02:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778479340; bh=/iUPgxA8JEX2BjrBF3SM6dMzPFIUoQ2jtm/k16NpFuU=; h=Subject:To:Cc:From:Date:From; b=OKS7UTj7QaRd3TsxJAz4an4dGXdjV0z50IscAlmPG4+3BAI40Ria/B1uQcwp9NVQ6 7Y34hDCpPTLytOi0Y/+HuyfZYzp6ccdQJ7ac6jbrKJzYuy6oWpm3otFcpHIoFGdhU8 +D8kiJEwbB9V9eB+fHz8/EqWHUyj4SpAl6XEs1bw= Subject: FAILED: patch "[PATCH] rxrpc: Also unshare DATA/RESPONSE packets when paged frags" failed to apply to 6.1-stable tree To: imv4bel@gmail.com,dhowells@redhat.com,jiayuan.chen@linux.dev,torvalds@linux-foundation.org Cc: From: Date: Mon, 11 May 2026 08:02:17 +0200 Message-ID: <2026051117-cassette-storeroom-241e@gregkh> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to . To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71 # git commit -s git send-email --to '' --in-reply-to '2026051117-cassette-storeroom-241e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71 Mon Sep 17 00:00:00 2001 From: Hyunwoo Kim Date: Fri, 8 May 2026 17:53:09 +0900 Subject: [PATCH] rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused. Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()") Cc: stable@vger.kernel.org Signed-off-by: Hyunwoo Kim Reviewed-by: Jiayuan Chen Acked-by: David Howells Signed-off-by: Linus Torvalds diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c index fdd683261226..2b19b252225e 100644 --- a/net/rxrpc/call_event.c +++ b/net/rxrpc/call_event.c @@ -334,7 +334,9 @@ bool rxrpc_input_call_event(struct rxrpc_call *call) if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA && sp->hdr.securityIndex != 0 && - skb_cloned(skb)) { + (skb_cloned(skb) || + skb_has_frag_list(skb) || + skb_has_shared_frag(skb))) { /* Unshare the packet so that it can be * modified by in-place decryption. */ diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c index a2130d25aaa9..442414d90ba1 100644 --- a/net/rxrpc/conn_event.c +++ b/net/rxrpc/conn_event.c @@ -245,7 +245,8 @@ static int rxrpc_verify_response(struct rxrpc_connection *conn, { int ret; - if (skb_cloned(skb)) { + if (skb_cloned(skb) || skb_has_frag_list(skb) || + skb_has_shared_frag(skb)) { /* Copy the packet if shared so that we can do in-place * decryption. */