[PATCH] rxrpc: always copy skb on in-place decrypt to avoid pagecache aliasing
Ziyi Guo
n7l8m4 at u.northwestern.edu
Sat May 2 14:13:40 PDT 2026
skb_cloned() does not detect frag-level page sharing introduced by splice()
with MSG_SPLICE_PAGES. When such an skb reaches the rxrpc DATA path,
in-place decryption (rxkad/rxgk) writes plaintext into file
pagecache pages still aliased to the source file, leading to
corruption of the page cache of any readable file.

Drop the skb_cloned() gate so skb_copy() is performed unconditionally
for DATA packets, severing the alias before decrypt.
Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
Signed-off-by: Ziyi Guo <n7l8m4 at u.northwestern.edu>
---
net/rxrpc/call_event.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
index fdd683261226..39d19a354172 100644
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -333,10 +333,12 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
- sp->hdr.securityIndex != 0 &&
- skb_cloned(skb)) {
- /* Unshare the packet so that it can be
- * modified by in-place decryption.
+ sp->hdr.securityIndex != 0) {
+ /* Always unshare: skb_cloned() does not
+ * detect frag-level page sharing introduced
+ * by splice() with MSG_SPLICE_PAGES, so
+ * in-place decryption could otherwise corrupt
+ * the source file's page cache.
*/
struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
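Review bot: the hunk ends at `struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);`, so the GFP_ATOMIC failure path and what happens to the original skb after the copy are not visible in this context; please extend the context (or state it in the commit message) so reviewers can confirm a NULL nskb is handled and the old skb is released rather than decrypted in place. Dropping the skb_cloned() gate also turns a conditional copy into a full skb_copy() for every secured DATA packet, which the gate in the Fixes commit was there to avoid; the commit message should acknowledge that per-packet cost and say whether a narrower test, one that detects frags still referencing another owner's pages rather than only header clones, was considered and why it was rejected. The updated comment is good, but it is worth adding that skb_copy() is chosen specifically because it copies frag data into a fresh buffer, which is what actually severs the alias here.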
--
2.34.1