[PATCH net v3] rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Jiayuan Chen
jiayuan.chen at linux.dev
Fri May 8 19:32:08 PDT 2026
On 5/8/26 4:53 PM, Hyunwoo Kim wrote:
> The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
> handler in rxrpc_verify_response() copy the skb to a linear one before
> calling into the security ops only when skb_cloned() is true. An skb
> that is not cloned but still carries externally-owned paged fragments
> (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
> __ip_append_data, or a chained skb_has_frag_list()) falls through to
> the in-place decryption path, which binds the frag pages directly into
> the AEAD/skcipher SGL via skb_to_sgvec().
>
> Extend the gate to also unshare when skb_has_frag_list() or
> skb_has_shared_frag() is true. This catches the splice-loopback vector
> and other externally-shared frag sources while preserving the
> zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
> page_pool RX, GRO). The OOM/trace handling already in place is reused.
To be clear, frag_list is not empty for SKB_GSO_FRAGLIST and the skb
will go through the copy path.
It's just tradeoff.
>
> Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
> Cc: stable at vger.kernel.org
> Signed-off-by: Hyunwoo Kim <imv4bel at gmail.com>
> ---
> Changes in v3:
> - Use skb_has_frag_list() || skb_has_shared_frag() instead of skb_is_nonlinear()
> - v2: https://lore.kernel.org/all/af2F1FU5d4Q_Gn1W@v4bel/
Others lgtm, it makes sense to keep this as the ESP fix, since both
patches address your Dirty Frag vulnerability.
Reviewed-by: Jiayuan Chen <jiayuan.chen at linux.dev>
More information about the linux-afs
mailing list