[PATCH net v3] rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Jeffrey E Altman
jaltman at auristor.com
Sat May 9 07:30:39 PDT 2026
On 5/8/2026 4:53 AM, Hyunwoo Kim wrote:
> The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
> handler in rxrpc_verify_response() copy the skb to a linear one before
> calling into the security ops only when skb_cloned() is true. An skb
> that is not cloned but still carries externally-owned paged fragments
> (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
> __ip_append_data, or a chained skb_has_frag_list()) falls through to
> the in-place decryption path, which binds the frag pages directly into
> the AEAD/skcipher SGL via skb_to_sgvec().
>
> Extend the gate to also unshare when skb_has_frag_list() or
> skb_has_shared_frag() is true. This catches the splice-loopback vector
> and other externally-shared frag sources while preserving the
> zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
> page_pool RX, GRO). The OOM/trace handling already in place is reused.
>
> Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
> Cc: stable at vger.kernel.org
> Signed-off-by: Hyunwoo Kim <imv4bel at gmail.com>
> ---
> Changes in v3:
> - Use skb_has_frag_list() || skb_has_shared_frag() instead of skb_is_nonlinear()
> - v2: https://lore.kernel.org/all/af2F1FU5d4Q_Gn1W@v4bel/
> Changes in v2:
> - Use skb_is_nonlinear() instead of skb->data_len
> - v1: https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/
> ---
> net/rxrpc/call_event.c | 4 +++-
> net/rxrpc/conn_event.c | 3 ++-
> 2 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
> index fdd683261226..2b19b252225e 100644
> --- a/net/rxrpc/call_event.c
> +++ b/net/rxrpc/call_event.c
> @@ -334,7 +334,9 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
>
> if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
> sp->hdr.securityIndex != 0 &&
> - skb_cloned(skb)) {
> + (skb_cloned(skb) ||
> + skb_has_frag_list(skb) ||
> + skb_has_shared_frag(skb))) {
> /* Unshare the packet so that it can be
> * modified by in-place decryption.
> */
As pointed out by Jiayuan Chen, "frag_list is not empty for
SKB_GSO_FRAGLIST and the skb
will go through the copy path." The copy path calls skb_copy() which
returns NULL when
SKB_GSO_FRAGLIST is set:
if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST))
return NULL;
which will cause rxrpc_input_call_event() to drop the packet:
/* OOM - Drop the packet. */
rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
Is it safe to permit an skb with SKB_GSO_FRAGLIST set to go through the
non-copy path
or does there needs to be some alternative logic to process the packet.
> diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
> index a2130d25aaa9..442414d90ba1 100644
> --- a/net/rxrpc/conn_event.c
> +++ b/net/rxrpc/conn_event.c
> @@ -245,7 +245,8 @@ static int rxrpc_verify_response(struct rxrpc_connection *conn,
> {
> int ret;
>
> - if (skb_cloned(skb)) {
> + if (skb_cloned(skb) || skb_has_frag_list(skb) ||
> + skb_has_shared_frag(skb)) {
> /* Copy the packet if shared so that we can do in-place
> * decryption.
> */
The copy path in rxrpc_verify_response() also calls sk_copy().
Thank you.
Jeffrey Altman
More information about the linux-afs
mailing list