[Deepin-Kernel-SIG] [linux 6.18.y] [FROMLIST] sync upstream xfrm and mailist rxrpc fixes#1671
Merged
opsiff merged 2 commits intodeepin-community:linux-6.18.yfrom May 8, 2026
Conversation
Reviewer's guide (collapsed on small PRs)Reviewer's GuideSyncs upstream xfrm ESP and rxrpc fixes by properly marking shared SKB frags during IPv4/IPv6 output and avoiding unsafe in‑place decryption or COW handling when SKBs are shared or non‑linear, tightening conditions around fragment handling and decryption copying. Sequence diagram for IPv4/IPv6 output marking shared SKB fragmentssequenceDiagram
actor App
participant Sock as sock
participant IPOut as __ip_append_data
participant SKB as sk_buff
participant ShInfo as skb_shared_info
App->>Sock: sendmsg(data, flags)
Sock->>IPOut: __ip_append_data(sk, getfrag, from, length, flags)
IPOut->>SKB: get_or_alloc_skb()
IPOut->>SKB: append_payload_zero_copy()
SKB->>IPOut: return_bytes_copied(copy)
alt flags has MSG_NO_SHARED_FRAGS
IPOut->>ShInfo: do_not_set_flag_SKBFL_SHARED_FRAG
else flags does_not_have MSG_NO_SHARED_FRAGS
IPOut->>ShInfo: set_flag(SKBF L_SHARED_FRAG)
end
IPOut-->>Sock: return_success
Sock-->>App: send_complete
Sequence diagram for rxrpc decryption copying on cloned or non-linear SKBssequenceDiagram
participant Net as net_rxrpc
participant Call as rxrpc_call
participant Conn as rxrpc_connection
participant RXEv as rxrpc_input_call_event
participant CNNEv as rxrpc_verify_response
participant SKB as sk_buff
Net->>RXEv: rxrpc_input_call_event(call)
RXEv->>SKB: inspect(hdr.type, hdr.securityIndex, cloned, data_len)
alt DATA packet with security and (skb_cloned or data_len>0)
RXEv->>SKB: unshare_or_copy_for_decryption()
else other_cases
RXEv->>SKB: use_in_place()
end
Net->>CNNEv: rxrpc_verify_response(conn, skb)
CNNEv->>SKB: inspect(cloned, data_len)
alt skb_cloned or data_len>0
CNNEv->>SKB: copy_for_in_place_decryption()
else linear_and_unshared
CNNEv->>SKB: decrypt_in_place()
end
Class diagram for SKB structures and ESP/rxrpc functions handling shared fragmentsclassDiagram
class sk_buff {
+unsigned_int len
+unsigned_int data_len
+bool cloned
+void *head
+void *data
+skb_shared_info *shinfo
}
class skb_shared_info {
+unsigned_int nr_frags
+unsigned_int flags
+const_unsigned_int SKBFL_SHARED_FRAG
}
class xfrm_state {
+int id
}
class rxrpc_call {
+int id
}
class rxrpc_connection {
+int id
}
class esp4_c {
+int esp_input(xfrm_state *x, sk_buff *skb)
}
class esp6_c {
+int esp6_input(xfrm_state *x, sk_buff *skb)
}
class ip_output_c {
+int __ip_append_data(sock *sk, getfrag_t getfrag, void *from, int length, unsigned_int flags)
}
class ip6_output_c {
+int __ip6_append_data(sock *sk, getfrag_t getfrag, void *from, int length, unsigned_int flags)
}
class rxrpc_call_event_c {
+bool rxrpc_input_call_event(rxrpc_call *call)
}
class rxrpc_conn_event_c {
+int rxrpc_verify_response(rxrpc_connection *conn, sk_buff *skb)
}
class helpers {
+bool skb_has_frag_list(sk_buff *skb)
+bool skb_has_shared_frag(sk_buff *skb)
+skb_shared_info* skb_shinfo(sk_buff *skb)
+bool skb_cloned(sk_buff *skb)
}
sk_buff --> skb_shared_info : has
esp4_c ..> sk_buff : uses
esp4_c ..> helpers : calls
esp6_c ..> sk_buff : uses
esp6_c ..> helpers : calls
ip_output_c ..> sk_buff : alloc_append
ip_output_c ..> skb_shared_info : sets_flags
ip_output_c ..> helpers : calls_skb_shinfo
ip6_output_c ..> sk_buff : alloc_append
ip6_output_c ..> skb_shared_info : sets_flags
ip6_output_c ..> helpers : calls_skb_shinfo
rxrpc_call_event_c ..> sk_buff : inspects_and_copies
rxrpc_call_event_c ..> helpers : calls_skb_cloned
rxrpc_conn_event_c ..> sk_buff : inspects_and_copies
rxrpc_conn_event_c ..> helpers : calls_skb_cloned
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- In the rxrpc paths you’re using
skb->data_lento detect non-linear skbs; consider switching toskb_is_nonlinear(skb)for clarity and consistency with common kernel patterns. - The new use of
SKBFL_SHARED_FRAGin the IPv4/IPv6 output paths is keyed off!(flags & MSG_NO_SHARED_FRAGS); it may be worth double-checking and documenting at the call sites that this flag is always set/cleared intentionally, since downstream behavior now depends on it.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In the rxrpc paths you’re using `skb->data_len` to detect non-linear skbs; consider switching to `skb_is_nonlinear(skb)` for clarity and consistency with common kernel patterns.
- The new use of `SKBFL_SHARED_FRAG` in the IPv4/IPv6 output paths is keyed off `!(flags & MSG_NO_SHARED_FRAGS)`; it may be worth double-checking and documenting at the call sites that this flag is always set/cleared intentionally, since downstream behavior now depends on it.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
Member
Member
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Avenger-285714 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Pull request overview
This PR backports upstream networking hardening changes to ensure IPsec ESP and RxRPC decryption paths handle shared/non-linear sk_buff fragment layouts safely, avoiding in-place modifications on data that may be shared or externally mutable.
Changes:
- RxRPC: copy/linearize packets prior to in-place decryption when the skb is cloned or non-linear.
- IPv4/IPv6 output: when splicing pages into an skb (zero-copy), mark the skb as carrying potentially shared fragments unless
MSG_NO_SHARED_FRAGSis set. - IPv4/IPv6 ESP input: avoid skipping COW when the skb carries shared fragments, preventing unsafe assumptions about fragment writability/layout.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| net/rxrpc/conn_event.c | Copy/linearize RESPONSE packets when cloned or non-linear before security verification/decryption. |
| net/rxrpc/call_event.c | Copy/linearize DATA packets when cloned or non-linear before in-place decryption. |
| net/ipv6/ip6_output.c | Mark SKBFL_SHARED_FRAG on splice-page output unless MSG_NO_SHARED_FRAGS is set. |
| net/ipv6/esp6.c | Don’t skip COW for non-linear skbs if shared-frag semantics are present. |
| net/ipv4/ip_output.c | Mark SKBFL_SHARED_FRAG on splice-page output unless MSG_NO_SHARED_FRAGS is set. |
| net/ipv4/esp4.c | Don’t skip COW for non-linear skbs if shared-frag semantics are present. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
249
to
250
| /* Copy the packet if shared so that we can do in-place | ||
| * decryption. |
Comment on lines
338
to
339
| /* Unshare the packet so that it can be | ||
| * modified by in-place decryption. |
Member
mainline inclusion from mainline-v7.1-rc3 category: bugfix MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data(). Fixes: cac2661 ("esp4: Avoid skb_cow_data whenever possible") Fixes: 03e2a30 ("esp6: Avoid skb_cow_data whenever possible") Fixes: 7da0dde ("ip, udp: Support MSG_SPLICE_PAGES") Fixes: 6d8192b ("ip6, udp6: Support MSG_SPLICE_PAGES") Reported-by: Hyunwoo Kim <imv4bel@gmail.com> Reported-by: Kuan-Ting Chen <h3xrabbit@gmail.com> Tested-by: Hyunwoo Kim <imv4bel@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Kuan-Ting Chen <h3xrabbit@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> (cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…are present maillist inclusion category: bugfix The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries paged fragments (skb->data_len != 0) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate so that any skb with non-linear data is also copied, ensuring the security handler always operates on a fully linear skb. The OOM/trace handling already in place is reused. Fixes: d0d5c0c ("rxrpc: Use skb_unshare() rather than skb_cow_data()") Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> Link: https://dirtyfrag.io/ Link: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 Link: https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/ Link: https://github.com/V4bel/dirtyfrag/blob/master/exp.c Link: https://seclists.org/oss-sec/2026/q2/434 Link: V4bel/dirtyfrag#14 Link: https://afflicted.sh/blog/posts/copy-fail-2.html Link: https://almalinux.org/blog/2026-05-07-dirty-frag/ Link: https://www.phoronix.com/news/Dirty-Frag-Linux Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
opsiff
force-pushed
the
linux-6.18.y-2026-05-08-fix
branch
from
f3a684f to
e6df349
Compare
Member
Author
|
Merged with Link and commit msg update. |
Member
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Link: https://github.com/V4bel/dirtyfrag
Summary by Sourcery
Harden IPv4/IPv6 IPsec ESP and rxrpc handling of shared/non-linear skbuff fragments to safely support shared frags during transmission and decryption.
Bug Fixes: