Skip to content

[ciqlts9_2] Multiple patches tested (4 commits)#1205

Merged
PlaidCat merged 4 commits into
ciqlts9_2from
{shreeya_rxrpc_esp}_ciqlts9_2
May 8, 2026
Merged

[ciqlts9_2] Multiple patches tested (4 commits)#1205
PlaidCat merged 4 commits into
ciqlts9_2from
{shreeya_rxrpc_esp}_ciqlts9_2

Conversation

@ciq-kernel-automation

@ciq-kernel-automation ciq-kernel-automation Bot commented May 8, 2026

Copy link
Copy Markdown

Local test

[rnicolescu@localhost kernel-src-tree]$ ls /etc/modprobe.d/
kvm.conf  lockd.conf  vhost.conf
[rnicolescu@localhost kernel-src-tree]$ uname -r
5.14.0-shreeya_rxrpc_esp_ciqlts9_2-02d804f2ef09+
[rnicolescu@localhost kernel-src-tree]$ git log -1 --format=%h
02d804f2ef09
[rnicolescu@localhost kernel-src-tree]$ ./dirtyfrag/exp --force-rxrpc
[ 1369.923746] NET: Registered PF_RXRPC protocol family
[ 1369.924070] Key type rxrpc registered
[ 1369.924308] Key type rxrpc_s registered
[ 1371.724877] [exp   ]     verify = -71
[ 1372.251108] [exp   ]     verify = -71
[ 1372.756541] [exp   ]     verify = -71
[ 1373.646053] [exp   ]     verify = -71
[ 1374.172461] [exp   ]     verify = -71
[ 1374.697925] [exp   ]     verify = -71
[ 1380.252354] [exp   ]     verify = -71
[ 1380.778177] [exp   ]     verify = -71
[ 1381.304406] [exp   ]     verify = -71
[ 1382.936872] [exp   ]     verify = -71
[ 1383.462810] [exp   ]     verify = -71
dirtyfrag: failed (rc=4)
[rnicolescu@localhost kernel-src-tree]$ id
uid=1000(rnicolescu) gid=1000(rnicolescu) groups=1000(rnicolescu) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

xfrm: esp: avoid in-place decrypt on shared skb frags

cve CVE-2026-43284
commit-author Kuan-Ting Chen <h3xrabbit@gmail.com>
commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4
upstream-diff |
	While this kernel lacks MSG_SPLICE_PAGES, it still has udp_sendpage().
	Upstream didn't patch udp_sendpage() because sendpage was removed
	entirely in favor of MSG_SPLICE_PAGES. In this kernel, splice() can
	still attach a page cache page to an IPv4 datagram via sendpage.
	Therefore, udp_sendpage() must be patched instead. And there is no
	patch for IPv6 datagrams because it isn't affected; there's no
	sendpage callback for IPv6 UDP.
rxrpc: Fix potential UAF after skb_unshare() failure

cve-pre CVE-2026-43500
commit-author David Howells <dhowells@redhat.com>
commit 1f2740150f904bfa60e4bad74d65add3ccb5e7f8
upstream-diff |
	Upstream's rxrpc_input_call_event() pulls skbs from a per-call queue
	in a loop, so the unshare block sits inside that loop alongside
	rxrpc_free_skb() and saw_ack bookkeeping. This kernel's version
	receives a single skb as a function parameter and doesn't free
	it (the caller in rxrpc_io_thread() does). As such, the adapted
	unshare block wraps the existing rxrpc_input_call_packet() call
	site, creates and frees a copy when needed, and drops the loop
	and queue-drain logic that doesn't exist here.
rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets

cve-pre CVE-2026-43500
commit-author David Howells <dhowells@redhat.com>
commit 55b2984c96c37f909bbfe8851f13152693951382
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

cve CVE-2026-43500
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit -
commit-source https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel
upstream-diff |
	The conn_event.c hunk is dropped entirely. Upstream wraps the
	conn->security->verify_response() call inside a new
	rxrpc_verify_response() function that copies non-linear skbs before
	in-place decryption. This kernel doesn't have that wrapper; the
	security op is called directly from rxrpc_process_event(), so there
	is no call site to patch. The call_event.c hunk applies as-is.

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 24m 40s 25m 34s
aarch64 17m 3s 17m 50s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 174 24 ciqlts9_2 ✅ No regressions
aarch64 137 31 ciqlts9_2 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1439 81 ciqlts9_2 ✅ No regressions
aarch64 1409 83 ciqlts9_2 ✅ No regressions

🤖 This PR was automatically generated by GitHub Actions
Run ID: 25550493358

@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label May 8, 2026
@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/25563044081

@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 2cb9048a0f9 (xfrm: esp: avoid in-place decrypt on shared skb frags) does not reference a CVE but
    upstream commit f4c50a4034e6 is associated with CVE-2026-43284

  • ❗ PR commit 02d804f2ef0 (rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present) references upstream commit
    544687651fe5 which does not exist in the upstream Linux kernel.

This is an automated message from the kernel commit checker workflow.

@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 2cb9048a0f9 (xfrm: esp: avoid in-place decrypt on shared skb frags) → upstream f4c50a4034e6
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1438,9 +1438,6 @@
 			goto error;
 		}
 
-		if (!(flags & MSG_NO_SHARED_FRAGS))
-			skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
-
 		if (skb->ip_summed == CHECKSUM_NONE) {
 			__wsum csum;
 			csum = csum_page(page, offset, len);

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1233,6 +1233,8 @@
 			if (err < 0)
 				goto error;
 			copy = err;
+			if (!(flags & MSG_NO_SHARED_FRAGS))
+				skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
 			wmem_alloc_delta += copy;
 		} else if (!zc) {
 			int i = skb_shinfo(skb)->nr_frags;

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1230,6 +1230,6 @@
-			goto error;
-		}
-
-		if (skb->ip_summed == CHECKSUM_NONE) {
-			__wsum csum;
-			csum = csum_page(page, offset, len);
+			if (err < 0)
+				goto error;
+			copy = err;
+			wmem_alloc_delta += copy;
+		} else if (!zc) {
+			int i = skb_shinfo(skb)->nr_frags;

================================================================================
*    ONLY IN PATCH2 - files not modified by patch1                             *
================================================================================

--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -915,7 +915,8 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
 			nfrags = 1;
 
 			goto skip_cow;
-		} else if (!skb_has_frag_list(skb)) {
+		} else if (!skb_has_frag_list(skb) &&
+			   !skb_has_shared_frag(skb)) {
 			nfrags = skb_shinfo(skb)->nr_frags;
 			nfrags++;
 
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1794,6 +1794,8 @@ alloc_new_skb:
 			if (err < 0)
 				goto error;
 			copy = err;
+			if (!(flags & MSG_NO_SHARED_FRAGS))
+				skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
 			wmem_alloc_delta += copy;
 		} else if (!zc) {
 			int i = skb_shinfo(skb)->nr_frags;
  • ⚠️ PR commit dedcadf20eb (rxrpc: Fix potential UAF after skb_unshare() failure) → upstream 1f2740150f90
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -134,7 +136,6 @@
 	EM(rxrpc_skb_new_error_report,		"NEW error-rpt") \
 	EM(rxrpc_skb_new_jumbo_subpacket,	"NEW jumbo-sub") \
 	EM(rxrpc_skb_new_unshared,		"NEW unshared ") \
-	EM(rxrpc_skb_put_call_rx,		"PUT call-rx  ") \
 	EM(rxrpc_skb_put_conn_secured,		"PUT conn-secd") \
 	EM(rxrpc_skb_put_conn_work,		"PUT conn-work") \
 	EM(rxrpc_skb_put_error_report,		"PUT error-rep") \
--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -398,28 +398,6 @@
 	if (skb && skb->mark == RXRPC_SKB_MARK_ERROR)
 		goto out;
 
-	if (skb) {
-		struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
-
-		if (sp->hdr.securityIndex != 0 &&
-		    skb_cloned(skb)) {
-			/* Unshare the packet so that it can be
-			 * modified by in-place decryption.
-			 */
-			struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
-
-			if (nskb) {
-				rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
-				rxrpc_input_call_packet(call, nskb);
-				rxrpc_free_skb(nskb, rxrpc_skb_put_call_rx);
-			} else {
-				rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
-			}
-		} else {
-			rxrpc_input_call_packet(call, skb);
-		}
-	}
-
 	/* If we see our async-event poke, check for timeout trippage. */
 	now = jiffies;
 	t = READ_ONCE(call->expect_rx_by);

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -162,8 +162,6 @@
 	E_(rxrpc_call_poke_timer_now,		"Timer-now")
 
 #define rxrpc_skb_traces \
-	EM(rxrpc_skb_eaten_by_unshare,		"ETN unshare  ") \
-	EM(rxrpc_skb_eaten_by_unshare_nomem,	"ETN unshar-nm") \
 	EM(rxrpc_skb_get_call_rx,		"GET call-rx  ") \
 	EM(rxrpc_skb_get_conn_secured,		"GET conn-secd") \
 	EM(rxrpc_skb_get_conn_work,		"GET conn-work") \
@@ -190,6 +188,7 @@
 	EM(rxrpc_skb_put_purge,			"PUT purge    ") \
 	EM(rxrpc_skb_put_purge_oob,		"PUT purge-oob") \
 	EM(rxrpc_skb_put_response,		"PUT response ") \
+	EM(rxrpc_skb_put_response_copy,		"PUT resp-cpy ") \
 	EM(rxrpc_skb_put_rotate,		"PUT rotate   ") \
 	EM(rxrpc_skb_put_unknown,		"PUT unknown  ") \
 	EM(rxrpc_skb_see_conn_work,		"SEE conn-work") \
--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -332,7 +332,24 @@
 
 			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
 
-			rxrpc_input_call_packet(call, skb);
+			if (sp->hdr.securityIndex != 0 &&
+			    skb_cloned(skb)) {
+				/* Unshare the packet so that it can be
+				 * modified by in-place decryption.
+				 */
+				struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
+
+				if (nskb) {
+					rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
+					rxrpc_input_call_packet(call, nskb);
+					rxrpc_free_skb(nskb, rxrpc_skb_put_call_rx);
+				} else {
+					/* OOM - Drop the packet. */
+					rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
+				}
+			} else {
+				rxrpc_input_call_packet(call, skb);
+			}
 			rxrpc_free_skb(skb, rxrpc_skb_put_call_rx);
 			did_receive = true;
 		}

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -124,4 +124,5 @@
 	EM(rxrpc_skb_eaten_by_unshare,		"ETN unshare  ") \
 	EM(rxrpc_skb_eaten_by_unshare_nomem,	"ETN unshar-nm") \
+	EM(rxrpc_skb_get_call_rx,		"GET call-rx  ") \
 	EM(rxrpc_skb_get_conn_secured,		"GET conn-secd") \
 	EM(rxrpc_skb_get_conn_work,		"GET conn-work") \
--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -331,4 +329,7 @@
 
-	/* If we see our async-event poke, check for timeout trippage. */
-	now = jiffies;
-	t = READ_ONCE(call->expect_rx_by);
+			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
+
+			rxrpc_input_call_packet(call, skb);
+			rxrpc_free_skb(skb, rxrpc_skb_put_call_rx);
+			did_receive = true;
+		}
  • ⚠️ PR commit 08ebb7e37c7 (rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets) → upstream 55b2984c96c3
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -401,8 +401,7 @@
 	if (skb) {
 		struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 
-		if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
-		    sp->hdr.securityIndex != 0 &&
+		if (sp->hdr.securityIndex != 0 &&
 		    skb_cloned(skb)) {
 			/* Unshare the packet so that it can be
 			 * modified by in-place decryption.

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -332,7 +332,8 @@
 
 			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
 
-			if (sp->hdr.securityIndex != 0 &&
+			if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
+			    sp->hdr.securityIndex != 0 &&
 			    skb_cloned(skb)) {
 				/* Unshare the packet so that it can be
 				 * modified by in-place decryption.

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -331,5 +329,7 @@
 
-		if (sp->hdr.securityIndex != 0 &&
-		    skb_cloned(skb)) {
-			/* Unshare the packet so that it can be
-			 * modified by in-place decryption.
+			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
+
+			if (sp->hdr.securityIndex != 0 &&
+			    skb_cloned(skb)) {
+				/* Unshare the packet so that it can be
+				 * modified by in-place decryption.
  • ❌ PR commit 02d804f2ef0 (rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present)544687651fe5
    Error: Failed to generate patch for upstream commit: Git command failed: format-patch -1 --stdout 544687651fe57721c5e4e76380ed8ef8fdfdc98b
    fatal: bad object 544687651fe57721c5e4e76380ed8ef8fdfdc98b

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/25563044081

PlaidCat and others added 4 commits May 8, 2026 17:50
cve CVE-2026-43284
commit-author Kuan-Ting Chen <h3xrabbit@gmail.com>
commit f4c50a4
upstream-diff |
	While this kernel lacks MSG_SPLICE_PAGES, it still has udp_sendpage().
	Upstream didn't patch udp_sendpage() because sendpage was removed
	entirely in favor of MSG_SPLICE_PAGES. In this kernel, splice() can
	still attach a page cache page to an IPv4 datagram via sendpage.
	Therefore, udp_sendpage() must be patched instead. And there is no
	patch for IPv6 datagrams because it isn't affected; there's no
	sendpage callback for IPv6 UDP.

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.

That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().

Fixes: cac2661 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30 ("esp6: Avoid skb_cow_data whenever possible")
Fixes: 7da0dde ("ip, udp: Support MSG_SPLICE_PAGES")
Fixes: 6d8192b ("ip6, udp6: Support MSG_SPLICE_PAGES")
	Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
	Reported-by: Kuan-Ting Chen <h3xrabbit@gmail.com>
	Tested-by: Hyunwoo Kim <imv4bel@gmail.com>
	Cc: stable@vger.kernel.org
	Signed-off-by: Kuan-Ting Chen <h3xrabbit@gmail.com>
	Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit f4c50a4)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve-pre CVE-2026-43500
commit-author David Howells <dhowells@redhat.com>
commit 1f27401
upstream-diff |
	Upstream's rxrpc_input_call_event() pulls skbs from a per-call queue
	in a loop, so the unshare block sits inside that loop alongside
	rxrpc_free_skb() and saw_ack bookkeeping. This kernel's version
	receives a single skb as a function parameter and doesn't free
	it (the caller in rxrpc_io_thread() does). As such, the adapted
	unshare block wraps the existing rxrpc_input_call_packet() call
	site, creates and frees a copy when needed, and drops the loop
	and queue-drain logic that doesn't exist here.

	Upstream already had rxrpc_skb_put_call_rx and rxrpc_skb_get_call_rx
	trace constants from a prior refactor not present in this tree.
	rxrpc_skb_put_call_rx is added here since the new skb_copy path
	needs it; rxrpc_skb_get_call_rx is omitted since nothing uses it.

	Several trace constants added by upstream (rxrpc_skb_put_purge_oob,
	rxrpc_skb_put_response, rxrpc_skb_put_response_copy) don't apply
	since the code they trace doesn't exist in this kernel.

If skb_unshare() fails to unshare a packet due to allocation failure in
rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread())
will be NULL'd out.  This will likely cause the call to
trace_rxrpc_rx_done() to oops.

Fix this by moving the unsharing down to where rxrpc_input_call_event()
calls rxrpc_input_call_packet().  There are a number of places prior to
that where we ignore DATA packets for a variety of reasons (such as the
call already being complete) for which an unshare is then avoided.

And with that, rxrpc_input_packet() doesn't need to take a pointer to the
pointer to the packet, so change that to just a pointer.

Fixes: 2d1faf7 ("rxrpc: Simplify skbuff accounting in receive path")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
	Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-4-dhowells@redhat.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 1f27401)
	Signed-off-by: Sultan Alsawaf <sultan@ciq.com>
	Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve-pre CVE-2026-43500
commit-author David Howells <dhowells@redhat.com>
commit 55b2984

Fix rxrpc_input_call_event() to only unshare DATA packets and not ACK,
ABORT, etc..

And with that, rxrpc_input_packet() doesn't need to take a pointer to the
pointer to the packet, so change that to just a pointer.

Fixes: 1f27401 ("rxrpc: Fix potential UAF after skb_unshare() failure")
Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com
	Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260423200909.3049438-2-dhowells@redhat.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 55b2984)
	Signed-off-by: Sultan Alsawaf <sultan@ciq.com>
cve CVE-2026-43500
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit -
commit-source https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel
upstream-diff |
	The conn_event.c hunk is dropped entirely. Upstream wraps the
	conn->security->verify_response() call inside a new
	rxrpc_verify_response() function that copies non-linear skbs before
	in-place decryption. This kernel doesn't have that wrapper; the
	security op is called directly from rxrpc_process_event(), so there
	is no call site to patch. The call_event.c hunk applies as-is.

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true.  An skb
that is not cloned but still carries paged fragments (skb->data_len != 0)
falls through to the in-place decryption path, which binds the frag
pages directly into the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate so that any skb with non-linear data is also copied,
ensuring the security handler always operates on a fully linear skb.
The OOM/trace handling already in place is reused.

Fixes: d0d5c0c ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
	Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
(cherry picked from commit 544687651fe57721c5e4e76380ed8ef8fdfdc98b)
	Signed-off-by: Sultan Alsawaf <sultan@ciq.com>
@roxanan1996 roxanan1996 force-pushed the {shreeya_rxrpc_esp}_ciqlts9_2 branch from 02d804f to a6153c8 Compare May 8, 2026 15:55
@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/25565845522

@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 6a8e01ce8e2 (xfrm: esp: avoid in-place decrypt on shared skb frags) → upstream f4c50a4034e6
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1438,9 +1438,6 @@
 			goto error;
 		}
 
-		if (!(flags & MSG_NO_SHARED_FRAGS))
-			skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
-
 		if (skb->ip_summed == CHECKSUM_NONE) {
 			__wsum csum;
 			csum = csum_page(page, offset, len);

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1233,6 +1233,8 @@
 			if (err < 0)
 				goto error;
 			copy = err;
+			if (!(flags & MSG_NO_SHARED_FRAGS))
+				skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
 			wmem_alloc_delta += copy;
 		} else if (!zc) {
 			int i = skb_shinfo(skb)->nr_frags;

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1230,6 +1230,6 @@
-			goto error;
-		}
-
-		if (skb->ip_summed == CHECKSUM_NONE) {
-			__wsum csum;
-			csum = csum_page(page, offset, len);
+			if (err < 0)
+				goto error;
+			copy = err;
+			wmem_alloc_delta += copy;
+		} else if (!zc) {
+			int i = skb_shinfo(skb)->nr_frags;

================================================================================
*    ONLY IN PATCH2 - files not modified by patch1                             *
================================================================================

--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -915,7 +915,8 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
 			nfrags = 1;
 
 			goto skip_cow;
-		} else if (!skb_has_frag_list(skb)) {
+		} else if (!skb_has_frag_list(skb) &&
+			   !skb_has_shared_frag(skb)) {
 			nfrags = skb_shinfo(skb)->nr_frags;
 			nfrags++;
 
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1794,6 +1794,8 @@ alloc_new_skb:
 			if (err < 0)
 				goto error;
 			copy = err;
+			if (!(flags & MSG_NO_SHARED_FRAGS))
+				skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
 			wmem_alloc_delta += copy;
 		} else if (!zc) {
 			int i = skb_shinfo(skb)->nr_frags;
  • ⚠️ PR commit e514b29f61e (rxrpc: Fix potential UAF after skb_unshare() failure) → upstream 1f2740150f90
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -134,7 +136,6 @@
 	EM(rxrpc_skb_new_error_report,		"NEW error-rpt") \
 	EM(rxrpc_skb_new_jumbo_subpacket,	"NEW jumbo-sub") \
 	EM(rxrpc_skb_new_unshared,		"NEW unshared ") \
-	EM(rxrpc_skb_put_call_rx,		"PUT call-rx  ") \
 	EM(rxrpc_skb_put_conn_secured,		"PUT conn-secd") \
 	EM(rxrpc_skb_put_conn_work,		"PUT conn-work") \
 	EM(rxrpc_skb_put_error_report,		"PUT error-rep") \
--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -398,28 +398,6 @@
 	if (skb && skb->mark == RXRPC_SKB_MARK_ERROR)
 		goto out;
 
-	if (skb) {
-		struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
-
-		if (sp->hdr.securityIndex != 0 &&
-		    skb_cloned(skb)) {
-			/* Unshare the packet so that it can be
-			 * modified by in-place decryption.
-			 */
-			struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
-
-			if (nskb) {
-				rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
-				rxrpc_input_call_packet(call, nskb);
-				rxrpc_free_skb(nskb, rxrpc_skb_put_call_rx);
-			} else {
-				rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
-			}
-		} else {
-			rxrpc_input_call_packet(call, skb);
-		}
-	}
-
 	/* If we see our async-event poke, check for timeout trippage. */
 	now = jiffies;
 	t = READ_ONCE(call->expect_rx_by);

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -162,8 +162,6 @@
 	E_(rxrpc_call_poke_timer_now,		"Timer-now")
 
 #define rxrpc_skb_traces \
-	EM(rxrpc_skb_eaten_by_unshare,		"ETN unshare  ") \
-	EM(rxrpc_skb_eaten_by_unshare_nomem,	"ETN unshar-nm") \
 	EM(rxrpc_skb_get_call_rx,		"GET call-rx  ") \
 	EM(rxrpc_skb_get_conn_secured,		"GET conn-secd") \
 	EM(rxrpc_skb_get_conn_work,		"GET conn-work") \
@@ -190,6 +188,7 @@
 	EM(rxrpc_skb_put_purge,			"PUT purge    ") \
 	EM(rxrpc_skb_put_purge_oob,		"PUT purge-oob") \
 	EM(rxrpc_skb_put_response,		"PUT response ") \
+	EM(rxrpc_skb_put_response_copy,		"PUT resp-cpy ") \
 	EM(rxrpc_skb_put_rotate,		"PUT rotate   ") \
 	EM(rxrpc_skb_put_unknown,		"PUT unknown  ") \
 	EM(rxrpc_skb_see_conn_work,		"SEE conn-work") \
--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -332,7 +332,24 @@
 
 			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
 
-			rxrpc_input_call_packet(call, skb);
+			if (sp->hdr.securityIndex != 0 &&
+			    skb_cloned(skb)) {
+				/* Unshare the packet so that it can be
+				 * modified by in-place decryption.
+				 */
+				struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
+
+				if (nskb) {
+					rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
+					rxrpc_input_call_packet(call, nskb);
+					rxrpc_free_skb(nskb, rxrpc_skb_put_call_rx);
+				} else {
+					/* OOM - Drop the packet. */
+					rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
+				}
+			} else {
+				rxrpc_input_call_packet(call, skb);
+			}
 			rxrpc_free_skb(skb, rxrpc_skb_put_call_rx);
 			did_receive = true;
 		}

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -124,4 +124,5 @@
 	EM(rxrpc_skb_eaten_by_unshare,		"ETN unshare  ") \
 	EM(rxrpc_skb_eaten_by_unshare_nomem,	"ETN unshar-nm") \
+	EM(rxrpc_skb_get_call_rx,		"GET call-rx  ") \
 	EM(rxrpc_skb_get_conn_secured,		"GET conn-secd") \
 	EM(rxrpc_skb_get_conn_work,		"GET conn-work") \
--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -331,4 +329,7 @@
 
-	/* If we see our async-event poke, check for timeout trippage. */
-	now = jiffies;
-	t = READ_ONCE(call->expect_rx_by);
+			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
+
+			rxrpc_input_call_packet(call, skb);
+			rxrpc_free_skb(skb, rxrpc_skb_put_call_rx);
+			did_receive = true;
+		}
  • ⚠️ PR commit 15802eaaf0b (rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets) → upstream 55b2984c96c3
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -401,8 +401,7 @@
 	if (skb) {
 		struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 
-		if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
-		    sp->hdr.securityIndex != 0 &&
+		if (sp->hdr.securityIndex != 0 &&
 		    skb_cloned(skb)) {
 			/* Unshare the packet so that it can be
 			 * modified by in-place decryption.

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -332,7 +332,8 @@
 
 			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
 
-			if (sp->hdr.securityIndex != 0 &&
+			if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
+			    sp->hdr.securityIndex != 0 &&
 			    skb_cloned(skb)) {
 				/* Unshare the packet so that it can be
 				 * modified by in-place decryption.

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -331,5 +329,7 @@
 
-		if (sp->hdr.securityIndex != 0 &&
-		    skb_cloned(skb)) {
-			/* Unshare the packet so that it can be
-			 * modified by in-place decryption.
+			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
+
+			if (sp->hdr.securityIndex != 0 &&
+			    skb_cloned(skb)) {
+				/* Unshare the packet so that it can be
+				 * modified by in-place decryption.

This is an automated interdiff check for backported commits.

@roxanan1996 roxanan1996 requested a review from a team May 8, 2026 16:04

@PlaidCat PlaidCat left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/25565845522

@PlaidCat PlaidCat merged commit ff384b8 into ciqlts9_2 May 8, 2026
4 of 5 checks passed
@roxanan1996 roxanan1996 deleted the {shreeya_rxrpc_esp}_ciqlts9_2 branch June 8, 2026 11:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

3 participants