From da37a1d1d2d7a1a94b892f88a18d556a85758a09 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury
Date: Mon, 11 May 2026 18:26:04 +0530
Subject: [PATCH] coreos-sources: Add the patch for dirty frag

Signed-off-by: Sayan Chowdhury
---
 .../coreos-sources-6.6.127.ebuild | 1 +
 ...in-place-decrypt-on-shared-skb-frags.patch | 105 ++++++++++++++++++
 2 files changed, 106 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0004-xfrm-esp-avoid-in-place-decrypt-on-shared-skb-frags.patch

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.127.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.127.ebuild
index fceb4414e3..1ebfe9d732 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.127.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.127.ebuild
@@ -38,4 +38,5 @@ UNIPATCH_LIST="
 ${PATCH_DIR}/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch \
 ${PATCH_DIR}/z0002-revert-pahole-flags.patch \
 ${PATCH_DIR}/z0003-Revert-x86-boot-Remove-the-bugger-off-message.patch \
+ ${PATCH_DIR}/z0004-xfrm-esp-avoid-in-place-decrypt-on-shared-skb-frags.patch \
 "
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0004-xfrm-esp-avoid-in-place-decrypt-on-shared-skb-frags.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0004-xfrm-esp-avoid-in-place-decrypt-on-shared-skb-frags.patch
new file mode 100644
index 0000000000..d251e532f3
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0004-xfrm-esp-avoid-in-place-decrypt-on-shared-skb-frags.patch
@@ -0,0 +1,105 @@
+From 50ed1e7873100f77abad20fd31c51029bc49cd03 Mon Sep 17 00:00:00 2001
+From: Kuan-Ting Chen
+Date: Mon, 4 May 2026 23:27:12 +0800
+Subject: xfrm: esp: avoid in-place decrypt on shared skb frags
+
+commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 upstream.
+
+MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
+marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
+so later paths that may modify packet data can first make a private
+copy. The IPv4/IPv6 datagram append paths did not set this flag when
+splicing pages into UDP skbs.
+
+That leaves an ESP-in-UDP packet made from shared pipe pages looking
+like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
+fast path for uncloned skbs without a frag_list and decrypts in place
+over data that is not owned privately by the skb.
+
+Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
+TCP. Also make ESP input fall back to skb_cow_data() when the flag is
+present, so ESP does not decrypt externally backed frags in place.
+Private nonlinear skb frags still use the existing fast path.
+
+This intentionally does not change ESP output. In esp_output_head(),
+the path that appends the ESP trailer to existing skb tailroom without
+calling skb_cow_data() is not reachable for nonlinear skbs:
+skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
+tailen is positive. Thus ESP output will either use the separate
+destination-frag path or fall back to skb_cow_data().
+
+Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
+Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
+Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES")
+Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES")
+Reported-by: Hyunwoo Kim
+Reported-by: Kuan-Ting Chen
+Tested-by: Hyunwoo Kim
+Cc: stable@vger.kernel.org
+Signed-off-by: Kuan-Ting Chen
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/esp4.c | 3 ++-
+ net/ipv4/ip_output.c | 2 ++
+ net/ipv6/esp6.c | 3 ++-
+ net/ipv6/ip6_output.c | 2 ++
+ 4 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
+index 4256c7ee59397..d307e487b3a4d 100644
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -873,7 +873,8 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
+ nfrags = 1;
+
+ goto skip_cow;
+- } else if (!skb_has_frag_list(skb)) {
++ } else if (!skb_has_frag_list(skb) &&
++ !skb_has_shared_frag(skb)) {
+ nfrags = skb_shinfo(skb)->nr_frags;
+ nfrags++;
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index ff8040101193a..305d0e2786a2a 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1230,6 +1230,8 @@ alloc_new_skb:
+ if (err < 0)
+ goto error;
+ copy = err;
++ if (!(flags & MSG_NO_SHARED_FRAGS))
++ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
+ wmem_alloc_delta += copy;
+ } else if (!zc) {
+ int i = skb_shinfo(skb)->nr_frags;
+diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
+index f3305154745ec..3a5fd0da87026 100644
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -921,7 +921,8 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
+ nfrags = 1;
+
+ goto skip_cow;
+- } else if (!skb_has_frag_list(skb)) {
++ } else if (!skb_has_frag_list(skb) &&
++ !skb_has_shared_frag(skb)) {
+ nfrags = skb_shinfo(skb)->nr_frags;
+ nfrags++;
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 74145d05ddd22..a824c707dffff 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1829,6 +1829,8 @@ alloc_new_skb:
+ if (err < 0)
+ goto error;
+ copy = err;
++ if (!(flags & MSG_NO_SHARED_FRAGS))
++ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
+ wmem_alloc_delta += copy;
+ } else if (!zc) {
+ int i = skb_shinfo(skb)->nr_frags;
+--
+cgit 1.3-korg
+
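Review bot: The new `!skb_has_shared_frag(skb)` test in `esp_input()` and `esp6_input()` protects only skbs whose producer set SKBFL_SHARED_FRAG, and nothing at the check records that invariant. In this patch the flag is set in the splice branches of net/ipv4/ip_output.c and net/ipv6/ip6_output.c, and only when `MSG_NO_SHARED_FRAGS` is absent; any other path that attaches pages the skb does not own would presumably need the same marking to be covered. A short comment above the condition would make the dependency explicit, e.g. `/* shared frags may alias pages the skb does not own: never decrypt in place, fall through to skb_cow_data() */`. Because this file is a copy of the upstream stable commit, the comment may fit better upstream or in the commit message than as a local edit; both functions start and end outside the hunks.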