From: Greg Kroah-Hartman Date: Fri, 22 May 2026 08:00:01 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.6.141~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=20b35e06274f5545042fb5a4ce48348f66fe585d;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: net-skbuff-preserve-shared-frag-marker-during-coalescing.patch --- diff --git a/queue-6.1/net-skbuff-preserve-shared-frag-marker-during-coalescing.patch b/queue-6.1/net-skbuff-preserve-shared-frag-marker-during-coalescing.patch new file mode 100644 index 0000000000..541f6e35aa --- /dev/null +++ b/queue-6.1/net-skbuff-preserve-shared-frag-marker-during-coalescing.patch 
@@ -0,0 +1,48 @@ +From f84eca5817390257cef78013d0112481c503b4a3 Mon Sep 17 00:00:00 2001 +From: William Bowling +Date: Wed, 13 May 2026 04:16:35 +0000 +Subject: net: skbuff: preserve shared-frag marker during coalescing + +From: William Bowling + +commit f84eca5817390257cef78013d0112481c503b4a3 upstream. + +skb_try_coalesce() can attach paged frags from @from to @to. If @from +has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same +externally-owned or page-cache-backed frags, but the shared-frag marker +is currently lost. + +That breaks the invariant relied on by later in-place writers. In +particular, ESP input checks skb_has_shared_frag() before deciding +whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP +receive coalescing has moved shared frags into an unmarked skb, ESP can +see skb_has_shared_frag() as false and decrypt in place over page-cache +backed frags. + +Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged +frags. The tailroom copy path does not need the marker because it copies +bytes into @to's linear data rather than transferring frag descriptors. + +Fixes: cef401de7be8 ("net: fix possible wrong checksum generation") +Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags") +Signed-off-by: William Bowling +Reviewed-by: Eric Dumazet +Tested-by: Jiayuan Chen +Link: https://patch.msgid.link/20260513041635.1289541-1-vakzz@zellic.io +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -5512,6 +5512,8 @@ bool skb_try_coalesce(struct sk_buff *to + from_shinfo->frags, + from_shinfo->nr_frags * sizeof(skb_frag_t)); + to_shinfo->nr_frags += from_shinfo->nr_frags; ++ if (from_shinfo->nr_frags) ++ to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG; + + if (!skb_cloned(from)) + from_shinfo->nr_frags = 0; 
diff --git a/queue-6.1/series b/queue-6.1/series index 901eda07cf..999069e9f6 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -832,3 +832,4 @@ drm-gma500-oaktrail_lvds-fix-hang-on-init-failure.patch drm-gma500-oaktrail_lvds-fix-i2c-adapter-leaks-on-init.patch io-wq-check-that-the-predecessor-is-hashed-in-io_wq_remove_pending.patch net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch +net-skbuff-preserve-shared-frag-marker-during-coalescing.patch
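Review bot: the two added lines in the net/core/skbuff.c hunk of skb_try_coalesce() carry no comment, and both their purpose and their placement are easy to break later. The test `if (from_shinfo->nr_frags)` only works because it sits above `if (!skb_cloned(from)) from_shinfo->nr_frags = 0;`. If the lines are moved below that reset, the marker is silently dropped again for the uncloned case. A one-line comment above the new `if` would help. It should say that SKBFL_SHARED_FRAG has to follow the frag descriptors copied into @to, because in-place writers such as ESP input rely on skb_has_shared_frag(), and that the check must precede the nr_frags reset. The mask keeps only SKBFL_SHARED_FRAG from `from_shinfo->flags`; the same comment could note that this is deliberate. For the 6.1 queue, it is also worth confirming that the context lines around the memcpy() of `from_shinfo->frags` match the 6.1 tree at the stated offset, since the changelog describes the tailroom copy path as intentionally left unmarked and the hunk must land in the frag-transfer path only.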