Re: [PATCH] af_unix: mark MSG_SPLICE_PAGES frags shared
From: Kuniyuki Iwashima <kuniyu@google.com>
Date: 2026-07-02 02:18:25
Also in: lkml
On Wed, Jul 1, 2026 at 7:05 PM 钱一铭 [off-list ref] wrote:
> Thanks, I agree plain AF_UNIX does not by itself provide the writer side. The concern was that MSG_SPLICE_PAGES imports externally owned pages into skb frags, while unlike TCP/UDP/KCM this path does not mark them with SKBFL_SHARED_FRAG. I checked the AF_UNIX sockmap path as well, but I do not currently have a concrete in-tree chain where those frags reach a writer that skips COW based on skb_has_shared_frag(). So this should be treated as a defensive consistency cleanup rather than a security fix.

Hmm, if it's not exploitable, let's not add that. It's rather confusing to future readers.

> I will drop the Fixes tag and the duplicate Reported-by tags in v2.
>
> Kuniyuki Iwashima [off-list ref] wrote on Tue, Jun 30, 2026 at 23:51:
> > On Tue, Jun 30, 2026 at 12:06 AM Yiming Qian [off-list ref] wrote:
> > > unix_stream_sendmsg() splices external pages directly into skb frags when MSG_SPLICE_PAGES is set, but it does not propagate SKBFL_SHARED_FRAG afterward.
> >
> > I think it doesn't matter with the plain AF_UNIX. Please elaborate on the scenario where this could be a problem. e.g. sockmap ?
> >
> > > That leaves later writers without the shared-frag marker even though the skb still references externally owned pages. Set the marker after a successful skb_splice_from_iter() call.
> > >
> > > Fixes: a0dbf5f818f90 ("af_unix: Support MSG_SPLICE_PAGES")
> > > Reported-by: Yiming Qian <redacted>
> > > Reported-by: Can Liu <redacted>
> >
> > Reported-by is not needed when it's identical to SOB tag.
> >
> > > Signed-off-by: Yiming Qian <redacted>
> > > Signed-off-by: Can Liu <redacted>
> > > ---
> > >  net/unix/af_unix.c | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index f7a9d55eee8a1..f2cd0f8ec0914 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c@@ -2458,6 +2458,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg, goto out_free; size = err; + skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG; refcount_add(size, &sk->sk_wmem_alloc); } else { skb_put(skb, size - data_len); --2.34.1
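Review bot: the commit message justifies the new `skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;` line by saying it "leaves later writers without the shared-frag marker", but it names no such writer, and the thread itself confirms there is no in-tree path where these frags reach code that skips COW based on skb_has_shared_frag(). The placement is fine (after `size = err;`, so only on the success path of skb_splice_from_iter(), since the failure case already took `goto out_free`), so the change itself is just a consistency cleanup and the message should say so: state the actual rationale, that the TCP/UDP/KCM MSG_SPLICE_PAGES paths mark externally owned pages this way and af_unix does not, drop the Fixes tag, and drop the two Reported-by lines that duplicate the Signed-off-by lines, as already agreed for v2.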