FROMLIST: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

maillist inclusion
category: bugfix

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true.  An skb
that is not cloned but still carries paged fragments (skb->data_len != 0)
falls through to the in-place decryption path, which binds the frag
pages directly into the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate so that any skb with non-linear data is also copied,
ensuring the security handler always operates on a fully linear skb.
The OOM/trace handling already in place is reused.

Fixes: d0d5c0c ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Link: https://dirtyfrag.io/
Link: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4
Link: https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/
Link: https://github.com/V4bel/dirtyfrag/blob/master/exp.c
Link: https://seclists.org/oss-sec/2026/q2/434
Link: V4bel/dirtyfrag#14
Link: https://afflicted.sh/blog/posts/copy-fail-2.html
Link: https://almalinux.org/blog/2026-05-07-dirty-frag/
Link: https://www.phoronix.com/news/Dirty-Frag-Linux
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

Author: V4bel

net/rxrpc/call_event.c

@@ -334,7 +334,7 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
 
 			if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
 			    sp->hdr.securityIndex != 0 &&
-			    skb_cloned(skb)) {
+			    (skb_cloned(skb) || skb->data_len)) {
 				/* Unshare the packet so that it can be
 				 * modified by in-place decryption.
 				 */

net/rxrpc/conn_event.c

@@ -245,7 +245,7 @@ static int rxrpc_verify_response(struct rxrpc_connection *conn,
 {
 	int ret;
 
-	if (skb_cloned(skb)) {
+	if (skb_cloned(skb) || skb->data_len) {
 		/* Copy the packet if shared so that we can do in-place
 		 * decryption.
 		 */