Merge pull request 'Apply Dirty Frag fixes' (#37) from metalefty/raspberrypi:a9 into a9

Reviewed-on: rpms/raspberrypi2#37
2026-05-08 13:05:37 +00:00 · 2026-05-08 13:05:37 +00:00 · 7e436cbe54
commit 7e436cbe54
parent 15cf77c3f3 68486b4b3a
3 changed files with 155 additions and 1 deletions
--- a/SOURCES/1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
+++ b/SOURCES/1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
@ -0,0 +1,77 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10] xfrm: esp: avoid in-place decrypt on shared skb frags
+
+Direct cherry-pick of upstream commit f4c50a4034e6 for AlmaLinux 10
+(6.12 kernel).
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-6.12.0-124.55.1.el10_1.
+
+ESP-in-UDP packets built from MSG_SPLICE_PAGES (pipe pages) look like
+ordinary uncloned nonlinear skbs to ESP input, which takes the no-COW
+fast path and decrypts in place over data that is not owned privately
+by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG
+matching TCP, and make ESP input fall back to skb_cow_data() when the
+flag is present.
+
+Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
+Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
+Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES")
+Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES")
+(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4)
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ net/ipv4/esp4.c       | 3 ++-
+ net/ipv4/ip_output.c  | 2 ++
+ net/ipv6/esp6.c       | 3 ++-
+ net/ipv6/ip6_output.c | 2 ++
+ 4 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
+@@ -908,7 +908,8 @@
+ 			nfrags = 1;
+ 
+ 			goto skip_cow;
+-		} else if (!skb_has_frag_list(skb)) {
+		} else if (!skb_has_frag_list(skb) &&
+			   !skb_has_shared_frag(skb)) {
+ 			nfrags = skb_shinfo(skb)->nr_frags;
+ 			nfrags++;
+ 
+--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
+@@ -1236,6 +1236,8 @@
+ 			if (err < 0)
+ 				goto error;
+ 			copy = err;
+			if (!(flags & MSG_NO_SHARED_FRAGS))
+				skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
+ 			wmem_alloc_delta += copy;
+ 		} else if (!zc) {
+ 			int i = skb_shinfo(skb)->nr_frags;
+--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
+@@ -950,7 +950,8 @@
+ 			nfrags = 1;
+ 
+ 			goto skip_cow;
+-		} else if (!skb_has_frag_list(skb)) {
+		} else if (!skb_has_frag_list(skb) &&
+			   !skb_has_shared_frag(skb)) {
+ 			nfrags = skb_shinfo(skb)->nr_frags;
+ 			nfrags++;
+ 
+--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
+@@ -1769,6 +1769,8 @@
+ 			if (err < 0)
+ 				goto error;
+ 			copy = err;
+			if (!(flags & MSG_NO_SHARED_FRAGS))
+				skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
+ 			wmem_alloc_delta += copy;
+ 		} else if (!zc) {
+ 			int i = skb_shinfo(skb)->nr_frags;
+--
+2.43.0
--- a/SOURCES/1102-rxrpc-linearize-paged-frags.patch
+++ b/SOURCES/1102-rxrpc-linearize-paged-frags.patch
@ -0,0 +1,68 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10] rxrpc: linearize incoming DATA packet when it has paged frags
+
+AlmaLinux-specific backport of the intent of the upstream rxrpc fix
+posted at https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/
+(sibling to upstream commit f4c50a4034e6 in the ESP/xfrm subsystem).
+
+The upstream patch can not be cherry-picked against this 6.12 tree:
+its target lines were introduced by upstream commit d0d5c0cd1e71
+("rxrpc: Use skb_unshare() rather than skb_cow_data()") which is not
+present here. The age-equivalent code path on AlmaLinux 10 is the
+centralized skb_unshare() in net/rxrpc/io_thread.c that is run for
+every DATA packet with a non-zero securityIndex before in-place
+decryption.
+
+skb_unshare() only handles cloned skbs. An skb that is non-cloned but
+carries paged fragments (skb->data_len != 0) — e.g. pages attached via
+udp_sendpage() / splice() / MSG_SPLICE_PAGES on a UDP socket carrying
+rxrpc traffic — slips through and is decrypted in place over data the
+skb does not own privately. With kernel-modules-partner installed
+(rxrpc.ko enabled), this is exploitable.
+
+Replace the unconditional skb_unshare() with skb_copy() whenever the
+skb is cloned OR carries paged fragments. skb_copy() always returns a
+freshly allocated linear skb, so subsequent in-place decryption only
+touches kernel-owned memory. The original skb is consumed explicitly
+(skb_unshare did this internally via consume_skb()).
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no
+rejects) against kernel-6.12.0-124.55.1.el10_1.
+
+Fixes: cac2661c53f3 ("rxrpc: Use skb_cow_data() in rxrpc_recvmsg_data()")
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ net/rxrpc/io_thread.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/net/rxrpc/io_thread.c
+++ b/net/rxrpc/io_thread.c
+@@ -235,16 +235,18 @@
+ 		 * decryption.
+ 		 */
+ 		if (sp->hdr.securityIndex != 0) {
+-			skb = skb_unshare(skb, GFP_ATOMIC);
+-			if (!skb) {
+-				rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
+-				*_skb = NULL;
+-				return just_discard;
+-			}
+			if (skb_cloned(skb) || skb->data_len) {
+				struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
+
+				if (!nskb) {
+					rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
+					return just_discard;
+				}
+ 
+-			if (skb != *_skb) {
+ 				rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare);
+-				*_skb = skb;
+				consume_skb(*_skb);
+				*_skb = nskb;
+				skb = nskb;
+ 				rxrpc_new_skb(skb, rxrpc_skb_new_unshared);
+ 				sp = rxrpc_skb(skb);
+ 			}
+--
+2.43.0
--- a/SPECS/raspberrypi2.spec
+++ b/SPECS/raspberrypi2.spec
@ -11,7 +11,7 @@ ExclusiveArch: aarch64

 %define local_version v8
 %define bcmmodel 2711
-%define extra_version 4
+%define extra_version 5

 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now.
 # Be careful to change this not to disturb the seamless package update.
@ -54,6 +54,9 @@ Source2002:    kvm_stat.logrotate
 # AlmaLinux patches
 ## CVE-2026-31431
 Patch1100:     1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch
+## Dirty Frag
+Patch1101:     1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
+Patch1102:     1102-rxrpc-linearize-paged-frags.patch

 BuildRequires: kmod, patch, bash, coreutils, tar
 BuildRequires: bzip2, xz, findutils, gzip, m4, perl, perl-Carp, make, diffutils, gawk
@ -234,6 +237,8 @@ glibc package.
 %patch -P 100 -p1
 %patch -P 101 -p1
 %patch -P 1100 -p1
+%patch -P 1101 -p1
+%patch -P 1102 -p1
 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile
 perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig
 perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig
@ -538,6 +543,10 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc
 %endif

 %changelog
+* Fri May 08 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.5
+- rxrpc: linearize incoming DATA packet when it has paged frags
+- xfrm: esp: avoid in-place decrypt on shared skb frags
+
 * Thu Apr 30 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.4
 - Update CVE-2026-31431 patch to include more upstream commits