From 68486b4b3abfbda24ee92d20fe722608bd2dc0ac Mon Sep 17 00:00:00 2001 From: Koichiro Iwao Date: Fri, 8 May 2026 08:35:16 +0000 Subject: [PATCH] Apply Dirty Frag fixes (cherry picked from commit ea0ac154cff027ef3fa87729f5131cddf2fcb236) --- ...id-in-place-decrypt-shared-skb-frags.patch | 77 +++++++++++++++++++ .../1102-rxrpc-linearize-paged-frags.patch | 68 ++++++++++++++++ SPECS/raspberrypi2.spec | 11 ++- 3 files changed, 155 insertions(+), 1 deletion(-) create mode 100644 SOURCES/1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch create mode 100644 SOURCES/1102-rxrpc-linearize-paged-frags.patch diff --git a/SOURCES/1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch b/SOURCES/1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch new file mode 100644 index 0000000..0fe6a56 --- /dev/null +++ b/SOURCES/1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch @@ -0,0 +1,77 @@ +From: Andrew Lukoshko +Subject: [PATCH AlmaLinux 10] xfrm: esp: avoid in-place decrypt on shared skb frags + +Direct cherry-pick of upstream commit f4c50a4034e6 for AlmaLinux 10 +(6.12 kernel). + +Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects) +against kernel-6.12.0-124.55.1.el10_1. + +ESP-in-UDP packets built from MSG_SPLICE_PAGES (pipe pages) look like +ordinary uncloned nonlinear skbs to ESP input, which takes the no-COW +fast path and decrypts in place over data that is not owned privately +by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG +matching TCP, and make ESP input fall back to skb_cow_data() when the +flag is present. + +Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") +Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") +Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES") +Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES") +(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4) +Signed-off-by: Andrew Lukoshko +--- + net/ipv4/esp4.c | 3 ++- + net/ipv4/ip_output.c | 2 ++ + net/ipv6/esp6.c | 3 ++- + net/ipv6/ip6_output.c | 2 ++ + 4 files changed, 8 insertions(+), 2 deletions(-) + +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -908,7 +908,8 @@ + nfrags = 1; + + goto skip_cow; +- } else if (!skb_has_frag_list(skb)) { ++ } else if (!skb_has_frag_list(skb) && ++ !skb_has_shared_frag(skb)) { + nfrags = skb_shinfo(skb)->nr_frags; + nfrags++; + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1236,6 +1236,8 @@ + if (err < 0) + goto error; + copy = err; ++ if (!(flags & MSG_NO_SHARED_FRAGS)) ++ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG; + wmem_alloc_delta += copy; + } else if (!zc) { + int i = skb_shinfo(skb)->nr_frags; +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -950,7 +950,8 @@ + nfrags = 1; + + goto skip_cow; +- } else if (!skb_has_frag_list(skb)) { ++ } else if (!skb_has_frag_list(skb) && ++ !skb_has_shared_frag(skb)) { + nfrags = skb_shinfo(skb)->nr_frags; + nfrags++; + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1769,6 +1769,8 @@ + if (err < 0) + goto error; + copy = err; ++ if (!(flags & MSG_NO_SHARED_FRAGS)) ++ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG; + wmem_alloc_delta += copy; + } else if (!zc) { + int i = skb_shinfo(skb)->nr_frags; +-- +2.43.0 diff --git a/SOURCES/1102-rxrpc-linearize-paged-frags.patch b/SOURCES/1102-rxrpc-linearize-paged-frags.patch new file mode 100644 index 0000000..c57902b --- /dev/null +++ b/SOURCES/1102-rxrpc-linearize-paged-frags.patch @@ -0,0 +1,68 @@ +From: Andrew Lukoshko +Subject: [PATCH AlmaLinux 10] rxrpc: linearize incoming DATA packet when it has paged frags + +AlmaLinux-specific backport of the intent of the upstream rxrpc fix +posted at https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/ +(sibling to upstream commit f4c50a4034e6 in the ESP/xfrm subsystem). + +The upstream patch can not be cherry-picked against this 6.12 tree: +its target lines were introduced by upstream commit d0d5c0cd1e71 +("rxrpc: Use skb_unshare() rather than skb_cow_data()") which is not +present here. The age-equivalent code path on AlmaLinux 10 is the +centralized skb_unshare() in net/rxrpc/io_thread.c that is run for +every DATA packet with a non-zero securityIndex before in-place +decryption. + +skb_unshare() only handles cloned skbs. An skb that is non-cloned but +carries paged fragments (skb->data_len != 0) — e.g. pages attached via +udp_sendpage() / splice() / MSG_SPLICE_PAGES on a UDP socket carrying +rxrpc traffic — slips through and is decrypted in place over data the +skb does not own privately. With kernel-modules-partner installed +(rxrpc.ko enabled), this is exploitable. + +Replace the unconditional skb_unshare() with skb_copy() whenever the +skb is cloned OR carries paged fragments. skb_copy() always returns a +freshly allocated linear skb, so subsequent in-place decryption only +touches kernel-owned memory. The original skb is consumed explicitly +(skb_unshare did this internally via consume_skb()). + +Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no +rejects) against kernel-6.12.0-124.55.1.el10_1. + +Fixes: cac2661c53f3 ("rxrpc: Use skb_cow_data() in rxrpc_recvmsg_data()") +Signed-off-by: Andrew Lukoshko +--- + net/rxrpc/io_thread.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/net/rxrpc/io_thread.c ++++ b/net/rxrpc/io_thread.c +@@ -235,16 +235,18 @@ + * decryption. + */ + if (sp->hdr.securityIndex != 0) { +- skb = skb_unshare(skb, GFP_ATOMIC); +- if (!skb) { +- rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem); +- *_skb = NULL; +- return just_discard; +- } ++ if (skb_cloned(skb) || skb->data_len) { ++ struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC); ++ ++ if (!nskb) { ++ rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem); ++ return just_discard; ++ } + +- if (skb != *_skb) { + rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare); +- *_skb = skb; ++ consume_skb(*_skb); ++ *_skb = nskb; ++ skb = nskb; + rxrpc_new_skb(skb, rxrpc_skb_new_unshared); + sp = rxrpc_skb(skb); + } +-- +2.43.0 diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec index 2acf450..0b875d0 100644 --- a/SPECS/raspberrypi2.spec +++ b/SPECS/raspberrypi2.spec @@ -11,7 +11,7 @@ ExclusiveArch: aarch64 %define local_version v8 %define bcmmodel 2711 -%define extra_version 4 +%define extra_version 5 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now. # Be careful to change this not to disturb the seamless package update. @@ -54,6 +54,9 @@ Source2002: kvm_stat.logrotate # AlmaLinux patches ## CVE-2026-31431 Patch1100: 1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch +## Dirty Frag +Patch1101: 1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch +Patch1102: 1102-rxrpc-linearize-paged-frags.patch BuildRequires: kmod, patch, bash, coreutils, tar BuildRequires: bzip2, xz, findutils, gzip, m4, perl, perl-Carp, make, diffutils, gawk @@ -234,6 +237,8 @@ glibc package. %patch -P 100 -p1 %patch -P 101 -p1 %patch -P 1100 -p1 +%patch -P 1101 -p1 +%patch -P 1102 -p1 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig @@ -538,6 +543,10 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc %endif %changelog +* Fri May 08 2026 Koichiro Iwao - 6.12.47-20250916.v8.5 +- rxrpc: linearize incoming DATA packet when it has paged frags +- xfrm: esp: avoid in-place decrypt on shared skb frags + * Thu Apr 30 2026 Koichiro Iwao - 6.12.47-20250916.v8.4 - Update CVE-2026-31431 patch to include more upstream commits