From 08f074dc92472e5cabbe906ecb3b08f238f4e5e2 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko <alukoshko@almalinux.org>
Date: Tue, 19 May 2026 17:53:35 +0000
Subject: [PATCH] Bump version to 5.14.0-687.5.3 and add Dirty Frag + ptrace
 fixes

Apply on a9-beta the same four local patches that were carried on
the a9 branch until upstream landed them via the CKI Backport Bot
in 5.14.0-611.55.1.el9_7. Blobs imported verbatim from a9 history:

  1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
    CVE-2026-43284 -- el9 backport of upstream f4c50a4034e6.
  1101-rxrpc-linearize-paged-frags.patch
    CVE-2026-43500.
  1102-net-skbuff-propagate-shared-frag-marker.patch
    CVE-2026-46300 ("Fragnesia") -- v3 sibling to the xfrm/esp fix,
    propagates SKBFL_SHARED_FRAG through __pskb_copy_fclone(),
    skb_try_coalesce(), skb_shift(), skb_gro_receive() and
    skb_gro_receive_list().
  1103-ptrace-require-cap-on-mm-less-task.patch
    CVE-2026-46333; kABI-safe replacement for upstream 31e62c2ebbfd
    which would alter task_struct.

All four verified to apply with `patch -p1 -F0` against the
5.14.0-687.5.1.el9_8 source tree (offsets only, no fuzz, no
rejects). Release bumped 687.5.1 -> 687.5.3 with a single new
changelog stanza.
---
 ...id-in-place-decrypt-shared-skb-frags.patch |  75 +++++++++++
 .../1101-rxrpc-linearize-paged-frags.patch    |  68 ++++++++++
 ...-skbuff-propagate-shared-frag-marker.patch | 122 ++++++++++++++++++
 ...3-ptrace-require-cap-on-mm-less-task.patch |  55 ++++++++
 SPECS/kernel.spec                             |  18 ++-
 5 files changed, 337 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
 create mode 100644 SOURCES/1101-rxrpc-linearize-paged-frags.patch
 create mode 100644 SOURCES/1102-net-skbuff-propagate-shared-frag-marker.patch
 create mode 100644 SOURCES/1103-ptrace-require-cap-on-mm-less-task.patch

diff --git a/SOURCES/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch b/SOURCES/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
new file mode 100644
index 000000000..0e0572306
--- /dev/null
+++ b/SOURCES/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
@@ -0,0 +1,75 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 9] xfrm: esp: avoid in-place decrypt on shared skb frags
+
+Backport of upstream commit f4c50a4034e6 ("xfrm: esp: avoid in-place
+decrypt on shared skb frags") for AlmaLinux 9 (5.14 kernel).
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-5.14.0-611.54.1.el9_7.
+
+ESP-in-UDP packets built from caller-owned pages (e.g. pipe pages
+attached via udp_sendpage(2) -> ip_append_page() -> skb_append_pagefrags())
+look like ordinary uncloned nonlinear skbs. ESP input then takes the
+no-COW fast path and decrypts in place over data that is not owned
+privately by the skb.
+
+Tree adaptation:
+  * Upstream patches __ip_append_data() / __ip6_append_data(), the
+    MSG_SPLICE_PAGES branch added by 7da0dde68486 / 6d8192bd69bb.
+    That feature has not been wired into UDP send paths on this tree
+    (no caller of skb_splice_from_iter in net/ipv{4,6}/).
+  * The age-equivalent producer is ip_append_page() (udp_sendpage).
+    Mark frags there with SKBFL_SHARED_FRAG so skb_has_shared_frag()
+    fires for these skbs.
+  * UDPv6 has no .sendpage op in this tree, so the esp6 hunk is
+    defense-in-depth in case a later backport adds one.
+  * The esp4/esp6 receiver-side hunks are taken verbatim from
+    upstream.
+
+Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
+Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
+(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4)
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ net/ipv4/esp4.c      | 3 ++-
+ net/ipv4/ip_output.c | 2 ++
+ net/ipv6/esp6.c      | 3 ++-
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -920,7 +920,8 @@
+ 			nfrags = 1;
+ 
+ 			goto skip_cow;
+-		} else if (!skb_has_frag_list(skb)) {
++		} else if (!skb_has_frag_list(skb) &&
++			   !skb_has_shared_frag(skb)) {
+ 			nfrags = skb_shinfo(skb)->nr_frags;
+ 			nfrags++;
+ 
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1467,6 +1467,8 @@
+ 			err = -EMSGSIZE;
+ 			goto error;
+ 		}
++		if (!(flags & MSG_NO_SHARED_FRAGS))
++			skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
+ 
+ 		if (skb->ip_summed == CHECKSUM_NONE) {
+ 			__wsum csum;
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -960,7 +960,8 @@
+ 			nfrags = 1;
+ 
+ 			goto skip_cow;
+-		} else if (!skb_has_frag_list(skb)) {
++		} else if (!skb_has_frag_list(skb) &&
++			   !skb_has_shared_frag(skb)) {
+ 			nfrags = skb_shinfo(skb)->nr_frags;
+ 			nfrags++;
+ 
+--
+2.43.0
diff --git a/SOURCES/1101-rxrpc-linearize-paged-frags.patch b/SOURCES/1101-rxrpc-linearize-paged-frags.patch
new file mode 100644
index 000000000..49761a31a
--- /dev/null
+++ b/SOURCES/1101-rxrpc-linearize-paged-frags.patch
@@ -0,0 +1,68 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 9] rxrpc: linearize incoming DATA packet when it has paged frags
+
+AlmaLinux-specific backport of the intent of the upstream rxrpc fix
+posted at https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/
+(sibling to upstream commit f4c50a4034e6 in the ESP/xfrm subsystem).
+
+The upstream patch can not be cherry-picked against this 5.14 tree:
+its target lines were introduced by upstream commit d0d5c0cd1e71
+("rxrpc: Use skb_unshare() rather than skb_cow_data()") which is not
+present here. The age-equivalent code path on AlmaLinux 9 is the
+centralized skb_unshare() in net/rxrpc/io_thread.c that is run for
+every DATA packet with a non-zero securityIndex before in-place
+decryption.
+
+skb_unshare() only handles cloned skbs. An skb that is non-cloned but
+carries paged fragments (skb->data_len != 0) — e.g. pages attached via
+udp_sendpage() / splice() / MSG_SPLICE_PAGES on a UDP socket carrying
+rxrpc traffic — slips through and is decrypted in place over data the
+skb does not own privately. With kernel-modules-partner installed
+(rxrpc.ko enabled), this is exploitable.
+
+Replace the unconditional skb_unshare() with skb_copy() whenever the
+skb is cloned OR carries paged fragments. skb_copy() always returns a
+freshly allocated linear skb, so subsequent in-place decryption only
+touches kernel-owned memory. The original skb is consumed explicitly
+(skb_unshare did this internally via consume_skb()).
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no
+rejects) against kernel-5.14.0-611.54.1.el9_7.
+
+Fixes: cac2661c53f3 ("rxrpc: Use skb_cow_data() in rxrpc_recvmsg_data()")
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ net/rxrpc/io_thread.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/net/rxrpc/io_thread.c
++++ b/net/rxrpc/io_thread.c
+@@ -225,16 +225,18 @@
+ 		 * decryption.
+ 		 */
+ 		if (sp->hdr.securityIndex != 0) {
+-			skb = skb_unshare(skb, GFP_ATOMIC);
+-			if (!skb) {
+-				rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
+-				*_skb = NULL;
+-				return just_discard;
+-			}
++			if (skb_cloned(skb) || skb->data_len) {
++				struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
++
++				if (!nskb) {
++					rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
++					return just_discard;
++				}
+ 
+-			if (skb != *_skb) {
+ 				rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare);
+-				*_skb = skb;
++				consume_skb(*_skb);
++				*_skb = nskb;
++				skb = nskb;
+ 				rxrpc_new_skb(skb, rxrpc_skb_new_unshared);
+ 				sp = rxrpc_skb(skb);
+ 			}
+--
+2.43.0
diff --git a/SOURCES/1102-net-skbuff-propagate-shared-frag-marker.patch b/SOURCES/1102-net-skbuff-propagate-shared-frag-marker.patch
new file mode 100644
index 000000000..849b2be32
--- /dev/null
+++ b/SOURCES/1102-net-skbuff-propagate-shared-frag-marker.patch
@@ -0,0 +1,122 @@
+From: Eduard Abdullin <eabdullin@almalinux.org>
+Subject: [PATCH AlmaLinux 9] net: skbuff: propagate shared-frag marker through frag-transfer helpers
+
+Backport of upstream v3 patch posted at
+https://lore.kernel.org/all/agW4vC0r8QOUKtRT@v4bel/
+(sibling to upstream commit f4c50a4034e6 "xfrm: esp: avoid in-place
+decrypt on shared skb frags").
+
+Three frag-transfer helpers in net/core/skbuff.c
+(__pskb_copy_fclone(), skb_try_coalesce(), skb_shift()) and the
+GRO accumulator path in net/core/gro.c (skb_gro_receive()) and the
+UDP GRO list helper in net/ipv4/udp_offload.c
+(skb_gro_receive_list(), kept as a static helper on AlmaLinux 9)
+fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags
+when moving frag descriptors from source to destination.  As a
+result, the destination skb keeps a reference to the same
+externally-owned or page-cache-backed pages while reporting
+skb_has_shared_frag() as false.
+
+The mismatch is harmful in any in-place writer that uses
+skb_has_shared_frag() to decide whether shared pages must be detoured
+through skb_cow_data().  ESP input is one such writer (esp4.c,
+esp6.c).  Combined with an nft 'dup to <local>' rule, an
+nf_dup_ipv4() / xt_TEE caller, or ESP-over-UDP with UDP GRO, this
+lets an unprivileged user write into the page cache of a root-owned
+read-only file via authencesn-ESN stray writes (CVE-2026-46300,
+"Fragnesia").
+
+Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors
+were actually moved from the source.  skb_copy() and skb_copy_expand()
+share skb_copy_header() too but linearize all paged data into freshly
+allocated head storage and emerge with nr_frags == 0, so
+skb_has_shared_frag() returns false on its own; they need no change.
+
+The same omission exists in skb_gro_receive() and
+skb_gro_receive_list().  The former moves the incoming skb's frag
+descriptors into the accumulator's last sub-skb via two paths plus a
+"merge:" fallback that chains the whole skb onto frag_list; the
+latter chains the incoming skb whole onto p's frag_list.  Downstream
+skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list()
+reuses each sub-skb's shinfo as the nskb -- both p and lp must carry
+the marker.
+
+Tree adaptation:
+  * Upstream v3 places skb_gro_receive_list() in net/core/gro.c.
+    AlmaLinux 9 still keeps it as a static helper in
+    net/ipv4/udp_offload.c (it has not been promoted to a global
+    GRO helper in this tree).  Apply the propagation hunk there
+    instead.
+  * Upstream skb_shift() uses skb_len_add() helpers (introduced in
+    v5.16); AlmaLinux 9 still has the open-coded
+    `skb->len -= shiftlen; ...` block.  The insertion point (right
+    after both ip_summed assignments) is the same.
+
+Fixes: cef401de7be8 ("net: fix possible wrong checksum generation")
+Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags")
+Reported-by: Sultan Alsawaf <sultan@kerneltoast.com>
+Reported-by: William Bowling <vakzz@zellic.io>
+Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Eduard Abdullin <eabdullin@almalinux.org>
+---
+ net/core/gro.c         | 2 ++
+ net/core/skbuff.c      | 6 ++++++
+ net/ipv4/udp_offload.c | 2 ++
+ 3 files changed, 10 insertions(+)
+
+--- a/net/core/gro.c
++++ b/net/core/gro.c
+@@ -222,10 +222,12 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
+ 	p->data_len += len;
+ 	p->truesize += delta_truesize;
+ 	p->len += len;
++	skb_shinfo(p)->flags |= skbinfo->flags & SKBFL_SHARED_FRAG;
+ 	if (lp != p) {
+ 		lp->data_len += len;
+ 		lp->truesize += delta_truesize;
+ 		lp->len += len;
++		skb_shinfo(lp)->flags |= skbinfo->flags & SKBFL_SHARED_FRAG;
+ 	}
+ 	NAPI_GRO_CB(skb)->same_flow = 1;
+ 	return 0;
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2026,6 +2026,7 @@ struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom,
+ 			skb_frag_ref(skb, i);
+ 		}
+ 		skb_shinfo(n)->nr_frags = i;
++		skb_shinfo(n)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;
+ 	}
+
+ 	if (skb_has_frag_list(skb)) {
+@@ -4029,6 +4030,8 @@ int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen)
+ 	tgt->ip_summed = CHECKSUM_PARTIAL;
+ 	skb->ip_summed = CHECKSUM_PARTIAL;
+
++	skb_shinfo(tgt)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;
++
+ 	/* Yak, is it really working this way? Some helper please? */
+ 	skb->len -= shiftlen;
+ 	skb->data_len -= shiftlen;
+@@ -5740,6 +5743,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
+ 	       from_shinfo->frags,
+ 	       from_shinfo->nr_frags * sizeof(skb_frag_t));
+ 	to_shinfo->nr_frags += from_shinfo->nr_frags;
++	if (from_shinfo->nr_frags)
++		to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG;
+
+ 	if (!skb_cloned(from))
+ 		from_shinfo->nr_frags = 0;
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -487,6 +487,8 @@ static int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb)
+ 	p->truesize += skb->truesize;
+ 	p->len += skb->len;
+
++	skb_shinfo(p)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;
++
+ 	NAPI_GRO_CB(skb)->same_flow = 1;
+
+ 	return 0;
+--
+2.43.0
diff --git a/SOURCES/1103-ptrace-require-cap-on-mm-less-task.patch b/SOURCES/1103-ptrace-require-cap-on-mm-less-task.patch
new file mode 100644
index 000000000..08b94e525
--- /dev/null
+++ b/SOURCES/1103-ptrace-require-cap-on-mm-less-task.patch
@@ -0,0 +1,55 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 9] ptrace: require CAP_SYS_PTRACE when task has no mm
+
+kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd
+("ptrace: slightly saner 'get_dumpable()' logic") posted at
+https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
+
+The upstream fix adds a 'user_dumpable:1' bit to task_struct and
+caches the last dumpability in exit_mm() so __ptrace_may_access()
+can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel
+threads or already-exited user tasks). That layout change to
+task_struct breaks kABI on RHEL/AlmaLinux 9 (the symtype
+signature of struct task_struct is referenced by stablelist exports
+such as set_cpus_allowed_ptr() and wake_up_process()), so we cannot
+import the field/exit_mm hunks as-is.
+
+Take the minimal kABI-safe slice instead: when task->mm == NULL,
+require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes
+the Qualys Security Advisory hole -- mm-less targets no longer pass
+the dumpability check by default -- without touching task_struct or
+exit.c. The only behavioural delta versus upstream is that a user
+task that has already cleared its mm in exit_mm() (a dying/zombie
+task) now also requires CAP_SYS_PTRACE to attach, instead of being
+remembered as previously dumpable. Such targets are rarely ptraced
+in practice.
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-5.14.0-611.54.1.el9_7.
+
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ kernel/ptrace.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -349,8 +349,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ 	smp_rmb();
+ 	mm = task->mm;
+-	if (mm &&
+-	    ((get_dumpable(mm) != SUID_DUMP_USER) &&
+-	     !ptrace_has_cap(mm->user_ns, mode)))
+-	    return -EPERM;
++	if (mm) {
++		if ((get_dumpable(mm) != SUID_DUMP_USER) &&
++		    !ptrace_has_cap(mm->user_ns, mode))
++			return -EPERM;
++	} else if (!ptrace_has_cap(&init_user_ns, mode)) {
++		return -EPERM;
++	}
+ 
+ 	return security_ptrace_access_check(task, mode);
+--
+2.43.0
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 868614c4e..5028156a1 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -182,7 +182,7 @@ Summary: The Linux kernel
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 687.5.1%{?buildid}%{?dist}
+%define specrelease 687.5.3%{?buildid}%{?dist}
 # This defines the kabi tarball version
 %define kabiversion 5.14.0-687.5.1.el9_8
 
@@ -974,6 +974,10 @@ Patch2006: 0006-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
 Patch2007: 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
 Patch2008: 0001-Make-KVM-PMU-symbols-global-for-ppc64le-module-build.patch
 Patch2009: 0001-proc-fix-a-dentry-lock-race-between-release_task-and-lookup.patch
+Patch1100: 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
+Patch1101: 1101-rxrpc-linearize-paged-frags.patch
+Patch1102: 1102-net-skbuff-propagate-shared-frag-marker.patch
+Patch1103: 1103-ptrace-require-cap-on-mm-less-task.patch
 
 Patch11111: ppc64le-kvm-support.patch
 
@@ -1720,6 +1724,10 @@ ApplyPatch 0006-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
 ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
 ApplyPatch 0001-Make-KVM-PMU-symbols-global-for-ppc64le-module-build.patch
 ApplyPatch 0001-proc-fix-a-dentry-lock-race-between-release_task-and-lookup.patch
+ApplyPatch 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
+ApplyPatch 1101-rxrpc-linearize-paged-frags.patch
+ApplyPatch 1102-net-skbuff-propagate-shared-frag-marker.patch
+ApplyPatch 1103-ptrace-require-cap-on-mm-less-task.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -3795,6 +3803,14 @@ fi
 #
 #
 %changelog
+* Tue May 19 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-687.5.3
+- xfrm: esp: avoid in-place decrypt on shared skb frags (CVE-2026-43284)
+- rxrpc: linearize incoming DATA packet when it has paged frags (CVE-2026-43500)
+- net: skbuff: propagate shared-frag marker through frag-transfer helpers
+  (CVE-2026-46300 "Fragnesia")
+- ptrace: require CAP_SYS_PTRACE on mm-less tasks (CVE-2026-46333, kABI-safe
+  replacement for upstream 31e62c2ebbfd, Qualys Security Advisory)
+
 * Tue Apr 14 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-687.5.1
 - proc: fix a dentry lock race between release_task and lookup
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024