Bump version to 5.14.0-611.54.2
xfrm: esp: avoid in-place decrypt on shared skb frags (upstream commit f4c50a4034e6)
This commit is contained in:
parent
dbd2209812
commit
2530dd40b5
@ -0,0 +1,75 @@
|
||||
From: Andrew Lukoshko <alukoshko@almalinux.org>
|
||||
Subject: [PATCH AlmaLinux 9] xfrm: esp: avoid in-place decrypt on shared skb frags
|
||||
|
||||
Backport of upstream commit f4c50a4034e6 ("xfrm: esp: avoid in-place
|
||||
decrypt on shared skb frags") for AlmaLinux 9 (5.14 kernel).
|
||||
|
||||
Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
|
||||
against kernel-5.14.0-611.54.1.el9_7.
|
||||
|
||||
ESP-in-UDP packets built from caller-owned pages (e.g. pipe pages
|
||||
attached via udp_sendpage(2) -> ip_append_page() -> skb_append_pagefrags())
|
||||
look like ordinary uncloned nonlinear skbs. ESP input then takes the
|
||||
no-COW fast path and decrypts in place over data that is not owned
|
||||
privately by the skb.
|
||||
|
||||
Tree adaptation:
|
||||
* Upstream patches __ip_append_data() / __ip6_append_data(), the
|
||||
MSG_SPLICE_PAGES branch added by 7da0dde68486 / 6d8192bd69bb.
|
||||
That feature has not been wired into UDP send paths on this tree
|
||||
(no caller of skb_splice_from_iter in net/ipv{4,6}/).
|
||||
* The age-equivalent producer is ip_append_page() (udp_sendpage).
|
||||
Mark frags there with SKBFL_SHARED_FRAG so skb_has_shared_frag()
|
||||
fires for these skbs.
|
||||
* UDPv6 has no .sendpage op in this tree, so the esp6 hunk is
|
||||
defense-in-depth in case a later backport adds one.
|
||||
* The esp4/esp6 receiver-side hunks are taken verbatim from
|
||||
upstream.
|
||||
|
||||
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
|
||||
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
|
||||
(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4)
|
||||
Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
|
||||
---
|
||||
net/ipv4/esp4.c | 3 ++-
|
||||
net/ipv4/ip_output.c | 2 ++
|
||||
net/ipv6/esp6.c | 3 ++-
|
||||
3 files changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/net/ipv4/esp4.c
|
||||
+++ b/net/ipv4/esp4.c
|
||||
@@ -920,7 +920,8 @@
|
||||
nfrags = 1;
|
||||
|
||||
goto skip_cow;
|
||||
- } else if (!skb_has_frag_list(skb)) {
|
||||
+ } else if (!skb_has_frag_list(skb) &&
|
||||
+ !skb_has_shared_frag(skb)) {
|
||||
nfrags = skb_shinfo(skb)->nr_frags;
|
||||
nfrags++;
|
||||
|
||||
--- a/net/ipv4/ip_output.c
|
||||
+++ b/net/ipv4/ip_output.c
|
||||
@@ -1467,6 +1467,8 @@
|
||||
err = -EMSGSIZE;
|
||||
goto error;
|
||||
}
|
||||
+ if (!(flags & MSG_NO_SHARED_FRAGS))
|
||||
+ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
|
||||
|
||||
if (skb->ip_summed == CHECKSUM_NONE) {
|
||||
__wsum csum;
|
||||
--- a/net/ipv6/esp6.c
|
||||
+++ b/net/ipv6/esp6.c
|
||||
@@ -960,7 +960,8 @@
|
||||
nfrags = 1;
|
||||
|
||||
goto skip_cow;
|
||||
- } else if (!skb_has_frag_list(skb)) {
|
||||
+ } else if (!skb_has_frag_list(skb) &&
|
||||
+ !skb_has_shared_frag(skb)) {
|
||||
nfrags = skb_shinfo(skb)->nr_frags;
|
||||
nfrags++;
|
||||
|
||||
--
|
||||
2.43.0
|
||||
@ -165,13 +165,13 @@ Summary: The Linux kernel
|
||||
# define buildid .local
|
||||
%define specversion 5.14.0
|
||||
%define patchversion 5.14
|
||||
%define pkgrelease 611.54.1
|
||||
%define pkgrelease 611.54.2
|
||||
%define kversion 5
|
||||
%define tarfile_release 5.14.0-611.54.1.el9_7
|
||||
# This is needed to do merge window version magic
|
||||
%define patchlevel 14
|
||||
# This allows pkg_release to have configurable %%{?dist} tag
|
||||
%define specrelease 611.54.1%{?buildid}%{?dist}
|
||||
%define specrelease 611.54.2%{?buildid}%{?dist}
|
||||
# This defines the kabi tarball version
|
||||
%define kabiversion 5.14.0-611.54.1.el9_7
|
||||
|
||||
@ -956,6 +956,7 @@ Patch2004: 0004-Bring-back-deprecated-pci-ids-to-qla2xxx-driver.patch
|
||||
Patch2005: 0005-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
|
||||
Patch2006: 0006-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
|
||||
Patch2007: 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
|
||||
Patch1100: 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
|
||||
|
||||
Patch11111: ppc64le-kvm-support.patch
|
||||
|
||||
@ -1700,6 +1701,7 @@ ApplyPatch 0004-Bring-back-deprecated-pci-ids-to-qla2xxx-driver.patch
|
||||
ApplyPatch 0005-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
|
||||
ApplyPatch 0006-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
|
||||
ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
|
||||
ApplyPatch 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
@ -3771,6 +3773,9 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu May 07 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-611.54.2
|
||||
- xfrm: esp: avoid in-place decrypt on shared skb frags
|
||||
|
||||
* Wed May 06 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-611.54.1
|
||||
- hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
|
||||
- mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
|
||||
|
||||
Loading…
Reference in New Issue
Block a user