From 2a779fc66c92c737e11d1f6fbc5e5e2d6cb752e7 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko <alukoshko@almalinux.org>
Date: Fri, 8 May 2026 16:16:25 +0000
Subject: [PATCH] Apply Dirty Frag fixes (CVE-2026-43284, CVE-2026-43500)

Apply the same Patch1100 (xfrm/esp) and Patch1101 (rxrpc) shipped on
the AlmaLinux 10 main branch. Release is not bumped since 226 has not
yet shipped to users; a second changelog entry is added under the
existing 6.12.0-226 version.
---
 ...id-in-place-decrypt-shared-skb-frags.patch | 77 +++++++++++++++++++
 1101-rxrpc-linearize-paged-frags.patch        | 69 +++++++++++++++++
 kernel.spec                                   |  8 ++
 3 files changed, 154 insertions(+)
 create mode 100644 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
 create mode 100644 1101-rxrpc-linearize-paged-frags.patch

diff --git a/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch b/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
new file mode 100644
index 000000000..0fe6a5691
--- /dev/null
+++ b/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
@@ -0,0 +1,77 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10] xfrm: esp: avoid in-place decrypt on shared skb frags
+
+Direct cherry-pick of upstream commit f4c50a4034e6 for AlmaLinux 10
+(6.12 kernel).
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-6.12.0-124.55.1.el10_1.
+
+ESP-in-UDP packets built from MSG_SPLICE_PAGES (pipe pages) look like
+ordinary uncloned nonlinear skbs to ESP input, which takes the no-COW
+fast path and decrypts in place over data that is not owned privately
+by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG
+matching TCP, and make ESP input fall back to skb_cow_data() when the
+flag is present.
+
+Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
+Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
+Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES")
+Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES")
+(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4)
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ net/ipv4/esp4.c       | 3 ++-
+ net/ipv4/ip_output.c  | 2 ++
+ net/ipv6/esp6.c       | 3 ++-
+ net/ipv6/ip6_output.c | 2 ++
+ 4 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -908,7 +908,8 @@
+ 			nfrags = 1;
+ 
+ 			goto skip_cow;
+-		} else if (!skb_has_frag_list(skb)) {
++		} else if (!skb_has_frag_list(skb) &&
++			   !skb_has_shared_frag(skb)) {
+ 			nfrags = skb_shinfo(skb)->nr_frags;
+ 			nfrags++;
+ 
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1236,6 +1236,8 @@
+ 			if (err < 0)
+ 				goto error;
+ 			copy = err;
++			if (!(flags & MSG_NO_SHARED_FRAGS))
++				skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
+ 			wmem_alloc_delta += copy;
+ 		} else if (!zc) {
+ 			int i = skb_shinfo(skb)->nr_frags;
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -950,7 +950,8 @@
+ 			nfrags = 1;
+ 
+ 			goto skip_cow;
+-		} else if (!skb_has_frag_list(skb)) {
++		} else if (!skb_has_frag_list(skb) &&
++			   !skb_has_shared_frag(skb)) {
+ 			nfrags = skb_shinfo(skb)->nr_frags;
+ 			nfrags++;
+ 
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1769,6 +1769,8 @@
+ 			if (err < 0)
+ 				goto error;
+ 			copy = err;
++			if (!(flags & MSG_NO_SHARED_FRAGS))
++				skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
+ 			wmem_alloc_delta += copy;
+ 		} else if (!zc) {
+ 			int i = skb_shinfo(skb)->nr_frags;
+--
+2.43.0
diff --git a/1101-rxrpc-linearize-paged-frags.patch b/1101-rxrpc-linearize-paged-frags.patch
new file mode 100644
index 000000000..71f881d12
--- /dev/null
+++ b/1101-rxrpc-linearize-paged-frags.patch
@@ -0,0 +1,69 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10] rxrpc: linearize incoming DATA packet when it has paged frags
+
+AlmaLinux-specific backport of the intent of the upstream rxrpc fix
+posted at https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/ for the
+"Dirty Frag" class of bugs (sibling to upstream commit f4c50a4034e6 in
+the ESP/xfrm subsystem).
+
+The upstream patch can not be cherry-picked against this 6.12 tree:
+its target lines were introduced by upstream commit d0d5c0cd1e71
+("rxrpc: Use skb_unshare() rather than skb_cow_data()") which is not
+present here. The age-equivalent code path on AlmaLinux 10 is the
+centralized skb_unshare() in net/rxrpc/io_thread.c that is run for
+every DATA packet with a non-zero securityIndex before in-place
+decryption.
+
+skb_unshare() only handles cloned skbs. An skb that is non-cloned but
+carries paged fragments (skb->data_len != 0) — e.g. pages attached via
+udp_sendpage() / splice() / MSG_SPLICE_PAGES on a UDP socket carrying
+rxrpc traffic — slips through and is decrypted in place over data the
+skb does not own privately. With kernel-modules-partner installed
+(rxrpc.ko enabled), this is exploitable.
+
+Replace the unconditional skb_unshare() with skb_copy() whenever the
+skb is cloned OR carries paged fragments. skb_copy() always returns a
+freshly allocated linear skb, so subsequent in-place decryption only
+touches kernel-owned memory. The original skb is consumed explicitly
+(skb_unshare did this internally via consume_skb()).
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no
+rejects) against kernel-6.12.0-124.55.1.el10_1.
+
+Fixes: cac2661c53f3 ("rxrpc: Use skb_cow_data() in rxrpc_recvmsg_data()")
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ net/rxrpc/io_thread.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/net/rxrpc/io_thread.c
++++ b/net/rxrpc/io_thread.c
+@@ -235,16 +235,18 @@
+ 		 * decryption.
+ 		 */
+ 		if (sp->hdr.securityIndex != 0) {
+-			skb = skb_unshare(skb, GFP_ATOMIC);
+-			if (!skb) {
+-				rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
+-				*_skb = NULL;
+-				return just_discard;
+-			}
++			if (skb_cloned(skb) || skb->data_len) {
++				struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
++
++				if (!nskb) {
++					rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
++					return just_discard;
++				}
+ 
+-			if (skb != *_skb) {
+ 				rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare);
+-				*_skb = skb;
++				consume_skb(*_skb);
++				*_skb = nskb;
++				skb = nskb;
+ 				rxrpc_new_skb(skb, rxrpc_skb_new_unshared);
+ 				sp = rxrpc_skb(skb);
+ 			}
+--
+2.43.0
diff --git a/kernel.spec b/kernel.spec
index 1a523df60..b7656eef7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -1143,6 +1143,8 @@ Patch2007: 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
 Patch2008: 0008-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch
 Patch2009: 0009-Bring-back-deprecated-pci-ids-to-mpt3sas-driver.patch
 Patch2010: 0001-Keep-fs-btrfs-files-in-modules-package.patch
+Patch1100: 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
+Patch1101: 1101-rxrpc-linearize-paged-frags.patch
 
 # END OF PATCH DEFINITIONS
 
@@ -2038,6 +2040,8 @@ ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
 ApplyPatch 0008-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch
 ApplyPatch 0009-Bring-back-deprecated-pci-ids-to-mpt3sas-driver.patch
 ApplyPatch 0001-Keep-fs-btrfs-files-in-modules-package.patch
+ApplyPatch 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
+ApplyPatch 1101-rxrpc-linearize-paged-frags.patch
 
 %{log_msg "End of patch applications"}
 # END OF PATCH APPLICATIONS
@@ -4552,6 +4556,10 @@ fi\
 #
 #
 %changelog
+* Fri May 08 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-226
+- xfrm: esp: avoid in-place decrypt on shared skb frags
+- rxrpc: linearize incoming DATA packet when it has paged frags
+
 * Thu May 07 2026 Eduard Abdullin <eabdullin@almalinux.org> - 6.12.0-226
 - Debrand for AlmaLinux OS
 - Use AlmaLinux OS secure boot cert