Add upstream ipv4/ipv6 fraggap paged-allocation fixes; bump to 211.28.2
parent
66a31f23e0
commit
674503c679
@ -0,0 +1,56 @@
|
||||
From eca856950f7cb1a221e02b99d758409f2c5cec42 Mon Sep 17 00:00:00 2001
|
||||
From: Wongi Lee <qw3rtyp0@gmail.com>
|
||||
Date: Tue, 16 Jun 2026 22:38:29 +0900
|
||||
Subject: [PATCH] ipv4: account for fraggap on the paged allocation path
|
||||
|
||||
In __ip_append_data(), when the paged-allocation branch is taken,
|
||||
alloclen and pagedlen are computed as
|
||||
|
||||
alloclen = fragheaderlen + transhdrlen;
|
||||
pagedlen = datalen - transhdrlen;
|
||||
|
||||
datalen already includes fraggap, but the fraggap bytes carried over
|
||||
from the previous skb are copied into the new skb's linear area at
|
||||
offset transhdrlen by the subsequent skb_copy_and_csum_bits(). The
|
||||
linear area is therefore undersized by fraggap bytes while pagedlen is
|
||||
overstated by the same amount.
|
||||
|
||||
The non-paged branch sets alloclen to fraglen, which already accounts
|
||||
for fraggap because datalen does. Bring the paged branch in line by
|
||||
adding fraggap to alloclen and subtracting it from pagedlen.
|
||||
|
||||
After this adjustment, copy no longer collapses to -fraggap on the
|
||||
paged path, so remove the stale comment describing that old arithmetic.
|
||||
|
||||
Fixes: 8eb77cc73977 ("ipv4: avoid partial copy for zc")
|
||||
Signed-off-by: Jungwoo Lee <jwlee2217@gmail.com>
|
||||
Signed-off-by: Wongi Lee <qw3rtyp0@gmail.com>
|
||||
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
|
||||
Link: https://patch.msgid.link/ajFR1eLAIs42TN3g@DESKTOP-19IMU7U.localdomain
|
||||
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
||||
|
||||
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
|
||||
index 58f155e..7625bcc 100644
|
||||
--- a/net/ipv4/ip_output.c
|
||||
+++ b/net/ipv4/ip_output.c
|
||||
@@ -1123,8 +1123,8 @@ alloc_new_skb:
|
||||
!(rt->dst.dev->features & NETIF_F_SG)))
|
||||
alloclen = fraglen;
|
||||
else {
|
||||
- alloclen = fragheaderlen + transhdrlen;
|
||||
- pagedlen = datalen - transhdrlen;
|
||||
+ alloclen = fragheaderlen + transhdrlen + fraggap;
|
||||
+ pagedlen = datalen - transhdrlen - fraggap;
|
||||
}
|
||||
|
||||
alloclen += alloc_extra;
|
||||
@@ -1171,9 +1171,6 @@ alloc_new_skb:
|
||||
}
|
||||
|
||||
copy = datalen - transhdrlen - fraggap - pagedlen;
|
||||
- /* [!] NOTE: copy will be negative if pagedlen>0
|
||||
- * because then the equation reduces to -fraggap.
|
||||
- */
|
||||
if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
|
||||
err = -EFAULT;
|
||||
kfree_skb(skb);
|
||||
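Review bot: The second hunk of this ipv4 patch deletes the only comment describing the value of `copy` on the paged path, leaving `if (copy > 0 && getfrag(...) < 0)` as its sole visible use, so nothing here states or enforces that `copy` can no longer go negative. The ipv6 patch in this same commit rejects `copy < 0` with -EINVAL; no equivalent guard appears in these ipv4 hunks, though one may exist outside them, which is worth confirming against the patched tree. I would replace the deleted comment rather than drop it, for example `/* paged path: alloclen now includes fraggap, so copy is 0 here, never negative */`. Both hunks sit under the alloc_new_skb label of __ip_append_data(), whose body starts and ends outside the hunks.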
@ -0,0 +1,76 @@
|
||||
From 736b380e28d0480c7bc3e022f1950f31fe53a7c5 Mon Sep 17 00:00:00 2001
|
||||
From: Wongi Lee <qw3rtyp0@gmail.com>
|
||||
Date: Tue, 16 Jun 2026 22:46:17 +0900
|
||||
Subject: [PATCH] ipv6: account for fraggap on the paged allocation path
|
||||
|
||||
In __ip6_append_data(), when the paged-allocation branch is taken
|
||||
(MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are
|
||||
computed as
|
||||
|
||||
alloclen = fragheaderlen + transhdrlen;
|
||||
pagedlen = datalen - transhdrlen;
|
||||
|
||||
datalen already includes fraggap (datalen = length + fraggap). When
|
||||
fraggap is non-zero, this is not the first skb and transhdrlen is zero.
|
||||
The fraggap bytes carried over from the previous skb are copied just past
|
||||
the fragment headers in the new skb's linear area. The linear area is
|
||||
therefore undersized by fraggap bytes while pagedlen is overstated by the
|
||||
same amount, and the copy writes past skb->end into the trailing
|
||||
skb_shared_info.
|
||||
|
||||
An unprivileged user can trigger this via a UDPv6 socket using
|
||||
MSG_MORE together with MSG_SPLICE_PAGES.
|
||||
|
||||
The bad accounting was introduced by commit 773ba4fe9104 ("ipv6:
|
||||
avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix
|
||||
__ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative
|
||||
copy value caused -EINVAL to be returned. That later commit allowed
|
||||
MSG_SPLICE_PAGES to proceed in this case, making the corruption
|
||||
triggerable.
|
||||
|
||||
The non-paged branch sets alloclen to fraglen, which already accounts
|
||||
for fraggap because datalen does. Bring the paged branch in line by
|
||||
adding fraggap to alloclen and subtracting it from pagedlen.
|
||||
|
||||
After this adjustment, copy no longer collapses to -fraggap on the
|
||||
paged path, so remove the stale comment describing that old arithmetic.
|
||||
Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES
|
||||
case, remove the MSG_SPLICE_PAGES exception from the negative copy check.
|
||||
|
||||
Fixes: 773ba4fe9104 ("ipv6: avoid partial copy for zc")
|
||||
Signed-off-by: Jungwoo Lee <jwlee2217@gmail.com>
|
||||
Signed-off-by: Wongi Lee <qw3rtyp0@gmail.com>
|
||||
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
|
||||
Link: https://patch.msgid.link/ajFTqRljatR17fFy@DESKTOP-19IMU7U.localdomain
|
||||
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
||||
|
||||
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
|
||||
index 9f1e0e4f7464..368e4fa3b43c 100644
|
||||
--- a/net/ipv6/ip6_output.c
|
||||
+++ b/net/ipv6/ip6_output.c
|
||||
@@ -1667,8 +1667,8 @@ static int __ip6_append_data(struct sock *sk,
|
||||
!(rt->dst.dev->features & NETIF_F_SG)))
|
||||
alloclen = fraglen;
|
||||
else {
|
||||
- alloclen = fragheaderlen + transhdrlen;
|
||||
- pagedlen = datalen - transhdrlen;
|
||||
+ alloclen = fragheaderlen + transhdrlen + fraggap;
|
||||
+ pagedlen = datalen - transhdrlen - fraggap;
|
||||
}
|
||||
alloclen += alloc_extra;
|
||||
|
||||
@@ -1683,10 +1683,7 @@ static int __ip6_append_data(struct sock *sk,
|
||||
fraglen = datalen + fragheaderlen;
|
||||
|
||||
copy = datalen - transhdrlen - fraggap - pagedlen;
|
||||
- /* [!] NOTE: copy may be negative if pagedlen>0
|
||||
- * because then the equation may reduces to -fraggap.
|
||||
- */
|
||||
- if (copy < 0 && !(flags & MSG_SPLICE_PAGES)) {
|
||||
+ if (copy < 0) {
|
||||
err = -EINVAL;
|
||||
goto error;
|
||||
}
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
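Review bot: The tightened `if (copy < 0)` in the second hunk is the guard visible here against the linear-area overrun the commit message describes, but with the old comment removed nothing explains why MSG_SPLICE_PAGES no longer gets an exception. A one-line comment would keep the exception from being reintroduced later, for example `/* copy < 0 means alloclen/pagedlen disagree about fraggap; never valid, MSG_SPLICE_PAGES included */`. The removed line `if (copy < 0 && !(flags & MSG_SPLICE_PAGES))` shows this tree carried the exception, so by the commit message's own account the packaged kernel was affected before 211.28.2. The body of __ip6_append_data() continues outside both hunks.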
13
kernel.spec
13
kernel.spec
@ -176,13 +176,13 @@ Summary: The Linux kernel
|
||||
%define specrpmversion 6.12.0
|
||||
%define specversion 6.12.0
|
||||
%define patchversion 6.12
|
||||
%define pkgrelease 211.28.1
|
||||
%define pkgrelease 211.28.2
|
||||
%define kversion 6
|
||||
%define tarfile_release 6.12.0-211.7.1.el10_2
|
||||
# This is needed to do merge window version magic
|
||||
%define patchlevel 12
|
||||
# This allows pkg_release to have configurable %%{?dist} tag
|
||||
%define specrelease 211.28.1%{?buildid}%{?dist}
|
||||
%define specrelease 211.28.2%{?buildid}%{?dist}
|
||||
# This defines the kabi tarball version
|
||||
%define kabiversion 6.12.0-211.7.1.el10_2
|
||||
|
||||
@ -1418,6 +1418,8 @@ Patch1380: 1380-rdma-mana-remove-user-triggerable-warn-on-in-mana-ib-create-.pat
|
||||
Patch1381: 1381-scsi-qla2xxx-completely-fix-fcport-double-free.patch
|
||||
Patch1382: 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
|
||||
Patch1383: 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
|
||||
Patch1384: 1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch
|
||||
Patch1385: 1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%description
|
||||
@ -2558,6 +2560,8 @@ ApplyPatch 1380-rdma-mana-remove-user-triggerable-warn-on-in-mana-ib-create-.pat
|
||||
ApplyPatch 1381-scsi-qla2xxx-completely-fix-fcport-double-free.patch
|
||||
ApplyPatch 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
|
||||
ApplyPatch 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
|
||||
ApplyPatch 1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch
|
||||
ApplyPatch 1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
# Any further pre-build tree manipulations happen here.
|
||||
@ -5062,6 +5066,11 @@ fi\
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Tue Jun 30 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.28.2
|
||||
- Add upstream ipv4/ipv6 fraggap paged-allocation fixes (1384-1385)
|
||||
eca856950f7c ipv4: account for fraggap on the paged allocation path
|
||||
736b380e28d0 ipv6: account for fraggap on the paged allocation path
|
||||
|
||||
* Fri Jun 26 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.28.1
|
||||
- Recreate RHEL 6.12.0-211.28.1 from CentOS Stream 10 and upstream stable backports (1375-1383)
|
||||
- Retain AlmaLinux ahead-of-RHEL fix for CVE-2026-46316 (1374)
|
||||
|
||||