Add upstream ipv4/ipv6 fraggap paged-allocation fixes; bump to 211.28.2

This commit is contained in:
Andrew Lukoshko 2026-06-30 08:51:21 +00:00
parent 66a31f23e0
commit 674503c679
3 changed files with 143 additions and 2 deletions

View File

@ -0,0 +1,56 @@
From eca856950f7cb1a221e02b99d758409f2c5cec42 Mon Sep 17 00:00:00 2001
From: Wongi Lee <qw3rtyp0@gmail.com>
Date: Tue, 16 Jun 2026 22:38:29 +0900
Subject: [PATCH] ipv4: account for fraggap on the paged allocation path
In __ip_append_data(), when the paged-allocation branch is taken,
alloclen and pagedlen are computed as
alloclen = fragheaderlen + transhdrlen;
pagedlen = datalen - transhdrlen;
datalen already includes fraggap, but the fraggap bytes carried over
from the previous skb are copied into the new skb's linear area at
offset transhdrlen by the subsequent skb_copy_and_csum_bits(). The
linear area is therefore undersized by fraggap bytes while pagedlen is
overstated by the same amount.
The non-paged branch sets alloclen to fraglen, which already accounts
for fraggap because datalen does. Bring the paged branch in line by
adding fraggap to alloclen and subtracting it from pagedlen.
After this adjustment, copy no longer collapses to -fraggap on the
paged path, so remove the stale comment describing that old arithmetic.
Fixes: 8eb77cc73977 ("ipv4: avoid partial copy for zc")
Signed-off-by: Jungwoo Lee <jwlee2217@gmail.com>
Signed-off-by: Wongi Lee <qw3rtyp0@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/ajFR1eLAIs42TN3g@DESKTOP-19IMU7U.localdomain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 58f155e..7625bcc 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1123,8 +1123,8 @@ alloc_new_skb:
!(rt->dst.dev->features & NETIF_F_SG)))
alloclen = fraglen;
else {
- alloclen = fragheaderlen + transhdrlen;
- pagedlen = datalen - transhdrlen;
+ alloclen = fragheaderlen + transhdrlen + fraggap;
+ pagedlen = datalen - transhdrlen - fraggap;
}
alloclen += alloc_extra;
@@ -1171,9 +1171,6 @@ alloc_new_skb:
}
copy = datalen - transhdrlen - fraggap - pagedlen;
- /* [!] NOTE: copy will be negative if pagedlen>0
- * because then the equation reduces to -fraggap.
- */
if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
err = -EFAULT;
kfree_skb(skb);

View File

@ -0,0 +1,76 @@
From 736b380e28d0480c7bc3e022f1950f31fe53a7c5 Mon Sep 17 00:00:00 2001
From: Wongi Lee <qw3rtyp0@gmail.com>
Date: Tue, 16 Jun 2026 22:46:17 +0900
Subject: [PATCH] ipv6: account for fraggap on the paged allocation path
In __ip6_append_data(), when the paged-allocation branch is taken
(MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are
computed as
alloclen = fragheaderlen + transhdrlen;
pagedlen = datalen - transhdrlen;
datalen already includes fraggap (datalen = length + fraggap). When
fraggap is non-zero, this is not the first skb and transhdrlen is zero.
The fraggap bytes carried over from the previous skb are copied just past
the fragment headers in the new skb's linear area. The linear area is
therefore undersized by fraggap bytes while pagedlen is overstated by the
same amount, and the copy writes past skb->end into the trailing
skb_shared_info.
An unprivileged user can trigger this via a UDPv6 socket using
MSG_MORE together with MSG_SPLICE_PAGES.
The bad accounting was introduced by commit 773ba4fe9104 ("ipv6:
avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix
__ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative
copy value caused -EINVAL to be returned. That later commit allowed
MSG_SPLICE_PAGES to proceed in this case, making the corruption
triggerable.
The non-paged branch sets alloclen to fraglen, which already accounts
for fraggap because datalen does. Bring the paged branch in line by
adding fraggap to alloclen and subtracting it from pagedlen.
After this adjustment, copy no longer collapses to -fraggap on the
paged path, so remove the stale comment describing that old arithmetic.
Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES
case, remove the MSG_SPLICE_PAGES exception from the negative copy check.
Fixes: 773ba4fe9104 ("ipv6: avoid partial copy for zc")
Signed-off-by: Jungwoo Lee <jwlee2217@gmail.com>
Signed-off-by: Wongi Lee <qw3rtyp0@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/ajFTqRljatR17fFy@DESKTOP-19IMU7U.localdomain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 9f1e0e4f7464..368e4fa3b43c 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1667,8 +1667,8 @@ static int __ip6_append_data(struct sock *sk,
!(rt->dst.dev->features & NETIF_F_SG)))
alloclen = fraglen;
else {
- alloclen = fragheaderlen + transhdrlen;
- pagedlen = datalen - transhdrlen;
+ alloclen = fragheaderlen + transhdrlen + fraggap;
+ pagedlen = datalen - transhdrlen - fraggap;
}
alloclen += alloc_extra;
@@ -1683,10 +1683,7 @@ static int __ip6_append_data(struct sock *sk,
fraglen = datalen + fragheaderlen;
copy = datalen - transhdrlen - fraggap - pagedlen;
- /* [!] NOTE: copy may be negative if pagedlen>0
- * because then the equation may reduces to -fraggap.
- */
- if (copy < 0 && !(flags & MSG_SPLICE_PAGES)) {
+ if (copy < 0) {
err = -EINVAL;
goto error;
}
--
2.50.1 (Apple Git-155)

View File

@ -176,13 +176,13 @@ Summary: The Linux kernel
%define specrpmversion 6.12.0
%define specversion 6.12.0
%define patchversion 6.12
%define pkgrelease 211.28.1
%define pkgrelease 211.28.2
%define kversion 6
%define tarfile_release 6.12.0-211.7.1.el10_2
# This is needed to do merge window version magic
%define patchlevel 12
# This allows pkg_release to have configurable %%{?dist} tag
%define specrelease 211.28.1%{?buildid}%{?dist}
%define specrelease 211.28.2%{?buildid}%{?dist}
# This defines the kabi tarball version
%define kabiversion 6.12.0-211.7.1.el10_2
@ -1418,6 +1418,8 @@ Patch1380: 1380-rdma-mana-remove-user-triggerable-warn-on-in-mana-ib-create-.pat
Patch1381: 1381-scsi-qla2xxx-completely-fix-fcport-double-free.patch
Patch1382: 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
Patch1383: 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
Patch1384: 1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch
Patch1385: 1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
# END OF PATCH DEFINITIONS
%description
@ -2558,6 +2560,8 @@ ApplyPatch 1380-rdma-mana-remove-user-triggerable-warn-on-in-mana-ib-create-.pat
ApplyPatch 1381-scsi-qla2xxx-completely-fix-fcport-double-free.patch
ApplyPatch 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
ApplyPatch 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
ApplyPatch 1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch
ApplyPatch 1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
# END OF PATCH APPLICATIONS
# Any further pre-build tree manipulations happen here.
@ -5062,6 +5066,11 @@ fi\
#
#
%changelog
* Tue Jun 30 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.28.2
- Add upstream ipv4/ipv6 fraggap paged-allocation fixes (1384-1385)
eca856950f7c ipv4: account for fraggap on the paged allocation path
736b380e28d0 ipv6: account for fraggap on the paged allocation path
* Fri Jun 26 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.28.1
- Recreate RHEL 6.12.0-211.28.1 from CentOS Stream 10 and upstream stable backports (1375-1383)
- Retain AlmaLinux ahead-of-RHEL fix for CVE-2026-46316 (1374)