From 674503c6790b1f04dab9c9fed91faad37c1c3279 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko
Date: Tue, 30 Jun 2026 08:51:21 +0000
Subject: [PATCH] Add upstream ipv4/ipv6 fraggap paged-allocation fixes; bump to 211.28.2
---
 ...fraggap-on-the-paged-allocation-path.patch | 56 ++++++++++++++
 ...fraggap-on-the-paged-allocation-path.patch | 76 +++++++++++++++++++
 kernel.spec | 13 +++-
 3 files changed, 143 insertions(+), 2 deletions(-)
 create mode 100644 1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch
 create mode 100644 1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
diff --git a/1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch b/1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch
new file mode 100644
index 000000000..e63402fe7
--- /dev/null
+++ b/1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch
@@ -0,0 +1,56 @@
+From eca856950f7cb1a221e02b99d758409f2c5cec42 Mon Sep 17 00:00:00 2001
+From: Wongi Lee
+Date: Tue, 16 Jun 2026 22:38:29 +0900
+Subject: [PATCH] ipv4: account for fraggap on the paged allocation path
+
+In __ip_append_data(), when the paged-allocation branch is taken,
+alloclen and pagedlen are computed as
+
+ alloclen = fragheaderlen + transhdrlen;
+ pagedlen = datalen - transhdrlen;
+
+datalen already includes fraggap, but the fraggap bytes carried over
+from the previous skb are copied into the new skb's linear area at
+offset transhdrlen by the subsequent skb_copy_and_csum_bits(). The
+linear area is therefore undersized by fraggap bytes while pagedlen is
+overstated by the same amount.
+
+The non-paged branch sets alloclen to fraglen, which already accounts
+for fraggap because datalen does. Bring the paged branch in line by
+adding fraggap to alloclen and subtracting it from pagedlen.
+
+After this adjustment, copy no longer collapses to -fraggap on the
+paged path, so remove the stale comment describing that old arithmetic.
+
+Fixes: 8eb77cc73977 ("ipv4: avoid partial copy for zc")
+Signed-off-by: Jungwoo Lee
+Signed-off-by: Wongi Lee
+Reviewed-by: Ido Schimmel
+Link: https://patch.msgid.link/ajFR1eLAIs42TN3g@DESKTOP-19IMU7U.localdomain
+Signed-off-by: Jakub Kicinski
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 58f155e..7625bcc 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1123,8 +1123,8 @@ alloc_new_skb:
+ !(rt->dst.dev->features & NETIF_F_SG)))
+ alloclen = fraglen;
+ else {
+- alloclen = fragheaderlen + transhdrlen;
+- pagedlen = datalen - transhdrlen;
++ alloclen = fragheaderlen + transhdrlen + fraggap;
++ pagedlen = datalen - transhdrlen - fraggap;
+ }
+
+ alloclen += alloc_extra;
+@@ -1171,9 +1171,6 @@ alloc_new_skb:
+ }
+
+ copy = datalen - transhdrlen - fraggap - pagedlen;
+- /* [!] NOTE: copy will be negative if pagedlen>0
+- * because then the equation reduces to -fraggap.
+- */
+ if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
+ err = -EFAULT;
+ kfree_skb(skb);
diff --git a/1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch b/1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
new file mode 100644
index 000000000..c9a75ee88
--- /dev/null
+++ b/1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
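Review bot: The 1384 patch does not read as a verbatim `git format-patch` export the way 1385 does: its nested `index 58f155e..7625bcc 100644` line carries 7-character blob ids where the ipv6 patch carries 12, and the file ends at `+ kfree_skb(skb);` with no `-- ` / git-version trailer, which suggests it was regenerated or hand-edited for the 6.12 tree. Since the spec changelog attributes it to upstream eca856950f7c, the two nested hunks at 1123 and 1171 should be compared against that commit's diff so that only line offsets differ, and any rebase recorded below the message's `---` separator, e.g. `[<packager>: rebased onto the 6.12 backport tree, context offsets only]`. Both nested hunks sit inside __ip_append_data(), whose body begins and ends outside the quoted hunks.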
@@ -0,0 +1,76 @@
+From 736b380e28d0480c7bc3e022f1950f31fe53a7c5 Mon Sep 17 00:00:00 2001
+From: Wongi Lee
+Date: Tue, 16 Jun 2026 22:46:17 +0900
+Subject: [PATCH] ipv6: account for fraggap on the paged allocation path
+
+In __ip6_append_data(), when the paged-allocation branch is taken
+(MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are
+computed as
+
+ alloclen = fragheaderlen + transhdrlen;
+ pagedlen = datalen - transhdrlen;
+
+datalen already includes fraggap (datalen = length + fraggap). When
+fraggap is non-zero, this is not the first skb and transhdrlen is zero.
+The fraggap bytes carried over from the previous skb are copied just past
+the fragment headers in the new skb's linear area. The linear area is
+therefore undersized by fraggap bytes while pagedlen is overstated by the
+same amount, and the copy writes past skb->end into the trailing
+skb_shared_info.
+
+An unprivileged user can trigger this via a UDPv6 socket using
+MSG_MORE together with MSG_SPLICE_PAGES.
+
+The bad accounting was introduced by commit 773ba4fe9104 ("ipv6:
+avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix
+__ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative
+copy value caused -EINVAL to be returned. That later commit allowed
+MSG_SPLICE_PAGES to proceed in this case, making the corruption
+triggerable.
+
+The non-paged branch sets alloclen to fraglen, which already accounts
+for fraggap because datalen does. Bring the paged branch in line by
+adding fraggap to alloclen and subtracting it from pagedlen.
+
+After this adjustment, copy no longer collapses to -fraggap on the
+paged path, so remove the stale comment describing that old arithmetic.
+Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES
+case, remove the MSG_SPLICE_PAGES exception from the negative copy check.
+
+Fixes: 773ba4fe9104 ("ipv6: avoid partial copy for zc")
+Signed-off-by: Jungwoo Lee
+Signed-off-by: Wongi Lee
+Reviewed-by: Ido Schimmel
+Link: https://patch.msgid.link/ajFTqRljatR17fFy@DESKTOP-19IMU7U.localdomain
+Signed-off-by: Jakub Kicinski
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 9f1e0e4f7464..368e4fa3b43c 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1667,8 +1667,8 @@ static int __ip6_append_data(struct sock *sk,
+ !(rt->dst.dev->features & NETIF_F_SG)))
+ alloclen = fraglen;
+ else {
+- alloclen = fragheaderlen + transhdrlen;
+- pagedlen = datalen - transhdrlen;
++ alloclen = fragheaderlen + transhdrlen + fraggap;
++ pagedlen = datalen - transhdrlen - fraggap;
+ }
+ alloclen += alloc_extra;
+
+@@ -1683,10 +1683,7 @@ static int __ip6_append_data(struct sock *sk,
+ fraglen = datalen + fragheaderlen;
+
+ copy = datalen - transhdrlen - fraggap - pagedlen;
+- /* [!] NOTE: copy may be negative if pagedlen>0
+- * because then the equation may reduces to -fraggap.
+- */
+- if (copy < 0 && !(flags & MSG_SPLICE_PAGES)) {
++ if (copy < 0) {
+ err = -EINVAL;
+ goto error;
+ }
+--
+2.50.1 (Apple Git-155)
+
diff --git a/kernel.spec b/kernel.spec
index 9b16ff044..5d4e3db9c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -176,13 +176,13 @@ Summary: The Linux kernel
 %define specrpmversion 6.12.0
 %define specversion 6.12.0
 %define patchversion 6.12
-%define pkgrelease 211.28.1
+%define pkgrelease 211.28.2
 %define kversion 6
 %define tarfile_release 6.12.0-211.7.1.el10_2
 # This is needed to do merge window version magic
 %define patchlevel 12
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 211.28.1%{?buildid}%{?dist}
+%define specrelease 211.28.2%{?buildid}%{?dist}
 # This defines the kabi tarball version
 %define kabiversion 6.12.0-211.7.1.el10_2
@@ -1418,6 +1418,8 @@ Patch1380: 1380-rdma-mana-remove-user-triggerable-warn-on-in-mana-ib-create-.pat
 Patch1381: 1381-scsi-qla2xxx-completely-fix-fcport-double-free.patch
 Patch1382: 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
 Patch1383: 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
+Patch1384: 1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch
+Patch1385: 1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
 # END OF PATCH DEFINITIONS
 %description
@@ -2558,6 +2560,8 @@ ApplyPatch 1380-rdma-mana-remove-user-triggerable-warn-on-in-mana-ib-create-.pat
 ApplyPatch 1381-scsi-qla2xxx-completely-fix-fcport-double-free.patch
 ApplyPatch 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
 ApplyPatch 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
+ApplyPatch 1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch
+ApplyPatch 1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
 # END OF PATCH APPLICATIONS
 # Any further pre-build tree manipulations happen here.
@@ -5062,6 +5066,11 @@ fi\
 #
 #
 %changelog
+* Tue Jun 30 2026 Andrew Lukoshko - 6.12.0-211.28.2
+- Add upstream ipv4/ipv6 fraggap paged-allocation fixes (1384-1385)
+ eca856950f7c ipv4: account for fraggap on the paged allocation path
+ 736b380e28d0 ipv6: account for fraggap on the paged allocation path
+
 * Fri Jun 26 2026 Andrew Lukoshko - 6.12.0-211.28.1
 - Recreate RHEL 6.12.0-211.28.1 from CentOS Stream 10 and upstream stable backports (1375-1383)
 - Retain AlmaLinux ahead-of-RHEL fix for CVE-2026-46316 (1374)
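Review bot: The new %changelog entry in the third hunk records only the patch numbers and upstream subjects, while the 1385 patch message it imports describes an out-of-bounds write past skb->end in __ip6_append_data() that an unprivileged user can reach through a UDPv6 socket, so the security relevance of this release is invisible to anyone reading the package history. The preceding entry names CVE-2026-46316 for its fix; this one should state the impact the same way and carry the identifier once one is assigned, e.g. `- Fix unprivileged-triggerable skb linear-area overflow in __ip6_append_data() (<CVE-ID if assigned>)`. The Patch1384/Patch1385 definitions and the matching ApplyPatch lines in the first two hunks are consistent with each other and with the added files.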