Reapply Dirty Frag + ptrace fixes dropped during 6.12.0-228 import

The Debrand commit on top of the kernel-6.12.0-228.el10 import wiped
out our four local patches. Restore them verbatim from the parent
(bc942b9e7):

  1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch (CVE-2026-43284)
  1101-rxrpc-linearize-paged-frags.patch (CVE-2026-43500)
  1102-net-skbuff-propagate-shared-frag-marker.patch
  1103-ptrace-require-cap-on-mm-less-task.patch

Patch declarations, ApplyPatch entries and a changelog stanza added
under the existing 6.12.0-228 version; release is not bumped.

1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch

@@ -0,0 +1,77 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10] xfrm: esp: avoid in-place decrypt on shared skb frags
+
+Direct cherry-pick of upstream commit f4c50a4034e6 for AlmaLinux 10
+(6.12 kernel).
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-6.12.0-124.55.1.el10_1.
+
+ESP-in-UDP packets built from MSG_SPLICE_PAGES (pipe pages) look like
+ordinary uncloned nonlinear skbs to ESP input, which takes the no-COW
+fast path and decrypts in place over data that is not owned privately
+by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG
+matching TCP, and make ESP input fall back to skb_cow_data() when the
+flag is present.
+
+Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
+Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
+Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES")
+Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES")
+(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4)
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ net/ipv4/esp4.c       | 3 ++-
+ net/ipv4/ip_output.c  | 2 ++
+ net/ipv6/esp6.c       | 3 ++-
+ net/ipv6/ip6_output.c | 2 ++
+ 4 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -908,7 +908,8 @@
+ 			nfrags = 1;
+ 
+ 			goto skip_cow;
+-		} else if (!skb_has_frag_list(skb)) {
++		} else if (!skb_has_frag_list(skb) &&
++			   !skb_has_shared_frag(skb)) {
+ 			nfrags = skb_shinfo(skb)->nr_frags;
+ 			nfrags++;
+ 
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1236,6 +1236,8 @@
+ 			if (err < 0)
+ 				goto error;
+ 			copy = err;
++			if (!(flags & MSG_NO_SHARED_FRAGS))
++				skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
+ 			wmem_alloc_delta += copy;
+ 		} else if (!zc) {
+ 			int i = skb_shinfo(skb)->nr_frags;
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -950,7 +950,8 @@
+ 			nfrags = 1;
+ 
+ 			goto skip_cow;
+-		} else if (!skb_has_frag_list(skb)) {
++		} else if (!skb_has_frag_list(skb) &&
++			   !skb_has_shared_frag(skb)) {
+ 			nfrags = skb_shinfo(skb)->nr_frags;
+ 			nfrags++;
+ 
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1769,6 +1769,8 @@
+ 			if (err < 0)
+ 				goto error;
+ 			copy = err;
++			if (!(flags & MSG_NO_SHARED_FRAGS))
++				skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
+ 			wmem_alloc_delta += copy;
+ 		} else if (!zc) {
+ 			int i = skb_shinfo(skb)->nr_frags;
+--
+2.43.0

1101-rxrpc-linearize-paged-frags.patch

@@ -0,0 +1,69 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10] rxrpc: linearize incoming DATA packet when it has paged frags
+
+AlmaLinux-specific backport of the intent of the upstream rxrpc fix
+posted at https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/ for the
+"Dirty Frag" class of bugs (sibling to upstream commit f4c50a4034e6 in
+the ESP/xfrm subsystem).
+
+The upstream patch can not be cherry-picked against this 6.12 tree:
+its target lines were introduced by upstream commit d0d5c0cd1e71
+("rxrpc: Use skb_unshare() rather than skb_cow_data()") which is not
+present here. The age-equivalent code path on AlmaLinux 10 is the
+centralized skb_unshare() in net/rxrpc/io_thread.c that is run for
+every DATA packet with a non-zero securityIndex before in-place
+decryption.
+
+skb_unshare() only handles cloned skbs. An skb that is non-cloned but
+carries paged fragments (skb->data_len != 0) — e.g. pages attached via
+udp_sendpage() / splice() / MSG_SPLICE_PAGES on a UDP socket carrying
+rxrpc traffic — slips through and is decrypted in place over data the
+skb does not own privately. With kernel-modules-partner installed
+(rxrpc.ko enabled), this is exploitable.
+
+Replace the unconditional skb_unshare() with skb_copy() whenever the
+skb is cloned OR carries paged fragments. skb_copy() always returns a
+freshly allocated linear skb, so subsequent in-place decryption only
+touches kernel-owned memory. The original skb is consumed explicitly
+(skb_unshare did this internally via consume_skb()).
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no
+rejects) against kernel-6.12.0-124.55.1.el10_1.
+
+Fixes: cac2661c53f3 ("rxrpc: Use skb_cow_data() in rxrpc_recvmsg_data()")
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ net/rxrpc/io_thread.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/net/rxrpc/io_thread.c
++++ b/net/rxrpc/io_thread.c
+@@ -235,16 +235,18 @@
+ 		 * decryption.
+ 		 */
+ 		if (sp->hdr.securityIndex != 0) {
+-			skb = skb_unshare(skb, GFP_ATOMIC);
+-			if (!skb) {
+-				rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
+-				*_skb = NULL;
+-				return just_discard;
+-			}
++			if (skb_cloned(skb) || skb->data_len) {
++				struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
++
++				if (!nskb) {
++					rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
++					return just_discard;
++				}
+ 
+-			if (skb != *_skb) {
+ 				rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare);
+-				*_skb = skb;
++				consume_skb(*_skb);
++				*_skb = nskb;
++				skb = nskb;
+ 				rxrpc_new_skb(skb, rxrpc_skb_new_unshared);
+ 				sp = rxrpc_skb(skb);
+ 			}
+--
+2.43.0

1102-net-skbuff-propagate-shared-frag-marker.patch

@@ -0,0 +1,105 @@
+From: Eduard Abdullin <eabdullin@almalinux.org>
+Subject: [PATCH AlmaLinux 10] net: skbuff: propagate shared-frag marker through frag-transfer helpers
+
+Backport of upstream v3 patch posted at
+https://lore.kernel.org/all/agW4vC0r8QOUKtRT@v4bel/
+(sibling to upstream commit f4c50a4034e6 "xfrm: esp: avoid in-place
+decrypt on shared skb frags").
+
+Three frag-transfer helpers (__pskb_copy_fclone(), skb_try_coalesce(),
+and skb_shift()) and the GRO accumulator helpers (skb_gro_receive()
+and skb_gro_receive_list()) fail to propagate the SKBFL_SHARED_FRAG
+bit in skb_shinfo()->flags when moving frag descriptors from source
+to destination.  As a result, the destination skb keeps a reference
+to the same externally-owned or page-cache-backed pages while
+reporting skb_has_shared_frag() as false.
+
+The mismatch is harmful in any in-place writer that uses
+skb_has_shared_frag() to decide whether shared pages must be detoured
+through skb_cow_data().  ESP input is one such writer (esp4.c,
+esp6.c).  Combined with an nft 'dup to <local>' rule, an
+nf_dup_ipv4() / xt_TEE caller, or ESP-over-UDP with UDP GRO, this
+lets an unprivileged user write into the page cache of a root-owned
+read-only file via authencesn-ESN stray writes (CVE-2026-46300,
+"Fragnesia").
+
+Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors
+were actually moved from the source.  skb_copy() and skb_copy_expand()
+share skb_copy_header() too but linearize all paged data into freshly
+allocated head storage and emerge with nr_frags == 0, so
+skb_has_shared_frag() returns false on its own; they need no change.
+
+The same omission exists in skb_gro_receive() and
+skb_gro_receive_list().  The former moves the incoming skb's frag
+descriptors into the accumulator's last sub-skb via two paths plus a
+"merge:" fallback that chains the whole skb onto frag_list; the
+latter chains the incoming skb whole onto p's frag_list.  Downstream
+skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list()
+reuses each sub-skb's shinfo as the nskb -- both p and lp must carry
+the marker.
+
+Fixes: cef401de7be8 ("net: fix possible wrong checksum generation")
+Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags")
+Reported-by: Sultan Alsawaf <sultan@kerneltoast.com>
+Reported-by: William Bowling <vakzz@zellic.io>
+Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Eduard Abdullin <eabdullin@almalinux.org>
+---
+ net/core/gro.c    | 4 ++++
+ net/core/skbuff.c | 5 +++++
+ 2 files changed, 9 insertions(+)
+
+--- a/net/core/gro.c
++++ b/net/core/gro.c
+@@ -213,10 +213,12 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
+ 	p->data_len += len;
+ 	p->truesize += delta_truesize;
+ 	p->len += len;
++	skb_shinfo(p)->flags |= skbinfo->flags & SKBFL_SHARED_FRAG;
+ 	if (lp != p) {
+ 		lp->data_len += len;
+ 		lp->truesize += delta_truesize;
+ 		lp->len += len;
++		skb_shinfo(lp)->flags |= skbinfo->flags & SKBFL_SHARED_FRAG;
+ 	}
+ 	NAPI_GRO_CB(skb)->same_flow = 1;
+ 	return 0;
+@@ -244,6 +246,8 @@ int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb)
+ 	p->truesize += skb->truesize;
+ 	p->len += skb->len;
+
++	skb_shinfo(p)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;
++
+ 	NAPI_GRO_CB(skb)->same_flow = 1;
+
+ 	return 0;
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2123,6 +2123,7 @@ struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom,
+ 			skb_frag_ref(skb, i);
+ 		}
+ 		skb_shinfo(n)->nr_frags = i;
++		skb_shinfo(n)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;
+ 	}
+
+ 	if (skb_has_frag_list(skb)) {
+@@ -4198,6 +4199,8 @@ int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen)
+ 	tgt->ip_summed = CHECKSUM_PARTIAL;
+ 	skb->ip_summed = CHECKSUM_PARTIAL;
+
++	skb_shinfo(tgt)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;
++
+ 	skb_len_add(skb, -shiftlen);
+ 	skb_len_add(tgt, shiftlen);
+
+@@ -6028,6 +6031,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
+ 	       from_shinfo->frags,
+ 	       from_shinfo->nr_frags * sizeof(skb_frag_t));
+ 	to_shinfo->nr_frags += from_shinfo->nr_frags;
++	if (from_shinfo->nr_frags)
++		to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG;
+
+ 	if (!skb_cloned(from))
+ 		from_shinfo->nr_frags = 0;
+--
+2.43.0

1103-ptrace-require-cap-on-mm-less-task.patch

@@ -0,0 +1,55 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10s] ptrace: require CAP_SYS_PTRACE when task has no mm
+
+kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd
+("ptrace: slightly saner 'get_dumpable()' logic") posted at
+https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
+
+The upstream fix adds a 'user_dumpable:1' bit to task_struct and
+caches the last dumpability in exit_mm() so __ptrace_may_access()
+can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel
+threads or already-exited user tasks). That layout change to
+task_struct breaks kABI on AlmaLinux 10s (the symtype
+signature of struct task_struct is referenced by hundreds of
+stablelist exports), so we cannot import the field/exit_mm hunks
+as-is.
+
+Take the minimal kABI-safe slice instead: when task->mm == NULL,
+require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes
+the Qualys Security Advisory hole -- mm-less targets no longer pass
+the dumpability check by default -- without touching task_struct or
+exit.c. The only behavioural delta versus upstream is that a user
+task that has already cleared its mm in exit_mm() (a dying/zombie
+task) now also requires CAP_SYS_PTRACE to attach, instead of being
+remembered as previously dumpable. Such targets are rarely ptraced
+in practice.
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-6.12.0-227.el10.
+
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ kernel/ptrace.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -339,8 +339,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ 	smp_rmb();
+ 	mm = task->mm;
+-	if (mm &&
+-	    ((get_dumpable(mm) != SUID_DUMP_USER) &&
+-	     !ptrace_has_cap(mm->user_ns, mode)))
+-	    return -EPERM;
++	if (mm) {
++		if ((get_dumpable(mm) != SUID_DUMP_USER) &&
++		    !ptrace_has_cap(mm->user_ns, mode))
++			return -EPERM;
++	} else if (!ptrace_has_cap(&init_user_ns, mode)) {
++		return -EPERM;
++	}
+ 
+ 	return security_ptrace_access_check(task, mode);
+--
+2.43.0

kernel.spec

@@ -1143,6 +1143,10 @@ Patch2007: 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
 Patch2008: 0008-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch
 Patch2009: 0009-Bring-back-deprecated-pci-ids-to-mpt3sas-driver.patch
 Patch2010: 0001-Keep-fs-btrfs-files-in-modules-package.patch
+Patch1100: 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
+Patch1101: 1101-rxrpc-linearize-paged-frags.patch
+Patch1102: 1102-net-skbuff-propagate-shared-frag-marker.patch
+Patch1103: 1103-ptrace-require-cap-on-mm-less-task.patch
 
 # END OF PATCH DEFINITIONS
 
@@ -2038,6 +2042,10 @@ ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
 ApplyPatch 0008-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch
 ApplyPatch 0009-Bring-back-deprecated-pci-ids-to-mpt3sas-driver.patch
 ApplyPatch 0001-Keep-fs-btrfs-files-in-modules-package.patch
+ApplyPatch 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
+ApplyPatch 1101-rxrpc-linearize-paged-frags.patch
+ApplyPatch 1102-net-skbuff-propagate-shared-frag-marker.patch
+ApplyPatch 1103-ptrace-require-cap-on-mm-less-task.patch
 
 %{log_msg "End of patch applications"}
 # END OF PATCH APPLICATIONS
@@ -4552,6 +4560,12 @@ fi\
 #
 #
 %changelog
+* Tue May 19 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-228
+- xfrm: esp: avoid in-place decrypt on shared skb frags (CVE-2026-43284)
+- rxrpc: linearize incoming DATA packet when it has paged frags (CVE-2026-43500)
+- net: skbuff: propagate shared-frag marker through frag-transfer helpers
+- ptrace: require CAP_SYS_PTRACE on mm-less tasks (kABI-safe Qualys fix)
+
 * Sat May 16 2026 Eduard Abdullin <eabdullin@almalinux.org> - 6.12.0-228
 - Debrand for AlmaLinux OS
 - Use AlmaLinux OS secure boot cert