Bump version to 6.12.0-124.56.2

net: skbuff: propagate shared-frag marker through pskb_copy() Sibling fix to upstream commit f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags") which is already part of the 124.56.1 rebase. __pskb_copy_fclone() and skb_try_coalesce() shallow-copied frag descriptors without propagating SKBFL_SHARED_FRAG, so destinations referencing externally-owned pages reported skb_has_shared_frag() as false. Combined with an nft 'dup to <local>' rule (or any other nf_dup_ipv4 / xt_TEE caller), this lets an unprivileged user write into the page cache of a root-owned read-only file via ESP-input in-place decryption. Backport of https://lore.kernel.org/all/agRfuVOeMI5pbHhY@v4bel/
2026-05-13 13:18:59 +00:00 · 2026-05-13 13:18:59 +00:00 · c3f0a68cfa
commit c3f0a68cfa
parent 0beec5c537
2 changed files with 71 additions and 2 deletions
--- a/1100-net-skbuff-propagate-shared-frag-marker.patch
+++ b/1100-net-skbuff-propagate-shared-frag-marker.patch
@ -0,0 +1,64 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10] net: skbuff: propagate shared-frag marker through pskb_copy()
+
+Backport of upstream patch posted at
+https://lore.kernel.org/all/agRfuVOeMI5pbHhY@v4bel/
+(sibling to the xfrm/esp shared-frag fix upstream commit f4c50a4034e6,
+already merged into 6.12.0-124.56.1 via the c10s import).
+
+__pskb_copy_fclone() shallow-copies the source's frag descriptors and
+bumps each page's refcount via skb_frag_ref(), then defers the rest
+of the shinfo metadata to skb_copy_header().  That helper only carries
+over gso_{size,segs,type} and never touches skb_shinfo()->flags, so
+the destination skb keeps a reference to the same externally-owned or
+page-cache-backed pages while reporting skb_has_shared_frag() as
+false.
+
+The mismatch is harmful in any in-place writer that uses
+skb_has_shared_frag() to decide whether shared pages must be detoured
+through skb_cow_data().  ESP input is one such writer (esp4.c,
+esp6.c), and a single nft 'dup to <local>' rule -- or any other
+nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d
+skb in esp_input() with the marker stripped, letting an unprivileged
+user write into the page cache of a root-owned read-only file via
+authencesn-ESN stray writes.
+
+Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors
+were actually moved from the source.  skb_copy() and skb_copy_expand()
+share skb_copy_header() too but linearize all paged data into freshly
+allocated head storage and emerge with nr_frags == 0, so
+skb_has_shared_frag() returns false on its own; they need no change.
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-6.12.0-124.56.1.el10_1.
+
+Fixes: cef401de7be8 ("net: fix possible wrong checksum generation")
+Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags")
+Reported-by: William Bowling <vakzz@zellic.io>
+Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ net/core/skbuff.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
+@@ -2123,6 +2123,7 @@ struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom,
+ 			skb_frag_ref(skb, i);
+ 		}
+ 		skb_shinfo(n)->nr_frags = i;
+		skb_shinfo(n)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;
+ 	}
+
+ 	if (skb_has_frag_list(skb)) {
+@@ -6028,6 +6029,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
+ 	       from_shinfo->frags,
+ 	       from_shinfo->nr_frags * sizeof(skb_frag_t));
+ 	to_shinfo->nr_frags += from_shinfo->nr_frags;
+	if (from_shinfo->nr_frags)
+		to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG;
+
+ 	if (!skb_cloned(from))
+ 		from_shinfo->nr_frags = 0;
+--
+2.43.0
--- a/kernel.spec
+++ b/kernel.spec
@ -176,13 +176,13 @@ Summary: The Linux kernel
 %define specrpmversion 6.12.0
 %define specversion 6.12.0
 %define patchversion 6.12
-%define pkgrelease 124.56.1
+%define pkgrelease 124.56.2
 %define kversion 6
 %define tarfile_release 6.12.0-124.56.1.el10_1
 # This is needed to do merge window version magic
 %define patchlevel 12
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 124.56.1%{?buildid}%{?dist}
+%define specrelease 124.56.2%{?buildid}%{?dist}
 # This defines the kabi tarball version
 %define kabiversion 6.12.0-124.56.1.el10_1

@ -1128,6 +1128,7 @@ Patch2007: 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
 Patch2008: 0008-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch
 Patch2009: 0009-Bring-back-deprecated-pci-ids-to-mpt3sas-driver.patch
 Patch2010: 0010-Bring-back-deprecated-pci-ids-to-aacraid-driver.patch
+Patch1100: 1100-net-skbuff-propagate-shared-frag-marker.patch

 # END OF PATCH DEFINITIONS

@ -1989,6 +1990,7 @@ ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
 ApplyPatch 0008-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch
 ApplyPatch 0009-Bring-back-deprecated-pci-ids-to-mpt3sas-driver.patch
 ApplyPatch 0010-Bring-back-deprecated-pci-ids-to-aacraid-driver.patch
+ApplyPatch 1100-net-skbuff-propagate-shared-frag-marker.patch

 %{log_msg "End of patch applications"}
 # END OF PATCH APPLICATIONS
@ -4377,6 +4379,9 @@ fi\
 #
 #
 %changelog
+* Wed May 13 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-124.56.2
+- net: skbuff: propagate shared-frag marker through pskb_copy()
+
 * Wed May 13 2026 Eduard Abdullin <eabdullin@almalinux.org> - 6.12.0-124.56.1
 - Debrand for AlmaLinux OS
 - Use AlmaLinux OS secure boot cert