net: skbuff: propagate shared-frag marker through frag-transfer helpers

Replace 611.54.4's partial fix (which was a backport of Hyunwoo Kim's v1 patch covering only __pskb_copy_fclone() and skb_try_coalesce()) with a backport of the upstream v3 patch:

  https://lore.kernel.org/all/agW4vC0r8QOUKtRT@v4bel/

v3 also covers skb_shift() (the new hunk added in v2) and skb_gro_receive() / skb_gro_receive_list() (the audit follow-up suggested by Sultan Alsawaf in agVpIsaSherjHTYg@sultan-box).

All five sites moved frag descriptors between skbs without propagating the SKBFL_SHARED_FRAG marker, so destinations could end up referencing externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false. Combined with ESP-over-UDP and UDP GRO, or any nf_dup_ipv4 / xt_TEE caller, this lets an unprivileged user trigger in-place ESP decryption over root-owned page-cache pages (CVE-2026-46300, "Fragnesia").

Tree-adapted: skb_gro_receive_list() is still a static helper in net/ipv4/udp_offload.c on RHEL 9 (not promoted to a global GRO helper in net/core/gro.c as in upstream v3); skb_shift() still uses the open-coded skb->len -= shiftlen block instead of skb_len_add().
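The invariant the commit message describes, as an added userspace model (not code from the patch or from the kernel): a helper that moves frag descriptors must carry the shared-frag marker along, or a later in-place writer will modify memory it does not own. `struct toy_skb`, `TOY_SHARED_FRAG` and every `toy_*` function are hypothetical stand-ins, the XOR stands in for in-place decryption, and the "page" contents are constructed.

```c
#include <stdio.h>
#include <string.h>

#define TOY_SHARED_FRAG 0x1u  /* stand-in for SKBFL_SHARED_FRAG */
#define TOY_MAX_FRAGS   4
#define TOY_FRAG_LEN    8

struct toy_skb {              /* hypothetical model, not struct sk_buff */
    unsigned flags;
    int nr_frags;
    unsigned char *frags[TOY_MAX_FRAGS];              /* borrowed page pointers */
    unsigned char priv[TOY_MAX_FRAGS][TOY_FRAG_LEN];  /* private copies */
};

static int toy_has_shared_frag(const struct toy_skb *s) { return (s->flags & TOY_SHARED_FRAG) != 0; }

/* Move frag descriptors from src to dst; propagate != 0 models the fixed helpers. */
static void toy_move_frags(struct toy_skb *dst, struct toy_skb *src, int propagate) {
    for (int i = 0; i < src->nr_frags && dst->nr_frags < TOY_MAX_FRAGS; i++)
        dst->frags[dst->nr_frags++] = src->frags[i];
    if (propagate)
        dst->flags |= src->flags & TOY_SHARED_FRAG;
    src->nr_frags = 0;
}

/* Payload rewriter: trusts the marker to decide between copy-first and in-place. */
static void toy_transform(struct toy_skb *s) {
    for (int i = 0; i < s->nr_frags; i++) {
        if (toy_has_shared_frag(s)) {          /* unshare before writing */
            memcpy(s->priv[i], s->frags[i], TOY_FRAG_LEN);
            s->frags[i] = s->priv[i];
        }
        for (int j = 0; j < TOY_FRAG_LEN; j++)
            s->frags[i][j] ^= 0x5a;            /* stand-in for in-place decryption */
    }
}

/* Returns 1 if the externally owned page is unmodified after move + transform. */
static int toy_page_intact(int propagate) {
    unsigned char page[TOY_FRAG_LEN] = "CACHEPG";  /* constructed page-cache data */
    struct toy_skb dst = {0}, src = { .flags = TOY_SHARED_FRAG, .nr_frags = 1, .frags = { page } };
    toy_move_frags(&dst, &src, propagate);
    toy_transform(&dst);
    return memcmp(page, "CACHEPG", TOY_FRAG_LEN) == 0;
}

int main(void) {
    printf("page intact: unfixed=%d fixed=%d\n", toy_page_intact(0), toy_page_intact(1));
    return 0;
}
```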