6.12-stable patches

added patches:
	net-skb-fix-cross-cache-free-of-kfence-allocated-skb-head.patch

diff --git a/queue-6.12/net-skb-fix-cross-cache-free-of-kfence-allocated-skb-head.patch b/queue-6.12/net-skb-fix-cross-cache-free-of-kfence-allocated-skb-head.patch
new file mode 100644 (file)
index 0000000..27a1b48
--- /dev/null
+++ b/queue-6.12/net-skb-fix-cross-cache-free-of-kfence-allocated-skb-head.patch
@@ -0,0 +1,58 @@
+From 0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516 Mon Sep 17 00:00:00 2001
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+Date: Fri, 3 Apr 2026 09:45:12 +0800
+Subject: net: skb: fix cross-cache free of KFENCE-allocated skb head
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+commit 0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516 upstream.
+
+SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2
+value (e.g. 704 on x86_64) to avoid collisions with generic kmalloc
+bucket sizes. This ensures that skb_kfree_head() can reliably use
+skb_end_offset to distinguish skb heads allocated from
+skb_small_head_cache vs. generic kmalloc caches.
+
+However, when KFENCE is enabled, kfence_ksize() returns the exact
+requested allocation size instead of the slab bucket size. If a caller
+(e.g. bpf_test_init) allocates skb head data via kzalloc() and the
+requested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then
+slab_build_skb() -> ksize() returns that exact value. After subtracting
+skb_shared_info overhead, skb_end_offset ends up matching
+SKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free
+the object to skb_small_head_cache instead of back to the original
+kmalloc cache, resulting in a slab cross-cache free:
+
+  kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected
+  skbuff_small_head but got kmalloc-1k
+
+Fix this by always calling kfree(head) in skb_kfree_head(). This keeps
+the free path generic and avoids allocator-specific misclassification
+for KFENCE objects.
+
+Fixes: bf9f1baa279f ("net: add dedicated kmem_cache for typical/small skb->head")
+Reported-by: Antonius <antonius@bluedragonsec.com>
+Closes: https://lore.kernel.org/netdev/CAK8a0jxC5L5N7hq-DT2_NhUyjBxrPocoiDazzsBk4TGgT1r4-A@mail.gmail.com/
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260403014517.142550-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -1072,10 +1072,7 @@ static int skb_pp_frag_ref(struct sk_buf
+ 
+ static void skb_kfree_head(void *head, unsigned int end_offset)
+ {
+-      if (end_offset == SKB_SMALL_HEAD_HEADROOM)
+-              kmem_cache_free(net_hotdata.skb_small_head_cache, head);
+-      else
+-              kfree(head);
++      kfree(head);
+ }
+ 
+ static void skb_free_head(struct sk_buff *skb)

diff --git a/queue-6.12/series b/queue-6.12/series
index 0c8fdb2846e369460031a6201a4d04659fd8ff27..e6ed54d675a95b4b6af9cf3c3cc3f6081d1cd3aa 100644 (file)
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -66,3 +66,4 @@ rxrpc-reject-undecryptable-rxkad-response-tickets.patch
 rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch
 rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch
 rxrpc-fix-missing-error-checks-for-rxkad-encryption-decryption-failure.patch
+net-skb-fix-cross-cache-free-of-kfence-allocated-skb-head.patch