6.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 30 Jun 2026 09:48:43 +0000 (11:48 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 30 Jun 2026 09:48:43 +0000 (11:48 +0200)
added patches:
ipv6-account-for-fraggap-on-the-paged-allocation-path.patch

queue-6.18/ipv6-account-for-fraggap-on-the-paged-allocation-path.patch [new file with mode: 0644]
queue-6.18/series

diff --git a/queue-6.18/ipv6-account-for-fraggap-on-the-paged-allocation-path.patch b/queue-6.18/ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
new file mode 100644 (file)
index 0000000..e6f5072
--- /dev/null
@@ -0,0 +1,79 @@
+From 736b380e28d0480c7bc3e022f1950f31fe53a7c5 Mon Sep 17 00:00:00 2001
+From: Wongi Lee <qw3rtyp0@gmail.com>
+Date: Tue, 16 Jun 2026 22:46:17 +0900
+Subject: ipv6: account for fraggap on the paged allocation path
+
+From: Wongi Lee <qw3rtyp0@gmail.com>
+
+commit 736b380e28d0480c7bc3e022f1950f31fe53a7c5 upstream.
+
+In __ip6_append_data(), when the paged-allocation branch is taken
+(MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are
+computed as
+
+       alloclen = fragheaderlen + transhdrlen;
+       pagedlen = datalen - transhdrlen;
+
+datalen already includes fraggap (datalen = length + fraggap). When
+fraggap is non-zero, this is not the first skb and transhdrlen is zero.
+The fraggap bytes carried over from the previous skb are copied just past
+the fragment headers in the new skb's linear area. The linear area is
+therefore undersized by fraggap bytes while pagedlen is overstated by the
+same amount, and the copy writes past skb->end into the trailing
+skb_shared_info.
+
+An unprivileged user can trigger this via a UDPv6 socket using
+MSG_MORE together with MSG_SPLICE_PAGES.
+
+The bad accounting was introduced by commit 773ba4fe9104 ("ipv6:
+avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix
+__ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative
+copy value caused -EINVAL to be returned. That later commit allowed
+MSG_SPLICE_PAGES to proceed in this case, making the corruption
+triggerable.
+
+The non-paged branch sets alloclen to fraglen, which already accounts
+for fraggap because datalen does. Bring the paged branch in line by
+adding fraggap to alloclen and subtracting it from pagedlen.
+
+After this adjustment, copy no longer collapses to -fraggap on the
+paged path, so remove the stale comment describing that old arithmetic.
+Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES
+case, remove the MSG_SPLICE_PAGES exception from the negative copy check.
+
+Fixes: 773ba4fe9104 ("ipv6: avoid partial copy for zc")
+Signed-off-by: Jungwoo Lee <jwlee2217@gmail.com>
+Signed-off-by: Wongi Lee <qw3rtyp0@gmail.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/ajFTqRljatR17fFy@DESKTOP-19IMU7U.localdomain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c |    9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1648,8 +1648,8 @@ alloc_new_skb:
+                                 !(rt->dst.dev->features & NETIF_F_SG)))
+                               alloclen = fraglen;
+                       else {
+-                              alloclen = fragheaderlen + transhdrlen;
+-                              pagedlen = datalen - transhdrlen;
++                              alloclen = fragheaderlen + transhdrlen + fraggap;
++                              pagedlen = datalen - transhdrlen - fraggap;
+                       }
+                       alloclen += alloc_extra;
+@@ -1664,10 +1664,7 @@ alloc_new_skb:
+                       fraglen = datalen + fragheaderlen;
+                       copy = datalen - transhdrlen - fraggap - pagedlen;
+-                      /* [!] NOTE: copy may be negative if pagedlen>0
+-                       * because then the equation may reduces to -fraggap.
+-                       */
+-                      if (copy < 0 && !(flags & MSG_SPLICE_PAGES)) {
++                      if (copy < 0) {
+                               err = -EINVAL;
+                               goto error;
+                       }
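Review bot: The corrected paged branch at `alloclen = fragheaderlen + transhdrlen + fraggap;` now rests on two facts that the hunk leaves undocumented once the stale comment is deleted: the fraggap bytes carried over from the previous skb are copied into the new skb's linear area, and fraggap and transhdrlen are never both non-zero (the commit message states this, the code does not). A short comment above that assignment, such as `/* fraggap bytes from skb_prev are copied into the linear area, so count them in alloclen rather than pagedlen */`, would keep a later reader from "simplifying" this back to the broken form. With this arithmetic copy is exactly zero on the paged path, so the tightened `if (copy < 0)` check only rejects a length smaller than transhdrlen on the non-paged path, which looks intended but deserves a word in the same comment. Since the commit message describes an unprivileged write past skb->end via UDPv6 MSG_MORE with MSG_SPLICE_PAGES, it is also worth confirming that the IPv4 paged branch in __ip_append_data does not share the same accounting, though nothing on this page shows either way. __ip6_append_data begins and ends outside the hunk.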
index 996c90fee378fdda82cfbd9df1ecc2440e3e9ada..649ed85b9cf54813da49ce9747b2c81cdffbb7e2 100644 (file)
@@ -29,3 +29,4 @@ batman-adv-tt-track-roam-count-per-vid.patch
 batman-adv-dat-prevent-false-sharing-between-vlans.patch
 batman-adv-tvlv-enforce-2-byte-alignment.patch
 batman-adv-tvlv-avoid-race-of-cifsnotfound-handler-s.patch
+ipv6-account-for-fraggap-on-the-paged-allocation-path.patch