From: Greg Kroah-Hartman Date: Mon, 13 Apr 2026 13:20:54 +0000 (+0200) Subject: 6.12-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5508d8fdbfed6ec7ebd12e11ba7f0f3f27a2869b;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: net-skb-fix-cross-cache-free-of-kfence-allocated-skb-head.patch --- diff --git a/queue-6.12/net-skb-fix-cross-cache-free-of-kfence-allocated-skb-head.patch b/queue-6.12/net-skb-fix-cross-cache-free-of-kfence-allocated-skb-head.patch new file mode 100644 index 0000000000..27a1b48dfb --- /dev/null +++ b/queue-6.12/net-skb-fix-cross-cache-free-of-kfence-allocated-skb-head.patch 
@@ -0,0 +1,58 @@ +From 0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516 Mon Sep 17 00:00:00 2001 +From: Jiayuan Chen +Date: Fri, 3 Apr 2026 09:45:12 +0800 +Subject: net: skb: fix cross-cache free of KFENCE-allocated skb head + +From: Jiayuan Chen + +commit 0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516 upstream. + +SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2 +value (e.g. 704 on x86_64) to avoid collisions with generic kmalloc +bucket sizes. This ensures that skb_kfree_head() can reliably use +skb_end_offset to distinguish skb heads allocated from +skb_small_head_cache vs. generic kmalloc caches. + +However, when KFENCE is enabled, kfence_ksize() returns the exact +requested allocation size instead of the slab bucket size. If a caller +(e.g. bpf_test_init) allocates skb head data via kzalloc() and the +requested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then +slab_build_skb() -> ksize() returns that exact value. After subtracting +skb_shared_info overhead, skb_end_offset ends up matching +SKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free +the object to skb_small_head_cache instead of back to the original +kmalloc cache, resulting in a slab cross-cache free: + + kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected + skbuff_small_head but got kmalloc-1k + +Fix this by always calling kfree(head) in skb_kfree_head(). This keeps +the free path generic and avoids allocator-specific misclassification +for KFENCE objects. 
+ +Fixes: bf9f1baa279f ("net: add dedicated kmem_cache for typical/small skb->head") +Reported-by: Antonius +Closes: https://lore.kernel.org/netdev/CAK8a0jxC5L5N7hq-DT2_NhUyjBxrPocoiDazzsBk4TGgT1r4-A@mail.gmail.com/ +Signed-off-by: Jiayuan Chen +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260403014517.142550-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -1072,10 +1072,7 @@ static int skb_pp_frag_ref(struct sk_buf + + static void skb_kfree_head(void *head, unsigned int end_offset) + { +- if (end_offset == SKB_SMALL_HEAD_HEADROOM) +- kmem_cache_free(net_hotdata.skb_small_head_cache, head); +- else +- kfree(head); ++ kfree(head); + } + + static void skb_free_head(struct sk_buff *skb) diff --git a/queue-6.12/series b/queue-6.12/series index 0c8fdb2846..e6ed54d675 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -66,3 +66,4 @@ rxrpc-reject-undecryptable-rxkad-response-tickets.patch rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch rxrpc-fix-missing-error-checks-for-rxkad-encryption-decryption-failure.patch +net-skb-fix-cross-cache-free-of-kfence-allocated-skb-head.patch
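Review bot: With the branch removed, the end_offset parameter of skb_kfree_head() is dead in this hunk but still in the signature; either drop it here and at the callers (not visible in this diff) or note in the commit message that the signature is kept unchanged to keep the stable backport minimal. The single `kfree(head);` is correct only because kfree() resolves the owning kmem_cache from the object's slab page, so a head that really came from skb_small_head_cache still returns to that cache; a one-line comment above the call saying so would spare the next reader from wondering why the dedicated cache no longer gets an explicit kmem_cache_free().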
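The commit message above describes the misclassification in prose; the following user-space model, added here and not part of the kernel or of this patch, replays it. It models ksize() on a slab-backed kmalloc() object as the bucket size, kfence_ksize() as the exact request, and the pre-fix skb_kfree_head() classifier that routes on end_offset. The 704-byte cache size is the x86_64 value quoted in the message; the 320-byte shared-info overhead, the kmalloc bucket list and all function names are assumptions made for the model, not kernel values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* 704 is the x86_64 SKB_SMALL_HEAD_CACHE_SIZE quoted in the commit message.
 * MODEL_SHINFO_OVERHEAD is an ASSUMED placeholder for
 * SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); only the arithmetic
 * matters for the model, not the exact value. */
#define SKB_SMALL_HEAD_CACHE_SIZE 704u
#define MODEL_SHINFO_OVERHEAD     320u
#define SKB_SMALL_HEAD_HEADROOM   (SKB_SMALL_HEAD_CACHE_SIZE - MODEL_SHINFO_OVERHEAD)

enum cache { CACHE_KMALLOC, CACHE_SMALL_HEAD };

struct head {
	enum cache owner;   /* cache the object was actually allocated from */
	unsigned int ksize; /* what ksize() reports for it */
};

/* Model of ksize() on a slab-backed kmalloc() object: the generic bucket
 * size. Bucket list is an assumption mirroring the usual kmalloc-N caches. */
static unsigned int model_slab_ksize(unsigned int req)
{
	static const unsigned int buckets[] = { 8, 16, 32, 64, 96, 128, 192, 256,
						512, 1024, 2048, 4096, 8192 };
	for (size_t i = 0; i < sizeof(buckets) / sizeof(buckets[0]); i++)
		if (req <= buckets[i])
			return buckets[i];
	return req; /* larger requests are page-backed; not relevant here */
}

/* kzalloc()/kmalloc() served by the slab allocator. */
static struct head alloc_kmalloc(unsigned int req)
{
	return (struct head){ CACHE_KMALLOC, model_slab_ksize(req) };
}

/* Same request, but sampled by KFENCE: kfence_ksize() returns the exact size. */
static struct head alloc_kmalloc_kfence(unsigned int req)
{
	return (struct head){ CACHE_KMALLOC, req };
}

/* kmem_cache_alloc() from skb_small_head_cache: fixed object size. */
static struct head alloc_small_head(void)
{
	return (struct head){ CACHE_SMALL_HEAD, SKB_SMALL_HEAD_CACHE_SIZE };
}

/* slab_build_skb(): skb_end_offset is ksize minus the shared-info overhead. */
static unsigned int model_end_offset(const struct head *h)
{
	return h->ksize - MODEL_SHINFO_OVERHEAD;
}

/* Pre-fix skb_kfree_head(): picks the target cache from end_offset alone. */
static enum cache old_free_target(unsigned int end_offset)
{
	return end_offset == SKB_SMALL_HEAD_HEADROOM ? CACHE_SMALL_HEAD : CACHE_KMALLOC;
}

/* Post-fix path: kfree() derives the owning cache from the slab page, so the
 * target is always the cache the object came from. */
static enum cache new_free_target(const struct head *h)
{
	return h->owner;
}

/* True when the pre-fix routing would hand the object to the wrong cache. */
bool old_path_cross_cache_free(const struct head *h)
{
	return old_free_target(model_end_offset(h)) != h->owner;
}

bool new_path_cross_cache_free(const struct head *h)
{
	return new_free_target(h) != h->owner;
}

/* Scenarios from the commit message, as self-contained checks. */
bool slab_kmalloc_704_old_path_ok(void)
{
	struct head h = alloc_kmalloc(SKB_SMALL_HEAD_CACHE_SIZE); /* ksize rounds to 1024 */
	return !old_path_cross_cache_free(&h);
}

bool kfence_kmalloc_704_old_path_crosses(void)
{
	struct head h = alloc_kmalloc_kfence(SKB_SMALL_HEAD_CACHE_SIZE); /* ksize stays 704 */
	return old_path_cross_cache_free(&h);
}

bool kfence_kmalloc_704_new_path_ok(void)
{
	struct head h = alloc_kmalloc_kfence(SKB_SMALL_HEAD_CACHE_SIZE);
	return !new_path_cross_cache_free(&h);
}

bool small_head_old_path_ok(void)
{
	struct head h = alloc_small_head();
	return !old_path_cross_cache_free(&h);
}

int main(void)
{
	printf("slab kmalloc(704), old path cross-cache: %d\n",
	       !slab_kmalloc_704_old_path_ok());
	printf("KFENCE kmalloc(704), old path cross-cache: %d\n",
	       kfence_kmalloc_704_old_path_crosses());
	printf("KFENCE kmalloc(704), new path cross-cache: %d\n",
	       !kfence_kmalloc_704_new_path_ok());
	return 0;
}
```

The model makes the invariant explicit: a generic kmalloc object never reports ksize() == 704 because no bucket has that size, so end_offset never collides with SKB_SMALL_HEAD_HEADROOM; KFENCE breaks that by reporting the requested 704 exactly, and the old classifier then sends a kmalloc-1k object to skb_small_head_cache.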