Patch kernel to fix CVE-2026-43465 #17426
Closed
omkhar wants to merge 1 commit into
Upstream Author Dragos Tatulea <dtatulea@nvidia.com> (Nvidia); Reviewed-by Nimrod Oren <noren@nvidia.com>; Signed-off-by chain Tariq Toukan → Jakub Kicinski → Sasha Levin preserved byte-for-byte in the patch file. omkhar <omkhar@linkedin.com> is the AzureLinux 3.0 forward-porter. 6.6.y has no upstream backport (this fix landed in 6.18.y); the forward-port reverts xdp_update_skb_frags_info() → xdp_update_skb_shared_info() (API rename between 6.6 and 6.18). +5/-7 LoC in drivers/net/ethernet/mellanox/mlx5/core/en_rx.c. Code-correctness: mlx5e_skb_from_cqe_mpwrq_nonlinear shrank exactly 50 bytes (0xa3d → 0xa0b), matching removal of two frag_page -= page-pool subtractions. mlx5_ib auto-loaded mlx5_core in running patched kernel (refcnt=1, vermagic match). ftrace kprobe on the patched symbol fired 173,549× on patched (vs 4,428× baseline) during LTP-net run. LTP-net 0 patch-induced regressions. Signed-off-by: omkhar <omkhar@linkedin.com>
Author
Closing per the OOT policy I committed to on #17414 (comment): I only ask for OOT carry when there is a public PoC achieving LPE/RCE on a stock kernel, or active-in-the-wild signal. This backport is technically sound (verbatim upstream apply, LTP clean, The upstream fix carries Happy to reopen if a public PoC surfaces or if the Mariner / 3.0 kernel team disagrees with the bar.
Backport upstream fix for CVE-2026-43465 (mlx5e XDP multi-buf frag counting for striding RQ).
Upstream: torvalds/linux@db25c42 (v7.0).
Backport type: FORWARD-PORT. 6.6.y has no upstream backport (fix landed in 6.18.y via 7d7342a18fad). The forward-port reverts xdp_update_skb_frags_info() → xdp_update_skb_shared_info() for the 6.6 API. +5/-7 LoC in drivers/net/ethernet/mellanox/mlx5/core/en_rx.c. omkhar <omkhar@linkedin.com> is the AzureLinux 3.0 forward-porter (credited in the patch header).
Code-correctness: mlx5e_skb_from_cqe_mpwrq_nonlinear shrank exactly 50 bytes (0xa3d → 0xa0b), matching removal of two frag_page -= page-pool subtractions. mlx5_core module shrank 208 bytes total.
Auto-load bonus signal: mlx5_ib auto-loaded mlx5_core in the running fixed kernel (refcnt=1); vermagic matches; kprobe insertion on the patched symbol succeeded both bare and module-qualified. ftrace kprobe fired 173,549× on the patched symbol during LTP-net (vs 4,428× on baseline) — proves the patched code path is exercised.
LTP regression: baseline-vs-patched. 0 patch-induced regressions. The 2 failing tests (mc_cmds, mc_commo) are environmental (no IGMP querier on netvsc) and identical on both sides.
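Added example, not part of the PR or the patch: one way to reproduce the two comparisons described above, the per-symbol size delta from `nm -S` output and the baseline-vs-patched LTP failure diff. The sample inputs are constructed (addresses, the second symbol's size, `ping01`, exit values); only the 0xa3d/0xa0b sizes and the two failing test names come from the PR text, and the LTP log layout is assumed to be the three-column Testcase/Result/Exit Value summary.

```python
# Constructed `nm -S` excerpts (address, size, type, name) for baseline and patched mlx5_core.
BASELINE_NM = """\
0000000000004f10 0000000000000a3d t mlx5e_skb_from_cqe_mpwrq_nonlinear
0000000000005950 00000000000001c4 t mlx5e_skb_from_cqe_mpwrq_linear
                 U page_pool_alloc_pages
"""
PATCHED_NM = """\
0000000000004f10 0000000000000a0b t mlx5e_skb_from_cqe_mpwrq_nonlinear
0000000000005920 00000000000001c4 t mlx5e_skb_from_cqe_mpwrq_linear
                 U page_pool_alloc_pages
"""
# Constructed LTP summary log; identical on both sides, as the PR reports.
BASELINE_LTP = PATCHED_LTP = """\
Testcase                       Result     Exit Value
--------                       ------     ----------
mc_cmds                        FAIL       1
mc_commo                       FAIL       1
ping01                         PASS       0
"""

def symbol_sizes(nm_text):
    """Map symbol name -> size; undefined or unsized symbols lack the 4-column form."""
    sizes = {}
    for line in nm_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            sizes[parts[3]] = int(parts[1], 16)
    return sizes

def size_deltas(baseline_nm, patched_nm):
    """Return {symbol: patched_size - baseline_size} for symbols whose size changed."""
    base, new = symbol_sizes(baseline_nm), symbol_sizes(patched_nm)
    return {n: new[n] - base[n] for n in base.keys() & new.keys() if new[n] != base[n]}

def ltp_failures(log_text):
    """Collect test names whose Result column is FAIL (header and rule lines never match)."""
    rows = (line.split() for line in log_text.splitlines())
    return {r[0] for r in rows if len(r) == 3 and r[1] == "FAIL"}

def patch_induced_regressions(baseline_log, patched_log):
    """Tests failing only on the patched kernel; shared failures are environmental."""
    return sorted(ltp_failures(patched_log) - ltp_failures(baseline_log))

if __name__ == "__main__":
    print("size deltas:", size_deltas(BASELINE_NM, PATCHED_NM))
    print("regressions:", patch_induced_regressions(BASELINE_LTP, PATCHED_LTP))
```

A size delta on any symbol other than the one the patch touches, or a non-empty regression list, is the signal to stop and review the forward-port before shipping it.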