From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2026-43464: net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ
Date: Fri, 8 May 2026 16:23:13 +0200
Message-ID: <2026050802-CVE-2026-43464-5c7a@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ

XDP multi-buf programs can modify the layout of the XDP buffer when the
program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The
referenced commit in the fixes tag corrected the assumption in the mlx5
driver that the XDP buffer layout doesn't change during a program
execution. However, this fix introduced another issue: the dropped
fragments still need to be counted on the driver side to avoid page
fragment reference counting issues.

Such an issue can be observed with the
test_xdp_native_adjst_tail_shrnk_data selftest when using a payload of
3600 and shrinking by 256 bytes (an upcoming selftest patch): the last
fragment gets released by the XDP code but doesn't get tracked by the
driver. This results in a negative pp_ref_count during page release and
the following splat:

  WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137
  Modules linked in: [...]
  CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
  RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core]
  [...]
  Call Trace:
   mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core]
   mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core]
   mlx5e_close_rq+0x50/0x60 [mlx5_core]
   mlx5e_close_queues+0x36/0x2c0 [mlx5_core]
   mlx5e_close_channel+0x1c/0x50 [mlx5_core]
   mlx5e_close_channels+0x45/0x80 [mlx5_core]
   mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core]
   mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core]
   netif_set_mtu_ext+0xf1/0x230
   do_setlink.isra.0+0x219/0x1180
   rtnl_newlink+0x79f/0xb60
   rtnetlink_rcv_msg+0x213/0x3a0
   netlink_rcv_skb+0x48/0xf0
   netlink_unicast+0x24a/0x350
   netlink_sendmsg+0x1ee/0x410
   __sock_sendmsg+0x38/0x60
   ____sys_sendmsg+0x232/0x280
   ___sys_sendmsg+0x78/0xb0
   __sys_sendmsg+0x5f/0xb0
   [...]
   do_syscall_64+0x57/0xc50

This patch fixes the issue by doing page frag counting on all the
original XDP buffer fragments for all relevant XDP actions (XDP_TX,
XDP_REDIRECT and XDP_PASS). This is basically reverting to the original
counting before the commit in the fixes tag.

As frag_page is still pointing to the original tail, the nr_frags
parameter to xdp_update_skb_frags_info() needs to be calculated
in a different way to reflect the new nr_frags.

The Linux kernel CVE team has assigned CVE-2026-43464 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 6.18 with commit afd5ba577c10639f62e8120df67dc70ea4b61176 and fixed in 6.18.19 with commit c74557495efb4bd0adefdfc8678ecdbc82a06da3
	Issue introduced in 6.18 with commit afd5ba577c10639f62e8120df67dc70ea4b61176 and fixed in 6.19.9 with commit 03cb50e5b74fce8bf6d92b860371b66253cf0f8d
	Issue introduced in 6.18 with commit afd5ba577c10639f62e8120df67dc70ea4b61176 and fixed in 7.0 with commit a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa
	Issue introduced in 6.6.115 with commit 72328f25755ee966724f46e3a0e8e59bef2091ba
	Issue introduced in 6.12.56 with commit 0049fd63881505566824e88cfa624638f921c808
	Issue introduced in 6.17.6 with commit d969645b9b7810289bf3c353ea06957373756b8e

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43464
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/net/ethernet/mellanox/mlx5/core/en_rx.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c74557495efb4bd0adefdfc8678ecdbc82a06da3
	https://git.kernel.org/stable/c/03cb50e5b74fce8bf6d92b860371b66253cf0f8d
	https://git.kernel.org/stable/c/a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa
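
Added example, not part of the original announcement: a Python triage check that maps a `uname -r` string onto the ranges listed under "Affected and fixed versions" above. The status names, the handling of -rc builds and the /sys/module/mlx5_core probe are assumptions of this example; distribution kernels that backport fixes without changing the upstream version still need a commit-level check.

```python
import os
import platform
import re

# Per stable branch: (first affected patch level, first fixed patch level, or
# None where the announcement lists no fix). Transcribed from the list above.
BRANCHES = {
    (6, 6): (115, None),
    (6, 12): (56, None),
    (6, 17): (6, None),
    (6, 18): (0, 19),
    (6, 19): (0, 9),
}


def classify(release: str) -> str:
    """Map a `uname -r` string to a status for CVE-2026-43464."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if m is None or "-rc" in release:
        # Release candidates sit between tagged versions: compare commits.
        return "check-manually"
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    if branch >= (7, 0):
        return "fixed"  # mainline fix is listed as landing in 7.0
    if branch not in BRANCHES:
        return "not-listed"
    introduced, fixed = BRANCHES[branch]
    if patch < introduced:
        return "not-listed"
    if fixed is not None and patch >= fixed:
        return "fixed"
    return "affected"


def mlx5_core_loaded() -> bool:
    """True when the mlx5_core module (the one named in the splat) is loaded."""
    return os.path.isdir("/sys/module/mlx5_core")


if __name__ == "__main__":
    # Constructed sample release strings, followed by the running kernel.
    for rel in ["6.18.7-arch1-1", "6.18.19", "6.6.114", "6.12.60-generic",
                "6.19.0-rc3+", "7.0.1", platform.release()]:
        print(f"{rel:20} {classify(rel)}")
    print("mlx5_core loaded:", mlx5_core_loaded())
```

An "affected" result matters only on hosts where mlx5_core is loaded, since the affected file belongs to that driver.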