From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 228923F0757 for ; Fri, 8 May 2026 14:26:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250410; cv=none; b=BfqN2lXroF6/yyiHjmFdsibTlxHeltXA1jOI7VrnMMnOA8pYppyV6V/67ZnrsYXKf1vpnTIueEH5S5PSZo7sji044xxFUV5qo67HjSNuUtD5vvvRfTLGTkSvA6k3L1+F3xuB1UYHY5urFqGHD4zmXSs4x/2sj5DlpTZUg1JuEow= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250410; c=relaxed/simple; bh=uA68G+pC3WAffLp1J/TzF+iQpCsHEFevNdBoFDbmRbE=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=kM6lwB0q04XKFkcmRBNldvH84txC4tuMSH/VVCZMzdwsp/3ujpwQb1ATtDnCGYg0sB8NooFt+PFvbqYgNA2AjfrX0mLbFc2o0ujkZFx7O1W5PkOTzXlLPr2ulbDYiu2DIu2z09oOCUoUU2aVldR1zxEYpt2DcGE8HdyebO3urVw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=A/7DsGkS; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="A/7DsGkS" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 60851C2BCB0; Fri, 8 May 2026 14:26:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778250409; bh=uA68G+pC3WAffLp1J/TzF+iQpCsHEFevNdBoFDbmRbE=; h=From:To:Cc:Subject:Date:Reply-To:From; b=A/7DsGkSkqN7WYiUm+aO8sTlKbqyx2hIYaKh/FBcqYuY63yfVO0PsCsePsLhWBsdx MKBOiXAuw5KE0LAs2w+iYbez/xSPNjUtrKDW7E8SdpJsEyV9s4tNL7akFVzScLkcas OrLfs7AW1uu2LWGBi4+IW0Yk1Ahca+Fdh2W4Co8U= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-43465: net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ Date: Fri, 8 May 2026 16:23:14 +0200 Message-ID: <2026050802-CVE-2026-43465-291e@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=5581; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=eXspEcUR+6OQxnqV/ZCcbKSaQ/XrAWB5P4PGyhxO/W0=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/P3aX10/93LlzpmD4Ss2Jdt7+/9V//bf+bPv4q0Xtg Xjn7RElHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRM0cYFtzMm1506rFFSYlS CYd/R3musOxDV4b50de2uyT82PXE7CHvik8+v2r4GK8qAAA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues. The issue was discovered by the drivers/net/xdp.py selftest, more specifically the test_xdp_native_tx_mb: - The mlx5 driver allocates a page_pool page and initializes it with a frag counter of 64 (pp_ref_count=64) and the internal frag counter to 0. - The test sends one packet with no payload. - On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP buffer with the packet data starting in the first fragment which is the page mentioned above. - The XDP program runs and calls bpf_xdp_pull_data() which moves the header into the linear part of the XDP buffer. As the packet doesn't contain more data, the program drops the tail fragment since it no longer contains any payload (pp_ref_count=63). - mlx5 device skips counting this fragment. Internal frag counter remains 0. - mlx5 releases all 64 fragments of the page but page pp_ref_count is 63 => negative reference counting error. Resulting splat during the test: WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] Modules linked in: [...] CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] [...] Call Trace: mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core] mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core] mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core] mlx5e_close_rq+0x78/0xa0 [mlx5_core] mlx5e_close_queues+0x46/0x2a0 [mlx5_core] mlx5e_close_channel+0x24/0x90 [mlx5_core] mlx5e_close_channels+0x5d/0xf0 [mlx5_core] mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core] mlx5e_change_mtu+0x11d/0x490 [mlx5_core] mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core] netif_set_mtu_ext+0xfc/0x240 do_setlink.isra.0+0x226/0x1100 rtnl_newlink+0x7a9/0xba0 rtnetlink_rcv_msg+0x220/0x3c0 netlink_rcv_skb+0x4b/0xf0 netlink_unicast+0x255/0x380 netlink_sendmsg+0x1f3/0x420 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x1e8/0x240 ___sys_sendmsg+0x7c/0xb0 [...] __sys_sendmsg+0x5f/0xb0 do_syscall_64+0x55/0xc70 The problem applies for XDP_PASS as well which is handled in a different code path in the driver. This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX , XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag. As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags. The Linux kernel CVE team has assigned CVE-2026-43465 to this issue. Affected and fixed versions =========================== Issue introduced in 6.18 with commit 87bcef158ac1faca1bd7e0104588e8e2956d10be and fixed in 6.18.19 with commit 7d7342a18fadcdb70a63b3c930dc63528ce51832 Issue introduced in 6.18 with commit 87bcef158ac1faca1bd7e0104588e8e2956d10be and fixed in 6.19.9 with commit 043bd62f748bc9fd98154037aa598cffbd3c667c Issue introduced in 6.18 with commit 87bcef158ac1faca1bd7e0104588e8e2956d10be and fixed in 7.0 with commit db25c42c2e1f9c0d136420fff5e5700f7e771a6f Issue introduced in 6.6.115 with commit 8b051d7f530e8a5237da242fbeafef02fec6b813 Issue introduced in 6.12.56 with commit cb9edd583e23979ee546981be963ad5f217e8b18 Issue introduced in 6.17.6 with commit f2557d7fa38e9475b38588f5c124476091480f53 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-43465 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/ethernet/mellanox/mlx5/core/en_rx.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/7d7342a18fadcdb70a63b3c930dc63528ce51832 https://git.kernel.org/stable/c/043bd62f748bc9fd98154037aa598cffbd3c667c https://git.kernel.org/stable/c/db25c42c2e1f9c0d136420fff5e5700f7e771a6f