net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ

XDP multi-buf programs can modify the layout of the XDP buffer when the
program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The
referenced commit in the fixes tag corrected the assumption in the mlx5
driver that the XDP buffer layout doesn't change during a program
execution. However, this fix introduced another issue: the dropped
fragments still need to be counted on the driver side to avoid page
fragment reference counting issues.

Such issue can be observed with the
test_xdp_native_adjst_tail_shrnk_data selftest when using a payload of
3600 and shrinking by 256 bytes (an upcoming selftest patch): the last
fragment gets released by the XDP code but doesn't get tracked by the
driver. This results in a negative pp_ref_count during page release and
the following splat:

WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137
Modules linked in: [...]
CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core]
[...]
Call Trace:
<TASK>
mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core]
mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core]
mlx5e_close_rq+0x50/0x60 [mlx5_core]
mlx5e_close_queues+0x36/0x2c0 [mlx5_core]
mlx5e_close_channel+0x1c/0x50 [mlx5_core]
mlx5e_close_channels+0x45/0x80 [mlx5_core]
mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core]
mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core]
netif_set_mtu_ext+0xf1/0x230
do_setlink.isra.0+0x219/0x1180
rtnl_newlink+0x79f/0xb60
rtnetlink_rcv_msg+0x213/0x3a0
netlink_rcv_skb+0x48/0xf0
netlink_unicast+0x24a/0x350
netlink_sendmsg+0x1ee/0x410
__sock_sendmsg+0x38/0x60
____sys_sendmsg+0x232/0x280
___sys_sendmsg+0x78/0xb0
__sys_sendmsg+0x5f/0xb0
[...]
do_syscall_64+0x57/0xc50

This patch fixes the issue by doing page frag counting on all the
original XDP buffer fragments for all relevant XDP actions (XDP_TX ,
XDP_REDIRECT and XDP_PASS). This is basically reverting to the original
counting before the commit in the fixes tag.

As frag_page is still pointing to the original tail, the nr_frags
parameter to xdp_update_skb_frags_info() needs to be calculated
in a different way to reflect the new nr_frags.

Basic Information

ID CVE-2026-43464

Source Linux

Published May 8, 2026 at 14:22

Modified May 11, 2026 at 06:34

Affected Product

Vendor Linux

Product Linux

Version afd5ba577c10639f62e8120df67dc70ea4b61176

Affected Versions Linux Linux afd5ba577c10639f62e8120df67dc70ea4b61176
Linux Linux afd5ba577c10639f62e8120df67dc70ea4b61176
Linux Linux afd5ba577c10639f62e8120df67dc70ea4b61176
Linux Linux 72328f25755ee966724f46e3a0e8e59bef2091ba
Linux Linux 0049fd63881505566824e88cfa624638f921c808
Linux Linux d969645b9b7810289bf3c353ea06957373756b8e
Linux Linux 6.18

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ\n\nXDP multi-buf programs can modify the layout of the XDP buffer when the\nprogram calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The\nreferenced commit in the fixes tag corrected the assumption in the mlx5\ndriver that the XDP buffer layout doesn't change during a program\nexecution. However, this fix introduced another issue: the dropped\nfragments still need to be counted on the driver side to avoid page\nfragment reference counting issues.\n\nSuch issue can be observed with the\ntest_xdp_native_adjst_tail_shrnk_data selftest when using a payload of\n3600 and shrinking by 256 bytes (an upcoming selftest patch): the last\nfragment gets released by the XDP code but doesn't get tracked by the\ndriver. This results in a negative pp_ref_count during page release and\nthe following splat:\n\n  WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137\n  Modules linked in: [...]\n  CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core]\n  [...]\n  Call Trace:\n   <TASK>\n   mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core]\n   mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core]\n   mlx5e_close_rq+0x50/0x60 [mlx5_core]\n   mlx5e_close_queues+0x36/0x2c0 [mlx5_core]\n   mlx5e_close_channel+0x1c/0x50 [mlx5_core]\n   mlx5e_close_channels+0x45/0x80 [mlx5_core]\n   mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core]\n   mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core]\n   netif_set_mtu_ext+0xf1/0x230\n   do_setlink.isra.0+0x219/0x1180\n   rtnl_newlink+0x79f/0xb60\n   rtnetlink_rcv_msg+0x213/0x3a0\n   netlink_rcv_skb+0x48/0xf0\n   netlink_unicast+0x24a/0x350\n   netlink_sendmsg+0x1ee/0x410\n   __sock_sendmsg+0x38/0x60\n   ____sys_sendmsg+0x232/0x280\n   ___sys_sendmsg+0x78/0xb0\n   __sys_sendmsg+0x5f/0xb0\n   [...]\n   do_syscall_64+0x57/0xc50\n\nThis patch fixes the issue by doing page frag counting on all the\noriginal XDP buffer fragments for all relevant XDP actions (XDP_TX ,\nXDP_REDIRECT and XDP_PASS). This is basically reverting to the original\ncounting before the commit in the fixes tag.\n\nAs frag_page is still pointing to the original tail, the nr_frags\nparameter to xdp_update_skb_frags_info() needs to be calculated\nin a different way to reflect the new nr_frags.",
    "published": "2026-05-08T14:22:26.039Z",
    "modified": "2026-05-11T06:34:51.018Z",
    "type": "cve",
    "title": "net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/c74557495efb4bd0adefdfc8678ecdbc82a06da3\nhttps://git.kernel.org/stable/c/03cb50e5b74fce8bf6d92b860371b66253cf0f8d\nhttps://git.kernel.org/stable/c/a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa",
    "id": "CVE-2026-43464",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux afd5ba577c10639f62e8120df67dc70ea4b61176\nLinux Linux afd5ba577c10639f62e8120df67dc70ea4b61176\nLinux Linux afd5ba577c10639f62e8120df67dc70ea4b61176\nLinux Linux 72328f25755ee966724f46e3a0e8e59bef2091ba\nLinux Linux 0049fd63881505566824e88cfa624638f921c808\nLinux Linux d969645b9b7810289bf3c353ea06957373756b8e\nLinux Linux 6.18",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "afd5ba577c10639f62e8120df67dc70ea4b61176",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ_CVE-2026-43464

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply