APPLIED: [SRU][N][PATCH 0/1] CVE-2026-43465
Stefan Bader
stefan.bader at canonical.com
Tue Jul 14 15:01:56 UTC 2026
On 24/06/2026 03:12, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-43465
>
> [ Impact ]
>
> The mlx5 driver mishandles XDP multi-buf fragment counting for striding RQ.
> When an XDP multi-buf program changes the buffer layout via bpf_xdp_pull_data()
> or bpf_xdp_adjust_tail() and drops a tail fragment, the driver skips counting
> that fragment, leaving its internal frag counter out of sync with the page_pool
> reference count. This leads to negative page reference counting errors and
> triggers a warning splat when the RX queue is torn down, corrupting page_pool
> accounting and potentially destabilizing the system.
>
> [ Fix ]
>
> noble: backported with AI-assisted adaptation
>
> [ Test Plan ]
>
> Boot tested.
>
> [ Where Problems Could Occur ]
>
> A regression in this fix would affect the mlx5e RX datapath, specifically XDP
> multi-buf handling for striding RQ. Incorrect fragment counting could
> reintroduce page_pool reference leaks or premature page releases, leading to
> memory corruption or crashes on systems using ConnectX hardware with XDP
> programs.
>
Applied to noble:linux/master-next. Thanks.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/954f0eba/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/954f0eba/attachment-0001.sig>
More information about the kernel-team
mailing list