CVE-2024-26640

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/03/2024
Last modified: 10/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp: add sanity checks to rx zerocopy

TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs.

This patch adds to can_map_frag() these additional checks:

- Page must not be a compound one.
- page->mapping must be NULL.

This fixes the panic reported by ZhangPeng.

syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy.

r3 = socket$inet_tcp(0x2, 0x1, 0x0)
mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)
r4 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)
connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
    0x181e42, 0x0)
fallocate(r5, 0x0, 0x0, 0x85b8)
sendfile(r4, r5, 0x0, 0x8ba0)
getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,
    &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)
r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
    0x181e42, 0x0)

Vulnerable products and versions

CPE                                               From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.18 (including)   5.10.210 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.11 (including)   5.15.149 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)   6.1.77 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)    6.6.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)    6.7.4 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
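
For triage, the upstream ranges in the table above can be checked against a host's `uname -r` string. The following is an added example, not part of the advisory or the kernel patch; the function names are hypothetical, the sample release strings are constructed, and the handling of unlisted -rc builds is an assumption noted in the code.

```python
import re

# Affected upstream ranges from the table above: (from, inclusive), (up to, exclusive).
AFFECTED_RANGES = [
    ((4, 18, 0), (5, 10, 210)),
    ((5, 11, 0), (5, 15, 149)),
    ((5, 16, 0), (6, 1, 77)),
    ((6, 2, 0), (6, 6, 16)),
    ((6, 7, 0), (6, 7, 4)),
]
# Release candidates the table lists individually.
AFFECTED_PRERELEASES = {((6, 8, 0), "rc1"), ((6, 8, 0), "rc2")}

# Matches the leading "X.Y[.Z][-rcN]" of a `uname -r` string; any
# distribution suffix such as "-91-generic" is ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(rc\d+))?")


def parse_release(release):
    """Return ((major, minor, patch), rc_tag_or_None) for a kernel release string."""
    match = _RELEASE_RE.match(release.strip())
    if match is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = match.groups()
    return (int(major), int(minor), int(patch or 0)), rc


def is_affected_upstream(release):
    """True if the upstream version number falls in a range the advisory lists."""
    version, rc = parse_release(release)
    if rc is not None and (version, rc) in AFFECTED_PRERELEASES:
        return True
    # Assumption: an -rc build outside the explicit list is judged by its base
    # version, so 6.8.0-rc3 is not flagged because the table has no 6.8 range.
    return any(low <= version < high for low, high in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample release strings, not output from a real host.
    for sample in ("5.10.209", "5.10.210", "5.15.0-91-generic", "6.8.0-rc2", "6.8.0"):
        print(f"{sample:20} affected by version number: {is_affected_upstream(sample)}")
```

Distribution kernels often backport fixes without changing the upstream base version, so a positive result for a vendor kernel such as `5.15.0-91-generic` means the vendor's own advisory still has to be checked.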