CVE-2026-23377
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/03/2026
Last modified:
28/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz

The only user of frag_size field in XDP RxQ info is bpf_xdp_frags_increase_tail(). It clearly expects whole buff size instead of DMA write size. Different assumptions in ice driver configuration lead to negative tailroom.

This allows to trigger kernel panic, when using XDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to 6912 and the requested offset to a huge value, e.g. XSK_UMEM__MAX_FRAME_SIZE * 100.

Due to other quirks of the ZC configuration in ice, panic is not observed in ZC mode, but tailroom growing still fails when it should not.

Use fill queue buffer truesize instead of DMA write size in XDP RxQ info. Fix ZC mode too by using the new helper.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.3 (including) | 6.19.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | | |