In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ
XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpfxdppulldata() or bpfxdpadjusttail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues.
Such issue can be observed with the testxdpnativeadjsttailshrnkdata selftest when using a payload of 3600 and shrinking by 256 bytes (an upcoming selftest patch): the last fragment gets released by the XDP code but doesn't get tracked by the driver. This results in a negative pprefcount during page release and the following splat:
WARNING: include/net/pagepool/helpers.h:297 at mlx5epagereleasefragmented.isra.0+0x4a/0x50 [mlx5core], CPU#12: ip/3137 Modules linked in: [...] CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5epagereleasefragmented.isra.0+0x4a/0x50 [mlx5core] [...] Call Trace: <TASK> mlx5edeallocrxwqe+0xcb/0x1a0 [mlx5core] mlx5efreerxdescs+0x7f/0x110 [mlx5core] mlx5ecloserq+0x50/0x60 [mlx5core] mlx5eclosequeues+0x36/0x2c0 [mlx5core] mlx5eclosechannel+0x1c/0x50 [mlx5core] mlx5eclosechannels+0x45/0x80 [mlx5core] mlx5esafeswitchparams+0x1a5/0x230 [mlx5core] mlx5echangemtu+0xf3/0x2f0 [mlx5core] netifsetmtuext+0xf1/0x230 dosetlink.isra.0+0x219/0x1180 rtnlnewlink+0x79f/0xb60 rtnetlinkrcvmsg+0x213/0x3a0 netlinkrcvskb+0x48/0xf0 netlinkunicast+0x24a/0x350 netlink_sendmsg+0x1ee/0x410 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x232/0x280 ___sys_sendmsg+0x78/0xb0 _syssendmsg+0x5f/0xb0 [...] dosyscall64+0x57/0xc50
This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDPTX , XDPREDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag.
As fragpage is still pointing to the original tail, the nrfrags parameter to xdpupdateskbfragsinfo() needs to be calculated in a different way to reflect the new nr_frags.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43464.json",
"cna_assigner": "Linux"
}