From 60c0a4e181a53917b8ab4dc573cfcfbbfdcd4d86 Mon Sep 17 00:00:00 2001
From: Kevin Wang
Date: Thu, 7 May 2026 22:38:28 -0700
Subject: [PATCH] kernel: disable DirtyFrag trigger modules

---
 .../recipes-kernel/linux/files/dstack-docker.cfg | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg b/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg
index cb71c50..99f4607 100644
--- a/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg
+++ b/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg
@@ -26,7 +26,17 @@ CONFIG_BRIDGE_VLAN_FILTERING=y
 CONFIG_XFRM=y
 CONFIG_XFRM_USER=y
 CONFIG_XFRM_ALGO=y
-CONFIG_INET_ESP=y
+# Disable ESP transforms to mitigate DirtyFrag-style page-cache writes via esp4/esp6.
+# Keep XFRM userspace support available for non-ESP networking features, but do
+# not build the vulnerable ESP protocol handlers.
+CONFIG_INET_ESP=n
+CONFIG_INET6_ESP=n
+CONFIG_XFRM_ESP=n
+
+# RxRPC is not needed by dstack and is another DirtyFrag trigger path. Keep it
+# disabled even if future kernel feature sets would otherwise enable it.
+CONFIG_AF_RXRPC=n
+CONFIG_RXKAD=n
 CONFIG_NETFILTER_XT_MATCH_BPF=y
 CONFIG_CRYPTO_SEQIV=y
 CONFIG_IPVLAN=m
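Review bot: The new lines disable symbols with `CONFIG_INET_ESP=n`, `CONFIG_INET6_ESP=n`, `CONFIG_AF_RXRPC=n` and `CONFIG_RXKAD=n`, but the form a kernel config fragment and merge tooling canonically expect is `# CONFIG_INET_ESP is not set`; the Kconfig reader accepts `=n`, yet merge_config.sh compares each requested line against the final .config and may flag these as not applied, so the build's config audit should confirm the options really end up unset rather than relying on the fragment alone. `CONFIG_XFRM_ESP` is, as far as I recall, a select-only symbol with no prompt, so `CONFIG_XFRM_ESP=n` cannot override anything that still selects it and only follows from INET_ESP/INET6_ESP being off; either drop that line or keep it purely as documentation. The comments describe a mitigation but give no end condition; a line such as `# Workaround until the <FIXED-KERNEL-VERSION> esp/rxrpc fix is in this tree; revisit then` would make clear when ESP can be re-enabled. It is also worth stating in the fragment that userspace IPsec setups depending on ESP transforms will now fail, since that is a functional regression of this hardening, not just a dropped module.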