From: Simon Horman <horms@kernel.org>
To: dhowells@redhat.com
Cc: 'Simon Horman' <horms@kernel.org>,
netdev@vger.kernel.org, marc.dionne@auristor.com,
kuba@kernel.org, davem@davemloft.net, edumazet@google.com,
pabeni@redhat.com, linux-afs@lists.infradead.org,
linux-kernel@vger.kernel.org, jaltman@auristor.com,
stable@kernel.org
Subject: Re: [PATCH net 2/4] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
Date: Tue, 21 Apr 2026 21:38:33 +0100 [thread overview]
Message-ID: <20260421203833.745240-1-horms@kernel.org> (raw)
In-Reply-To: <20260420145900.1223732-3-dhowells@redhat.com>
From: 'Simon Horman' <horms@kernel.org>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
Subject: rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
This commit modifies the RxRPC connection-level packet processor to unshare
RESPONSE packets before decryption. It introduces a new rxrpc_unshare_skb()
helper to safely unshare skbuffs passed via a double pointer and replaces
direct calls to skb_unshare().
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
> diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
> index 9a41ec708aeb9..3d56a5d233697 100644
> --- a/net/rxrpc/conn_event.c
> +++ b/net/rxrpc/conn_event.c
[ ... ]
> @@ -371,7 +379,7 @@ static void rxrpc_do_process_connection(struct rxrpc_connection *conn)
> * connection that each one has when we've finished with it */
> while ((skb = skb_dequeue(&conn->rx_queue))) {
> rxrpc_see_skb(skb, rxrpc_skb_see_conn_work);
> - ret = rxrpc_process_event(conn, skb);
> + ret = rxrpc_process_event(conn, &skb);
> switch (ret) {
> case -ENOMEM:
> case -EAGAIN:
Looking at the code immediately following this hunk in
rxrpc_do_process_connection():
switch (ret) {
case -ENOMEM:
case -EAGAIN:
skb_queue_head(&conn->rx_queue, skb);
rxrpc_queue_conn(conn, rxrpc_conn_queue_retry_work);
break;
If rxrpc_process_event() fails with -ENOMEM because rxrpc_unshare_skb()
failed, rxrpc_unshare_skb() will have set *_skb = NULL.
Does this mean skb is NULL when we reach skb_queue_head()?
Since skb_queue_head() dereferences the skb parameter, this appears to
result in a NULL pointer dereference. Furthermore, since skb_unshare()
frees the original skb on allocation failure, the packet is already gone
and requeuing it wouldn't be possible anyway.
> diff --git a/net/rxrpc/io_thread.c b/net/rxrpc/io_thread.c
> index 6979569319252..0592ce644fc3d 100644
> --- a/net/rxrpc/io_thread.c
> +++ b/net/rxrpc/io_thread.c
[ ... ]
> @@ -249,19 +249,10 @@ static bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff **_skb)
> * decryption.
> */
> if (sp->hdr.securityIndex != 0) {
> - skb = skb_unshare(skb, GFP_ATOMIC);
> - if (!skb) {
> - rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
> - *_skb = NULL;
> + skb = rxrpc_unshare_skb(_skb, GFP_ATOMIC);
> + if (!skb)
> return just_discard;
> - }
This isn't a new bug introduced by this patch, but since we are modifying
the unshare path here: when rxrpc_unshare_skb() fails, it sets *_skb = NULL
and returns just_discard.
Back in rxrpc_io_thread(), the packet is processed like this:
net/rxrpc/io_thread.c:rxrpc_io_thread() {
...
while ((skb = __skb_dequeue(&rx_queue))) {
struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
switch (skb->mark) {
case RXRPC_SKB_MARK_PACKET:
skb->priority = 0;
if (!rxrpc_input_packet(local, &skb))
rxrpc_reject_packet(local, skb);
trace_rxrpc_rx_done(skb->mark, skb->priority);
...
If rxrpc_input_packet() sets skb to NULL and returns false (just_discard),
does this cause a NULL pointer dereference when trace_rxrpc_rx_done() tries
to access skb->mark?
next prev parent reply other threads:[~2026-04-21 20:38 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-20 14:58 [PATCH net 0/4] rxrpc: Miscellaneous fixes David Howells
2026-04-20 14:58 ` [PATCH net 1/4] rxrpc: Fix memory leaks in rxkad_verify_response() David Howells
2026-04-21 20:32 ` Simon Horman
2026-04-20 14:58 ` [PATCH net 2/4] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets David Howells
2026-04-21 20:38 ` Simon Horman [this message]
2026-04-21 20:58 ` David Howells
2026-04-20 14:58 ` [PATCH net 3/4] rxgk: Fix potential integer overflow in length check David Howells
2026-04-20 14:58 ` [PATCH net 4/4] rxrpc: Fix rxkad crypto unalignment handling David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260421203833.745240-1-horms@kernel.org \
--to=horms@kernel.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=edumazet@google.com \
--cc=jaltman@auristor.com \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.dionne@auristor.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.