From: David Howells <dhowells@redhat.com>
To: netdev@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
	Hyunwoo Kim <imv4bel@gmail.com>,
	Marc Dionne <marc.dionne@auristor.com>,
	Jakub Kicinski <kuba@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
	linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH net 0/3] rxrpc: Better fix for DATA/RESPONSE decrypt vs splice()
Date: Mon, 11 May 2026 17:07:46 +0100
Message-ID: <20260511160753.607296-1-dhowells@redhat.com>

Here are two patches containing better fixes for the in-place decryption of
DATA and RESPONSE packets that can corrupt pagecache spliced into UDP
packets and sent to an AF_RXRPC server [CVE-2026-43500].

[!] Note that Hyunwoo Kim's fix is included as that is a prerequisite for
the main patches to build.  This is in Linus's tree, but not yet net/main.

One patch fixes DATA decryption by having recvmsg unconditionally extract
the data into a flat bounce buffer and, if need be, decrypt it there.  It
doesn't seem to cause a performance problem to do this even on unencrypted
packets; for encrypted packets it makes sure the content is correctly
aligned for crypto which seems to get a small performance gain.

Further, it means that DATA packets are no longer copied in the I/O thread,
avoiding a slowdown of the protocol engine that runs there.

The other patch fixes RESPONSE decryption by having the connection event
handler worker copy the data to a flat buffer and, again, decrypt it there.
This simplifies RESPONSE handling.

With these two fixes, the data content of the received sk_buff no longer
gets altered.

David

The patches can be found here also:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-fixes

David Howells (2):
  rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in
    recvmsg
  rxrpc: Fix RESPONSE packet verification to extract skb to a linear
    buffer

Hyunwoo Kim (1):
  rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

 net/rxrpc/ar-internal.h |  77 ++++++++++++++++--
 net/rxrpc/call_event.c  |  20 +----
 net/rxrpc/call_object.c |   2 +
 net/rxrpc/conn_event.c  |  32 ++++----
 net/rxrpc/insecure.c    |   8 +-
 net/rxrpc/protocol.h    |   1 -
 net/rxrpc/recvmsg.c     |  72 +++++++++++++----
 net/rxrpc/rxgk.c        | 175 ++++++++++++++--------------------------
 net/rxrpc/rxgk_app.c    |  91 +++++++++------------
 net/rxrpc/rxgk_common.h |  76 ++++++++---------
 net/rxrpc/rxkad.c       | 175 +++++++++++++++-------------------------
 11 files changed, 349 insertions(+), 380 deletions(-)
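
The difference between decrypting received data in place and decrypting it in a flat bounce buffer, as an added userspace model that is not code from this patch series. The structures, function names and the XOR cipher are hypothetical stand-ins, not rxrpc or sk_buff APIs.

```c
#include <stdint.h>
#include <string.h>

/* Userspace model, hypothetical names: a frag may point at memory not owned by the packet. */
struct frag { uint8_t *data; size_t len; };
struct pkt { struct frag frags[2]; size_t nr_frags; };

/* Toy XOR keystream standing in for the real cipher; works in place. */
static void toy_crypt(uint8_t *buf, size_t len, size_t off, uint8_t key)
{
	for (size_t i = 0; i < len; i++)
		buf[i] ^= (uint8_t)(key + off + i);
}

/* Before: decrypt each fragment where it lies, altering shared memory. */
static void decrypt_in_place(struct pkt *p, uint8_t key)
{
	for (size_t i = 0, off = 0; i < p->nr_frags; off += p->frags[i++].len)
		toy_crypt(p->frags[i].data, p->frags[i].len, off, key);
}

/* After: gather into a flat bounce buffer and decrypt only there. */
static size_t decrypt_bounce(const struct pkt *p, uint8_t *flat, size_t cap, uint8_t key)
{
	size_t off = 0;
	for (size_t i = 0; i < p->nr_frags; off += p->frags[i++].len) {
		if (p->frags[i].len > cap - off)
			return 0;	/* would overflow the bounce buffer */
		memcpy(flat + off, p->frags[i].data, p->frags[i].len);
	}
	toy_crypt(flat, off, 0, key);
	return off;
}

/* Constructed sample: 1 if the shared page is unaltered, 0 if altered, -1 on error. */
int demo(int use_bounce)
{
	static const char plain[] = "constructed sample payload";
	_Alignas(64) uint8_t flat[64], ct[26], page[18];
	struct pkt p = { { { ct, 8 }, { page, 18 } }, 2 };
	memcpy(ct, plain, 26);
	toy_crypt(ct, 26, 0, 0x5a);	/* encrypt: XOR is its own inverse */
	memcpy(page, ct + 8, 18);	/* tail lives in the "spliced" page */
	if (!use_bounce)
		decrypt_in_place(&p, 0x5a);
	else if (decrypt_bounce(&p, flat, sizeof(flat), 0x5a) != 26 || memcmp(flat, plain, 26))
		return -1;
	return !memcmp(page, ct + 8, 18);
}

int main(void) { return demo(1) == 1 && demo(0) == 0 ? 0 : 1; }
```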


Thread overview: 15+ messages
2026-05-11 16:07 David Howells [this message]
2026-05-11 16:07 ` [PATCH net 1/3] rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present David Howells
2026-05-11 16:07 ` [PATCH net 2/3] rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg David Howells
2026-05-12  7:58   ` Jeffrey Altman
2026-05-13  8:01     ` David Howells
2026-05-13  8:13       ` David Howells
2026-05-13  8:38       ` David Laight
2026-05-13  9:48       ` Jeffrey Altman
2026-05-12 13:38   ` David Laight
2026-05-12 16:52     ` David Howells
2026-05-12 21:36       ` David Laight
2026-05-11 16:07 ` [PATCH net 3/3] rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer David Howells
2026-05-12  8:22   ` Jeffrey Altman
2026-05-13  0:06   ` Jakub Kicinski
2026-05-13  7:35     ` David Howells
