[PATCH 6.6.y 1/2] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Wentao Guan <guanwentao@uniontech.com>
To: gregkh@linuxfoundation.org
Cc: dhowells@redhat.com, imv4bel@gmail.com, jiayuan.chen@linux.dev,
	stable@vger.kernel.org, torvalds@linux-foundation.org,
	Marc Dionne <marc.dionne@auristor.com>,
	Jeffrey Altman <jaltman@auristor.com>,
	Simon Horman <horms@kernel.org>,
	linux-afs@lists.infradead.org, stable@kernel.org,
	Jakub Kicinski <kuba@kernel.org>,
	Wentao Guan <guanwentao@uniontech.com>
Subject: [PATCH 6.6.y 1/2] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
Date: Tue, 12 May 2026 23:21:59 +0800	[thread overview]
Message-ID: <20260512152159.90879-1-guanwentao@uniontech.com> (raw)
In-Reply-To: <2026051113-sponge-uproar-1d30@gregkh>

From: David Howells <dhowells@redhat.com>

The security operations that verify the RESPONSE packets decrypt bits of it
in place - however, the sk_buff may be shared with a packet sniffer, which
would lead to the sniffer seeing an apparently corrupt packet (actually
decrypted).

Fix this by handing a copy of the packet off to the specific security
handler if the packet was cloned.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 24481a7f573305706054c59e275371f8d0fe919f)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
---
NOTE:
Pls apply these pathes after commit in stable queue like:
(HEAD -> for-stable-queue) rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
(refs/patches/for-stable-queue/rxrpc-fix-rxrpc_input_call_event-to-only-unshare-dat.patch)
Subject: rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
---
---
 net/rxrpc/conn_event.c | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index 82cc72123c9c9..6dcfaed1f7485 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -226,6 +226,33 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call)
 		rxrpc_notify_socket(call);
 }
 
+static int rxrpc_verify_response(struct rxrpc_connection *conn,
+				 struct sk_buff *skb)
+{
+	int ret;
+
+	if (skb_cloned(skb)) {
+		/* Copy the packet if shared so that we can do in-place
+		 * decryption.
+		 */
+		struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
+
+		if (nskb) {
+			rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
+			ret = conn->security->verify_response(conn, nskb);
+			rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
+		} else {
+			/* OOM - Drop the packet. */
+			rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
+			ret = -ENOMEM;
+		}
+	} else {
+		ret = conn->security->verify_response(conn, skb);
+	}
+
+	return ret;
+}
+
 /*
  * connection-level Rx packet processor
  */
@@ -253,7 +280,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
 		}
 		spin_unlock(&conn->state_lock);
 
-		ret = conn->security->verify_response(conn, skb);
+		ret = rxrpc_verify_response(conn, skb);
 		if (ret < 0)
 			return ret;
 
-- 
2.30.2

next prev parent reply	other threads:[~2026-05-12 15:24 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-11  6:02 FAILED: patch "[PATCH] rxrpc: Also unshare DATA/RESPONSE packets when paged frags" failed to apply to 6.6-stable tree gregkh
2026-05-12 15:21 ` [PATCH 1/2] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets Wentao Guan
2026-05-12 15:21 ` Wentao Guan [this message]
2026-05-12 15:22 ` [PATCH 6.6.y 2/2] rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present Wentao Guan

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:82cc72123c9c dfblob:6dcfaed1f748 )
 OR (
bs:"[PATCH 6.6.y 1/2] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260512152159.90879-1-guanwentao@uniontech.com \
    --to=guanwentao@uniontech.com \
    --cc=dhowells@redhat.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=horms@kernel.org \
    --cc=imv4bel@gmail.com \
    --cc=jaltman@auristor.com \
    --cc=jiayuan.chen@linux.dev \
    --cc=kuba@kernel.org \
    --cc=linux-afs@lists.infradead.org \
    --cc=marc.dionne@auristor.com \
    --cc=stable@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.