From: Simon Horman <horms@kernel.org>
To: dhowells@redhat.com
Cc: 'Simon Horman' <horms@kernel.org>,
netdev@vger.kernel.org, marc.dionne@auristor.com,
kuba@kernel.org, davem@davemloft.net, edumazet@google.com,
pabeni@redhat.com, linux-afs@lists.infradead.org,
linux-kernel@vger.kernel.org, jaltman@auristor.com,
stable@kernel.org
Subject: Re: [PATCH net 2/4] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
Date: Tue, 21 Apr 2026 21:38:33 +0100 [thread overview]
Message-ID: <20260421203833.745240-1-horms@kernel.org> (raw)
In-Reply-To: <20260420145900.1223732-3-dhowells@redhat.com>
From: 'Simon Horman' <horms@kernel.org>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
Subject: rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
This commit modifies the RxRPC connection-level packet processor to unshare
RESPONSE packets before decryption. It introduces a new rxrpc_unshare_skb()
helper to safely unshare skbuffs passed via a double pointer and replaces
direct calls to skb_unshare().
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
> diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
> index 9a41ec708aeb9..3d56a5d233697 100644
> --- a/net/rxrpc/conn_event.c
> +++ b/net/rxrpc/conn_event.c
[ ... ]
> @@ -371,7 +379,7 @@ static void rxrpc_do_process_connection(struct rxrpc_connection *conn)
> * connection that each one has when we've finished with it */
> while ((skb = skb_dequeue(&conn->rx_queue))) {
> rxrpc_see_skb(skb, rxrpc_skb_see_conn_work);
> - ret = rxrpc_process_event(conn, skb);
> + ret = rxrpc_process_event(conn, &skb);
> switch (ret) {
> case -ENOMEM:
> case -EAGAIN:
Looking at the code immediately following this hunk in
rxrpc_do_process_connection():
switch (ret) {
case -ENOMEM:
case -EAGAIN:
skb_queue_head(&conn->rx_queue, skb);
rxrpc_queue_conn(conn, rxrpc_conn_queue_retry_work);
break;
If rxrpc_process_event() fails with -ENOMEM because rxrpc_unshare_skb()
failed, rxrpc_unshare_skb() will have set *_skb = NULL.
Does this mean skb is NULL when we reach skb_queue_head()?
Since skb_queue_head() dereferences the skb parameter, this appears to
result in a NULL pointer dereference. Furthermore, since skb_unshare()
frees the original skb on allocation failure, the packet is already gone
and requeuing it wouldn't be possible anyway.
> diff --git a/net/rxrpc/io_thread.c b/net/rxrpc/io_thread.c
> index 6979569319252..0592ce644fc3d 100644
> --- a/net/rxrpc/io_thread.c
> +++ b/net/rxrpc/io_thread.c
[ ... ]
> @@ -249,19 +249,10 @@ static bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff **_skb)
> * decryption.
> */
> if (sp->hdr.securityIndex != 0) {
> - skb = skb_unshare(skb, GFP_ATOMIC);
> - if (!skb) {
> - rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
> - *_skb = NULL;
> + skb = rxrpc_unshare_skb(_skb, GFP_ATOMIC);
> + if (!skb)
> return just_discard;
> - }
This isn't a new bug introduced by this patch, but since we are modifying
the unshare path here: when rxrpc_unshare_skb() fails, it sets *_skb = NULL
and returns just_discard.
Back in rxrpc_io_thread(), the packet is processed like this:
net/rxrpc/io_thread.c:rxrpc_io_thread() {
...
while ((skb = __skb_dequeue(&rx_queue))) {
struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
switch (skb->mark) {
case RXRPC_SKB_MARK_PACKET:
skb->priority = 0;
if (!rxrpc_input_packet(local, &skb))
rxrpc_reject_packet(local, skb);
trace_rxrpc_rx_done(skb->mark, skb->priority);
...
If rxrpc_input_packet() sets skb to NULL and returns false (just_discard),
does this cause a NULL pointer dereference when trace_rxrpc_rx_done() tries
to access skb->mark?
next prev parent reply other threads:[~2026-04-21 20:38 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-20 14:58 [PATCH net 0/4] rxrpc: Miscellaneous fixes David Howells
2026-04-20 14:58 ` [PATCH net 1/4] rxrpc: Fix memory leaks in rxkad_verify_response() David Howells
2026-04-21 20:32 ` Simon Horman
2026-04-20 14:58 ` [PATCH net 2/4] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets David Howells
2026-04-21 20:38 ` Simon Horman [this message]
2026-04-21 20:58 ` David Howells
2026-04-20 14:58 ` [PATCH net 3/4] rxgk: Fix potential integer overflow in length check David Howells
2026-04-20 14:58 ` [PATCH net 4/4] rxrpc: Fix rxkad crypto unalignment handling David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260421203833.745240-1-horms@kernel.org \
--to=horms@kernel.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=edumazet@google.com \
--cc=jaltman@auristor.com \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.dionne@auristor.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox