From: Sasha Levin
To: stable@vger.kernel.org
Cc: Wang Jie, Yifan Wu, Juefei Pu, Yuan Tan, Xin Liu, Yang Yang, David Howells, Marc Dionne, Jeffrey Altman, Simon Horman, linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski, Sasha Levin
Subject: [PATCH 5.15.y] rxrpc: only handle RESPONSE during service challenge
Date: Tue, 14 Apr 2026 07:52:18 -0400
Message-ID: <20260414115218.537085-1-sashal@kernel.org>
In-Reply-To: <2026041312-unwomanly-blissful-b6ce@gregkh>
References: <2026041312-unwomanly-blissful-b6ce@gregkh>

From: Wang Jie

[ Upstream commit c43ffdcfdbb5567b1f143556df8a04b4eeea041c ]

Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition.

This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Reported-by: Yifan Wu
Reported-by: Juefei Pu
Co-developed-by: Yuan Tan
Signed-off-by: Yuan Tan
Suggested-by: Xin Liu
Signed-off-by: Jie Wang
Signed-off-by: Yang Yang
Signed-off-by: David Howells
cc: Marc Dionne
cc: Jeffrey Altman
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-21-dhowells@redhat.com
Signed-off-by: Jakub Kicinski
[ adapted to spin_lock_bh usage, 3-arg verify_response(), and direct rxrpc_call_is_secure() ]
Signed-off-by: Sasha Levin --- net/rxrpc/conn_event.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c index 5d91ef562ff78..293922df2a891 100644 --- a/net/rxrpc/conn_event.c +++ b/net/rxrpc/conn_event.c @@ -293,6 +293,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn, u32 *_abort_code) { struct rxrpc_skb_priv *sp = rxrpc_skb(skb); + bool secured = false; __be32 wtmp; u32 abort_code; int loop, ret; @@ -337,6 +338,13 @@ static int rxrpc_process_event(struct rxrpc_connection *conn, _abort_code); case RXRPC_PACKET_TYPE_RESPONSE: + spin_lock_bh(&conn->state_lock); + if (conn->state != RXRPC_CONN_SERVICE_CHALLENGING) { + spin_unlock_bh(&conn->state_lock); + return 0; + } + spin_unlock_bh(&conn->state_lock); + ret = conn->security->verify_response(conn, skb, _abort_code); if (ret < 0) return ret; @@ -348,17 +356,18 @@ static int rxrpc_process_event(struct rxrpc_connection *conn, spin_lock(&conn->bundle->channel_lock); spin_lock_bh(&conn->state_lock); - if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) { conn->state = RXRPC_CONN_SERVICE; - spin_unlock_bh(&conn->state_lock); + secured = true; + } + spin_unlock_bh(&conn->state_lock); + + if (secured) { for (loop = 0; loop < RXRPC_MAXCALLS; loop++) rxrpc_call_is_secure( rcu_dereference_protected( conn->channels[loop].call, lockdep_is_held(&conn->bundle->channel_lock))); - } else { - spin_unlock_bh(&conn->state_lock); } spin_unlock(&conn->bundle->channel_lock); -- 2.53.0
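Review bot: in the hunk at @@ -337,6 +338,13 @@, the new RXRPC_CONN_SERVICE_CHALLENGING test releases state_lock before verify_response() is called, so the check and the state transition in the later hunk are two separate critical sections and nothing in these lines keeps conn->state from changing in between. The locked re-test in the last hunk still guards the transition itself, but the early test only filters RESPONSE packets that arrive after the transition has completed. Please add a comment naming what serializes rxrpc_process_event() per connection, or say in the changelog that the early check is a filter and the locked re-test remains the authoritative one. The bare "return 0;" also drops a late or duplicate RESPONSE silently; a one-line comment that this is intentional would help the next reader.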
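Review bot: in the hunk at @@ -348,17 +356,18 @@, the removed lines show that the "conn->state == RXRPC_CONN_SERVICE_CHALLENGING" test was already made with state_lock held in this tree, so the commit message's "removes the unlocked post-transition state test" does not describe anything this hunk changes. As written, the switch to the "secured" flag is a restructuring with the same locking as before: the rxrpc_call_is_secure() loop still runs after spin_unlock_bh(&conn->state_lock) and under channel_lock. Please extend the bracketed backport note to say that this part is a no-op refactor in 5.15.y and that the functional change is the early state check in the RESPONSE case.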