From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Yifan Wu <yifanwucs@gmail.com>,
Juefei Pu <tomapufckgml@gmail.com>,
Yuan Tan <yuantan098@gmail.com>, Xin Liu <bird@lzu.edu.cn>,
Jie Wang <jiewang2024@lzu.edu.cn>, Yang Yang <n05ec@lzu.edu.cn>,
David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
Jeffrey Altman <jaltman@auristor.com>,
Simon Horman <horms@kernel.org>,
linux-afs@lists.infradead.org, stable@kernel.org,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.12 13/35] rxrpc: only handle RESPONSE during service challenge
Date: Fri, 24 Apr 2026 15:31:20 +0200 [thread overview]
Message-ID: <20260424132414.436666103@linuxfoundation.org> (raw)
In-Reply-To: <20260424132411.427029259@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Jie <jiewang2024@lzu.edu.cn>
[ Upstream commit c43ffdcfdbb5567b1f143556df8a04b4eeea041c ]
Only process RESPONSE packets while the service connection is still in
RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before
running response verification and security initialization, then use a local
secured flag to decide whether to queue the secured-connection work after
the state transition. This keeps duplicate or late RESPONSE packets from
re-running the setup path and removes the unlocked post-transition state
test.
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Jie Wang <jiewang2024@lzu.edu.cn>
Signed-off-by: Yang Yang <n05ec@lzu.edu.cn>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-21-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ adapted spin_lock_irq/spin_unlock_irq calls to spin_lock/spin_unlock ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rxrpc/conn_event.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -233,6 +233,7 @@ static int rxrpc_process_event(struct rx
struct sk_buff *skb)
{
struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
+ bool secured = false;
int ret;
if (conn->state == RXRPC_CONN_ABORTED)
@@ -245,6 +246,13 @@ static int rxrpc_process_event(struct rx
return conn->security->respond_to_challenge(conn, skb);
case RXRPC_PACKET_TYPE_RESPONSE:
+ spin_lock(&conn->state_lock);
+ if (conn->state != RXRPC_CONN_SERVICE_CHALLENGING) {
+ spin_unlock(&conn->state_lock);
+ return 0;
+ }
+ spin_unlock(&conn->state_lock);
+
ret = conn->security->verify_response(conn, skb);
if (ret < 0)
return ret;
@@ -255,11 +263,13 @@ static int rxrpc_process_event(struct rx
return ret;
spin_lock(&conn->state_lock);
- if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING)
+ if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) {
conn->state = RXRPC_CONN_SERVICE;
+ secured = true;
+ }
spin_unlock(&conn->state_lock);
- if (conn->state == RXRPC_CONN_SERVICE) {
+ if (secured) {
/* Offload call state flipping to the I/O thread. As
* we've already received the packet, put it on the
* front of the queue.
next prev parent reply other threads:[~2026-04-24 13:44 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 13:31 [PATCH 6.12 00/35] 6.12.84-rc1 review Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 01/35] mm/userfaultfd: fix hugetlb fault mutex hash calculation Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 02/35] PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 03/35] ima: verify if the segment size has changed Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 04/35] ima: do not copy measurement list to kdump kernel Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 05/35] wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 06/35] rust: warn on bindgen < 0.69.5 and libclang >= 19.1 Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 07/35] net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 08/35] drm/amdgpu: replace PASID IDR with XArray Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 09/35] scripts: generate_rust_analyzer.py: define scripts Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 10/35] mm/pagewalk: fix race between concurrent split and refault Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 11/35] ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 12/35] scripts/dtc: Remove unused dts_version in dtc-lexer.l Greg Kroah-Hartman
2026-04-24 13:31 ` Greg Kroah-Hartman [this message]
2026-04-24 13:31 ` [PATCH 6.12 14/35] fs/ntfs3: validate rec->used in journal-replay file record check Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 15/35] f2fs: fix to avoid memory leak in f2fs_rename() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 16/35] fuse: reject oversized dirents in page cache Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 17/35] fuse: Check for large folio with SPLICE_F_MOVE Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 18/35] fuse: quiet down complaints in fuse_conn_limit_write Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 19/35] ksmbd: require minimum ACE size in smb_check_perm_dacl() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 20/35] smb: server: fix active_num_conn leak on transport allocation failure Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 21/35] smb: server: fix max_connections off-by-one in tcp accept path Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 22/35] smb: client: require a full NFS mode SID before reading mode bits Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 23/35] smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 24/35] ksmbd: validate response sizes in ipc_validate_msg() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 25/35] ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 26/35] ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 27/35] ksmbd: use check_add_overflow() to prevent u16 DACL size overflow Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 28/35] f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 29/35] ALSA: usb-audio: apply quirk for MOONDROP JU Jiu Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 30/35] ALSA: caiaq: take a reference on the USB device in create_card() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 31/35] net/packet: fix TOCTOU race on mmapd vnet_hdr in tpacket_snd() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 32/35] crypto: ccp: Dont attempt to copy CSR to userspace if PSP command failed Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 33/35] crypto: ccp: Dont attempt to copy PDH cert " Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 34/35] crypto: ccp: Dont attempt to copy ID " Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 35/35] rxrpc: Fix missing validation of ticket length in non-XDR key preparsing Greg Kroah-Hartman
2026-04-24 16:29 ` [PATCH 6.12 00/35] 6.12.84-rc1 review Peter Schneider
2026-04-24 19:36 ` Pavel Machek
2026-04-24 20:17 ` Florian Fainelli
2026-04-24 21:52 ` Mark Brown
2026-04-24 22:27 ` Shuah Khan
2026-04-25 3:27 ` Barry K. Nathan
2026-04-25 5:14 ` Christian Van
2026-04-25 7:33 ` Brett A C Sheffield
2026-04-25 12:24 ` Miguel Ojeda
2026-04-25 20:06 ` Ron Economos
2026-04-25 21:32 ` Francesco Dolcini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260424132414.436666103@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bird@lzu.edu.cn \
--cc=dhowells@redhat.com \
--cc=horms@kernel.org \
--cc=jaltman@auristor.com \
--cc=jiewang2024@lzu.edu.cn \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=marc.dionne@auristor.com \
--cc=n05ec@lzu.edu.cn \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tomapufckgml@gmail.com \
--cc=yifanwucs@gmail.com \
--cc=yuantan098@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox