From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CCA9C38759F for ; Fri, 1 May 2026 12:04:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777637062; cv=none; b=fei+pp4dDFNlWc6kvK0+CKpx4G1JaJtxrQarKgN70ZBh27cBa6xgx3ENwgIGlVMPdN61E8lyeCax5lRR6T4QWcGjZ0Y8Wlpj9vlN2zCRj5pTgZhV9iln/SeuASp0O2A00lDq/zoSPpz7GVdO7iEWfT71eroHyUKcu46we8CasUQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777637062; c=relaxed/simple; bh=kyIsf9xwvUD1GB4eVnDknZl9OcBHrXDAROhQWtkprB4=; h=Subject:To:Cc:From:Date:Message-ID:MIME-Version:Content-Type; b=dvsWI943HtDQIDErtJ4BZjTFh45ys/6Ts8xCjW78FDtgw567/aD0QQ5ET3crikINysrlc+sgItg8TIu8bG2Mogb7QqYJk+IhCOxvbQPVPYmw8J0dzk8oj4dMwElJvm08uGjvFGnaCnxXBOBjo2DrnlOaLOLDlvsVw4yqPAhZ12Y= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=f2ln7Gxv; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="f2ln7Gxv" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 20EBBC2BCB4; Fri, 1 May 2026 12:04:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1777637062; bh=kyIsf9xwvUD1GB4eVnDknZl9OcBHrXDAROhQWtkprB4=; h=Subject:To:Cc:From:Date:From; b=f2ln7Gxv2hDvVBq9XUN6cxDvZzWlGjQLkB8IrIzHqms0Kvgu0F+W28i6NcS6EBkXO zJXEaKBYlVf38iK83bwcJ1tdDEcv9VW3C3XCt+oeWAYJ/Qer7dZpQxdlu9Mdd7wQIg URUlfLAxOqsIQ/5w1uybXgrpig66lykB+YVgJnDE= Subject: FAILED: patch "[PATCH] rxrpc: Fix rxrpc_input_call_event() to only unshare DATA" failed to apply to 6.6-stable tree To: dhowells@redhat.com,horms@kernel.org,jaltman@auristor.com,kuba@kernel.org,marc.dionne@auristor.com Cc: From: Date: Fri, 01 May 2026 14:04:11 +0200 Message-ID: <2026050111-freemason-speed-b71c@gregkh> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to . To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 55b2984c96c37f909bbfe8851f13152693951382 # git commit -s git send-email --to '' --in-reply-to '2026050111-freemason-speed-b71c@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 55b2984c96c37f909bbfe8851f13152693951382 Mon Sep 17 00:00:00 2001 From: David Howells Date: Thu, 23 Apr 2026 21:09:06 +0100 Subject: [PATCH] rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets Fix rxrpc_input_call_event() to only unshare DATA packets and not ACK, ABORT, etc.. And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer. Fixes: 1f2740150f90 ("rxrpc: Fix potential UAF after skb_unshare() failure") Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Simon Horman cc: linux-afs@lists.infradead.org cc: stable@kernel.org Link: https://patch.msgid.link/20260423200909.3049438-2-dhowells@redhat.com Signed-off-by: Jakub Kicinski diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c index cc8f9dfa44e8..fdd683261226 100644 --- a/net/rxrpc/call_event.c +++ b/net/rxrpc/call_event.c @@ -332,7 +332,8 @@ bool rxrpc_input_call_event(struct rxrpc_call *call) saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK; - if (sp->hdr.securityIndex != 0 && + if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA && + sp->hdr.securityIndex != 0 && skb_cloned(skb)) { /* Unshare the packet so that it can be * modified by in-place decryption.