Re: [PATCH 6.12.y] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets

[Greg KH <gregkh@linuxfoundation.org>]

On Sun, May 03, 2026 at 10:17:23AM -0400, Sasha Levin wrote:
> From: David Howells <dhowells@redhat.com>
> 
> [ Upstream commit 24481a7f573305706054c59e275371f8d0fe919f ]
> 
> The security operations that verify the RESPONSE packets decrypt bits of it
> in place - however, the sk_buff may be shared with a packet sniffer, which
> would lead to the sniffer seeing an apparently corrupt packet (actually
> decrypted).
> 
> Fix this by handing a copy of the packet off to the specific security
> handler if the packet was cloned.
> 
> Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
> Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: Marc Dionne <marc.dionne@auristor.com>
> cc: Jeffrey Altman <jaltman@auristor.com>
> cc: Simon Horman <horms@kernel.org>
> cc: linux-afs@lists.infradead.org
> cc: stable@kernel.org
> Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  include/trace/events/rxrpc.h |  2 ++
>  net/rxrpc/conn_event.c       | 29 ++++++++++++++++++++++++++++-
>  2 files changed, 30 insertions(+), 1 deletion(-)
> 
> diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
> index 3eb806f7bc6a5..c5533176d770d 100644
> --- a/include/trace/events/rxrpc.h
> +++ b/include/trace/events/rxrpc.h
> @@ -146,12 +146,14 @@
>  	EM(rxrpc_skb_put_jumbo_subpacket,	"PUT jumbo-sub") \
>  	EM(rxrpc_skb_put_last_nack,		"PUT last-nack") \
>  	EM(rxrpc_skb_put_purge,			"PUT purge    ") \
> +	EM(rxrpc_skb_put_response_copy,		"PUT resp-cpy ") \
>  	EM(rxrpc_skb_put_rotate,		"PUT rotate   ") \
>  	EM(rxrpc_skb_put_unknown,		"PUT unknown  ") \
>  	EM(rxrpc_skb_see_conn_work,		"SEE conn-work") \
>  	EM(rxrpc_skb_see_recvmsg,		"SEE recvmsg  ") \
>  	EM(rxrpc_skb_see_reject,		"SEE reject   ") \
>  	EM(rxrpc_skb_see_rotate,		"SEE rotate   ") \
> +	EM(rxrpc_skb_see_unshare_nomem,		"SEE unshar-nm") \
>  	E_(rxrpc_skb_see_version,		"SEE version  ")
>  
>  #define rxrpc_local_traces \
> diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
> index 6ef2dc1aa8cc2..6d7b064661d88 100644
> --- a/net/rxrpc/conn_event.c
> +++ b/net/rxrpc/conn_event.c
> @@ -226,6 +226,33 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call)
>  		rxrpc_notify_socket(call);
>  }
>  
> +static int rxrpc_verify_response(struct rxrpc_connection *conn,
> +				 struct sk_buff *skb)
> +{
> +	int ret;
> +
> +	if (skb_cloned(skb)) {
> +		/* Copy the packet if shared so that we can do in-place
> +		 * decryption.
> +		 */
> +		struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
> +
> +		if (nskb) {
> +			rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
> +			ret = conn->security->verify_response(conn, nskb);
> +			rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
> +		} else {
> +			/* OOM - Drop the packet. */
> +			rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
> +			ret = -ENOMEM;
> +		}
> +	} else {
> +		ret = conn->security->verify_response(conn, skb);
> +	}
> +
> +	return ret;
> +}
> +
>  /*
>   * connection-level Rx packet processor
>   */
> @@ -253,7 +280,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
>  		}
>  		spin_unlock(&conn->state_lock);
>  
> -		ret = conn->security->verify_response(conn, skb);
> +		ret = rxrpc_verify_response(conn, skb);
>  		if (ret < 0)
>  			return ret;
>  
> -- 
> 2.53.0
> 
> 

Does not apply :(