* FAILED: patch "[PATCH] rxrpc: Fix conn-level packet handling to unshare RESPONSE" failed to apply to 6.12-stable tree
@ 2026-05-01 12:07 gregkh
2026-05-03 14:17 ` [PATCH 6.12.y] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets Sasha Levin
0 siblings, 1 reply; 3+ messages in thread
From: gregkh @ 2026-05-01 12:07 UTC (permalink / raw)
To: dhowells, horms, jaltman, kuba, marc.dionne; +Cc: stable
The patch below does not apply to the 6.12-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y
git checkout FETCH_HEAD
git cherry-pick -x 24481a7f573305706054c59e275371f8d0fe919f
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2026050142-gag-tasting-5084@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 24481a7f573305706054c59e275371f8d0fe919f Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 22 Apr 2026 17:14:33 +0100
Subject: [PATCH] rxrpc: Fix conn-level packet handling to unshare RESPONSE
packets
The security operations that verify the RESPONSE packets decrypt bits of it
in place - however, the sk_buff may be shared with a packet sniffer, which
would lead to the sniffer seeing an apparently corrupt packet (actually
decrypted).
Fix this by handing a copy of the packet off to the specific security
handler if the packet was cloned.
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index 9a41ec708aeb..aee977291d90 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -240,6 +240,33 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call)
rxrpc_notify_socket(call);
}
+static int rxrpc_verify_response(struct rxrpc_connection *conn,
+ struct sk_buff *skb)
+{
+ int ret;
+
+ if (skb_cloned(skb)) {
+ /* Copy the packet if shared so that we can do in-place
+ * decryption.
+ */
+ struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
+
+ if (nskb) {
+ rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
+ ret = conn->security->verify_response(conn, nskb);
+ rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
+ } else {
+ /* OOM - Drop the packet. */
+ rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
+ ret = -ENOMEM;
+ }
+ } else {
+ ret = conn->security->verify_response(conn, skb);
+ }
+
+ return ret;
+}
+
/*
* connection-level Rx packet processor
*/
@@ -270,7 +297,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
}
spin_unlock_irq(&conn->state_lock);
- ret = conn->security->verify_response(conn, skb);
+ ret = rxrpc_verify_response(conn, skb);
if (ret < 0)
return ret;
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 6.12.y] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
2026-05-01 12:07 FAILED: patch "[PATCH] rxrpc: Fix conn-level packet handling to unshare RESPONSE" failed to apply to 6.12-stable tree gregkh
@ 2026-05-03 14:17 ` Sasha Levin
2026-05-04 12:04 ` Greg KH
0 siblings, 1 reply; 3+ messages in thread
From: Sasha Levin @ 2026-05-03 14:17 UTC (permalink / raw)
To: stable
Cc: David Howells, Marc Dionne, Jeffrey Altman, Simon Horman,
linux-afs, stable, Jakub Kicinski, Sasha Levin
From: David Howells <dhowells@redhat.com>
[ Upstream commit 24481a7f573305706054c59e275371f8d0fe919f ]
The security operations that verify the RESPONSE packets decrypt bits of it
in place - however, the sk_buff may be shared with a packet sniffer, which
would lead to the sniffer seeing an apparently corrupt packet (actually
decrypted).
Fix this by handing a copy of the packet off to the specific security
handler if the packet was cloned.
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/rxrpc.h | 2 ++
net/rxrpc/conn_event.c | 29 ++++++++++++++++++++++++++++-
2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
index 3eb806f7bc6a5..c5533176d770d 100644
--- a/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -146,12 +146,14 @@
EM(rxrpc_skb_put_jumbo_subpacket, "PUT jumbo-sub") \
EM(rxrpc_skb_put_last_nack, "PUT last-nack") \
EM(rxrpc_skb_put_purge, "PUT purge ") \
+ EM(rxrpc_skb_put_response_copy, "PUT resp-cpy ") \
EM(rxrpc_skb_put_rotate, "PUT rotate ") \
EM(rxrpc_skb_put_unknown, "PUT unknown ") \
EM(rxrpc_skb_see_conn_work, "SEE conn-work") \
EM(rxrpc_skb_see_recvmsg, "SEE recvmsg ") \
EM(rxrpc_skb_see_reject, "SEE reject ") \
EM(rxrpc_skb_see_rotate, "SEE rotate ") \
+ EM(rxrpc_skb_see_unshare_nomem, "SEE unshar-nm") \
E_(rxrpc_skb_see_version, "SEE version ")
#define rxrpc_local_traces \
diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index 6ef2dc1aa8cc2..6d7b064661d88 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -226,6 +226,33 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call)
rxrpc_notify_socket(call);
}
+static int rxrpc_verify_response(struct rxrpc_connection *conn,
+ struct sk_buff *skb)
+{
+ int ret;
+
+ if (skb_cloned(skb)) {
+ /* Copy the packet if shared so that we can do in-place
+ * decryption.
+ */
+ struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
+
+ if (nskb) {
+ rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
+ ret = conn->security->verify_response(conn, nskb);
+ rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
+ } else {
+ /* OOM - Drop the packet. */
+ rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
+ ret = -ENOMEM;
+ }
+ } else {
+ ret = conn->security->verify_response(conn, skb);
+ }
+
+ return ret;
+}
+
/*
* connection-level Rx packet processor
*/
@@ -253,7 +280,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
}
spin_unlock(&conn->state_lock);
- ret = conn->security->verify_response(conn, skb);
+ ret = rxrpc_verify_response(conn, skb);
if (ret < 0)
return ret;
--
2.53.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 6.12.y] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
2026-05-03 14:17 ` [PATCH 6.12.y] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets Sasha Levin
@ 2026-05-04 12:04 ` Greg KH
0 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2026-05-04 12:04 UTC (permalink / raw)
To: Sasha Levin
Cc: stable, David Howells, Marc Dionne, Jeffrey Altman, Simon Horman,
linux-afs, stable, Jakub Kicinski
On Sun, May 03, 2026 at 10:17:23AM -0400, Sasha Levin wrote:
> From: David Howells <dhowells@redhat.com>
>
> [ Upstream commit 24481a7f573305706054c59e275371f8d0fe919f ]
>
> The security operations that verify the RESPONSE packets decrypt bits of it
> in place - however, the sk_buff may be shared with a packet sniffer, which
> would lead to the sniffer seeing an apparently corrupt packet (actually
> decrypted).
>
> Fix this by handing a copy of the packet off to the specific security
> handler if the packet was cloned.
>
> Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
> Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: Marc Dionne <marc.dionne@auristor.com>
> cc: Jeffrey Altman <jaltman@auristor.com>
> cc: Simon Horman <horms@kernel.org>
> cc: linux-afs@lists.infradead.org
> cc: stable@kernel.org
> Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> include/trace/events/rxrpc.h | 2 ++
> net/rxrpc/conn_event.c | 29 ++++++++++++++++++++++++++++-
> 2 files changed, 30 insertions(+), 1 deletion(-)
>
> diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
> index 3eb806f7bc6a5..c5533176d770d 100644
> --- a/include/trace/events/rxrpc.h
> +++ b/include/trace/events/rxrpc.h
> @@ -146,12 +146,14 @@
> EM(rxrpc_skb_put_jumbo_subpacket, "PUT jumbo-sub") \
> EM(rxrpc_skb_put_last_nack, "PUT last-nack") \
> EM(rxrpc_skb_put_purge, "PUT purge ") \
> + EM(rxrpc_skb_put_response_copy, "PUT resp-cpy ") \
> EM(rxrpc_skb_put_rotate, "PUT rotate ") \
> EM(rxrpc_skb_put_unknown, "PUT unknown ") \
> EM(rxrpc_skb_see_conn_work, "SEE conn-work") \
> EM(rxrpc_skb_see_recvmsg, "SEE recvmsg ") \
> EM(rxrpc_skb_see_reject, "SEE reject ") \
> EM(rxrpc_skb_see_rotate, "SEE rotate ") \
> + EM(rxrpc_skb_see_unshare_nomem, "SEE unshar-nm") \
> E_(rxrpc_skb_see_version, "SEE version ")
>
> #define rxrpc_local_traces \
> diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
> index 6ef2dc1aa8cc2..6d7b064661d88 100644
> --- a/net/rxrpc/conn_event.c
> +++ b/net/rxrpc/conn_event.c
> @@ -226,6 +226,33 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call)
> rxrpc_notify_socket(call);
> }
>
> +static int rxrpc_verify_response(struct rxrpc_connection *conn,
> + struct sk_buff *skb)
> +{
> + int ret;
> +
> + if (skb_cloned(skb)) {
> + /* Copy the packet if shared so that we can do in-place
> + * decryption.
> + */
> + struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
> +
> + if (nskb) {
> + rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
> + ret = conn->security->verify_response(conn, nskb);
> + rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
> + } else {
> + /* OOM - Drop the packet. */
> + rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
> + ret = -ENOMEM;
> + }
> + } else {
> + ret = conn->security->verify_response(conn, skb);
> + }
> +
> + return ret;
> +}
> +
> /*
> * connection-level Rx packet processor
> */
> @@ -253,7 +280,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
> }
> spin_unlock(&conn->state_lock);
>
> - ret = conn->security->verify_response(conn, skb);
> + ret = rxrpc_verify_response(conn, skb);
> if (ret < 0)
> return ret;
>
> --
> 2.53.0
>
>
Does not apply :(
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-04 12:04 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-01 12:07 FAILED: patch "[PATCH] rxrpc: Fix conn-level packet handling to unshare RESPONSE" failed to apply to 6.12-stable tree gregkh
2026-05-03 14:17 ` [PATCH 6.12.y] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets Sasha Levin
2026-05-04 12:04 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox