* FAILED: patch "[PATCH] rxrpc: Fix conn-level packet handling to unshare RESPONSE" failed to apply to 6.12-stable tree
@ 2026-05-01 12:07 gregkh
2026-05-03 14:17 ` [PATCH 6.12.y] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets Sasha Levin
0 siblings, 1 reply; 3+ messages in thread
From: gregkh @ 2026-05-01 12:07 UTC (permalink / raw)
To: dhowells, horms, jaltman, kuba, marc.dionne; +Cc: stable
The patch below does not apply to the 6.12-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y
git checkout FETCH_HEAD
git cherry-pick -x 24481a7f573305706054c59e275371f8d0fe919f
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2026050142-gag-tasting-5084@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 24481a7f573305706054c59e275371f8d0fe919f Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 22 Apr 2026 17:14:33 +0100
Subject: [PATCH] rxrpc: Fix conn-level packet handling to unshare RESPONSE
packets
The security operations that verify the RESPONSE packets decrypt bits of it
in place - however, the sk_buff may be shared with a packet sniffer, which
would lead to the sniffer seeing an apparently corrupt packet (actually
decrypted).
Fix this by handing a copy of the packet off to the specific security
handler if the packet was cloned.
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index 9a41ec708aeb..aee977291d90 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -240,6 +240,33 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call)
rxrpc_notify_socket(call);
}
+static int rxrpc_verify_response(struct rxrpc_connection *conn,
+ struct sk_buff *skb)
+{
+ int ret;
+
+ if (skb_cloned(skb)) {
+ /* Copy the packet if shared so that we can do in-place
+ * decryption.
+ */
+ struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
+
+ if (nskb) {
+ rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
+ ret = conn->security->verify_response(conn, nskb);
+ rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
+ } else {
+ /* OOM - Drop the packet. */
+ rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
+ ret = -ENOMEM;
+ }
+ } else {
+ ret = conn->security->verify_response(conn, skb);
+ }
+
+ return ret;
+}
+
/*
* connection-level Rx packet processor
*/
@@ -270,7 +297,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
}
spin_unlock_irq(&conn->state_lock);
- ret = conn->security->verify_response(conn, skb);
+ ret = rxrpc_verify_response(conn, skb);
if (ret < 0)
return ret;
^ permalink raw reply related [flat|nested] 3+ messages in thread* [PATCH 6.12.y] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets 2026-05-01 12:07 FAILED: patch "[PATCH] rxrpc: Fix conn-level packet handling to unshare RESPONSE" failed to apply to 6.12-stable tree gregkh @ 2026-05-03 14:17 ` Sasha Levin 2026-05-04 12:04 ` Greg KH 0 siblings, 1 reply; 3+ messages in thread From: Sasha Levin @ 2026-05-03 14:17 UTC (permalink / raw) To: stable Cc: David Howells, Marc Dionne, Jeffrey Altman, Simon Horman, linux-afs, stable, Jakub Kicinski, Sasha Levin From: David Howells <dhowells@redhat.com> [ Upstream commit 24481a7f573305706054c59e275371f8d0fe919f ] The security operations that verify the RESPONSE packets decrypt bits of it in place - however, the sk_buff may be shared with a packet sniffer, which would lead to the sniffer seeing an apparently corrupt packet (actually decrypted). Fix this by handing a copy of the packet off to the specific security handler if the packet was cloned. Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com Signed-off-by: David Howells <dhowells@redhat.com> cc: Marc Dionne <marc.dionne@auristor.com> cc: Jeffrey Altman <jaltman@auristor.com> cc: Simon Horman <horms@kernel.org> cc: linux-afs@lists.infradead.org cc: stable@kernel.org Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> --- include/trace/events/rxrpc.h | 2 ++ net/rxrpc/conn_event.c | 29 ++++++++++++++++++++++++++++- 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index 3eb806f7bc6a5..c5533176d770d 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -146,12 +146,14 @@ EM(rxrpc_skb_put_jumbo_subpacket, "PUT jumbo-sub") \ EM(rxrpc_skb_put_last_nack, "PUT last-nack") \ EM(rxrpc_skb_put_purge, "PUT purge ") \ + EM(rxrpc_skb_put_response_copy, "PUT resp-cpy ") \ EM(rxrpc_skb_put_rotate, "PUT rotate ") \ EM(rxrpc_skb_put_unknown, "PUT unknown ") \ EM(rxrpc_skb_see_conn_work, "SEE conn-work") \ EM(rxrpc_skb_see_recvmsg, "SEE recvmsg ") \ EM(rxrpc_skb_see_reject, "SEE reject ") \ EM(rxrpc_skb_see_rotate, "SEE rotate ") \ + EM(rxrpc_skb_see_unshare_nomem, "SEE unshar-nm") \ E_(rxrpc_skb_see_version, "SEE version ") #define rxrpc_local_traces \ diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c index 6ef2dc1aa8cc2..6d7b064661d88 100644 --- a/net/rxrpc/conn_event.c +++ b/net/rxrpc/conn_event.c @@ -226,6 +226,33 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call) rxrpc_notify_socket(call); } +static int rxrpc_verify_response(struct rxrpc_connection *conn, + struct sk_buff *skb) +{ + int ret; + + if (skb_cloned(skb)) { + /* Copy the packet if shared so that we can do in-place + * decryption. + */ + struct sk_buff *nskb = skb_copy(skb, GFP_NOFS); + + if (nskb) { + rxrpc_new_skb(nskb, rxrpc_skb_new_unshared); + ret = conn->security->verify_response(conn, nskb); + rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy); + } else { + /* OOM - Drop the packet. */ + rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem); + ret = -ENOMEM; + } + } else { + ret = conn->security->verify_response(conn, skb); + } + + return ret; +} + /* * connection-level Rx packet processor */ @@ -253,7 +280,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn, } spin_unlock(&conn->state_lock); - ret = conn->security->verify_response(conn, skb); + ret = rxrpc_verify_response(conn, skb); if (ret < 0) return ret; -- 2.53.0 ^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 6.12.y] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets 2026-05-03 14:17 ` [PATCH 6.12.y] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets Sasha Levin @ 2026-05-04 12:04 ` Greg KH 0 siblings, 0 replies; 3+ messages in thread From: Greg KH @ 2026-05-04 12:04 UTC (permalink / raw) To: Sasha Levin Cc: stable, David Howells, Marc Dionne, Jeffrey Altman, Simon Horman, linux-afs, stable, Jakub Kicinski On Sun, May 03, 2026 at 10:17:23AM -0400, Sasha Levin wrote: > From: David Howells <dhowells@redhat.com> > > [ Upstream commit 24481a7f573305706054c59e275371f8d0fe919f ] > > The security operations that verify the RESPONSE packets decrypt bits of it > in place - however, the sk_buff may be shared with a packet sniffer, which > would lead to the sniffer seeing an apparently corrupt packet (actually > decrypted). > > Fix this by handing a copy of the packet off to the specific security > handler if the packet was cloned. > > Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") > Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com > Signed-off-by: David Howells <dhowells@redhat.com> > cc: Marc Dionne <marc.dionne@auristor.com> > cc: Jeffrey Altman <jaltman@auristor.com> > cc: Simon Horman <horms@kernel.org> > cc: linux-afs@lists.infradead.org > cc: stable@kernel.org > Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com > Signed-off-by: Jakub Kicinski <kuba@kernel.org> > Signed-off-by: Sasha Levin <sashal@kernel.org> > --- > include/trace/events/rxrpc.h | 2 ++ > net/rxrpc/conn_event.c | 29 ++++++++++++++++++++++++++++- > 2 files changed, 30 insertions(+), 1 deletion(-) > > diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h > index 3eb806f7bc6a5..c5533176d770d 100644 > --- a/include/trace/events/rxrpc.h > +++ b/include/trace/events/rxrpc.h > @@ -146,12 +146,14 @@ > EM(rxrpc_skb_put_jumbo_subpacket, "PUT jumbo-sub") \ > EM(rxrpc_skb_put_last_nack, "PUT last-nack") \ > EM(rxrpc_skb_put_purge, "PUT purge ") \ > + EM(rxrpc_skb_put_response_copy, "PUT resp-cpy ") \ > EM(rxrpc_skb_put_rotate, "PUT rotate ") \ > EM(rxrpc_skb_put_unknown, "PUT unknown ") \ > EM(rxrpc_skb_see_conn_work, "SEE conn-work") \ > EM(rxrpc_skb_see_recvmsg, "SEE recvmsg ") \ > EM(rxrpc_skb_see_reject, "SEE reject ") \ > EM(rxrpc_skb_see_rotate, "SEE rotate ") \ > + EM(rxrpc_skb_see_unshare_nomem, "SEE unshar-nm") \ > E_(rxrpc_skb_see_version, "SEE version ") > > #define rxrpc_local_traces \ > diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c > index 6ef2dc1aa8cc2..6d7b064661d88 100644 > --- a/net/rxrpc/conn_event.c > +++ b/net/rxrpc/conn_event.c > @@ -226,6 +226,33 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call) > rxrpc_notify_socket(call); > } > > +static int rxrpc_verify_response(struct rxrpc_connection *conn, > + struct sk_buff *skb) > +{ > + int ret; > + > + if (skb_cloned(skb)) { > + /* Copy the packet if shared so that we can do in-place > + * decryption. > + */ > + struct sk_buff *nskb = skb_copy(skb, GFP_NOFS); > + > + if (nskb) { > + rxrpc_new_skb(nskb, rxrpc_skb_new_unshared); > + ret = conn->security->verify_response(conn, nskb); > + rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy); > + } else { > + /* OOM - Drop the packet. */ > + rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem); > + ret = -ENOMEM; > + } > + } else { > + ret = conn->security->verify_response(conn, skb); > + } > + > + return ret; > +} > + > /* > * connection-level Rx packet processor > */ > @@ -253,7 +280,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn, > } > spin_unlock(&conn->state_lock); > > - ret = conn->security->verify_response(conn, skb); > + ret = rxrpc_verify_response(conn, skb); > if (ret < 0) > return ret; > > -- > 2.53.0 > > Does not apply :( ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-04 12:04 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-05-01 12:07 FAILED: patch "[PATCH] rxrpc: Fix conn-level packet handling to unshare RESPONSE" failed to apply to 6.12-stable tree gregkh 2026-05-03 14:17 ` [PATCH 6.12.y] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets Sasha Levin 2026-05-04 12:04 ` Greg KH
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox