Patch "rxrpc: reject undecryptable rxkad response tickets" has been added to the 6.1-stable tree

gregkh at linuxfoundation.org gregkh at linuxfoundation.org
Thu Apr 23 04:24:44 PDT 2026 

This is a note to let you know that I've just added the patch titled

    rxrpc: reject undecryptable rxkad response tickets

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rxrpc-reject-undecryptable-rxkad-response-tickets.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.


>From stable+bounces-237838-greg=kroah.com at vger.kernel.org Tue Apr 14 13:56:27 2026
From: Sasha Levin <sashal at kernel.org>
Date: Tue, 14 Apr 2026 07:52:36 -0400
Subject: rxrpc: reject undecryptable rxkad response tickets
To: stable at vger.kernel.org
Cc: Yuqi Xu <xuyuqiabc at gmail.com>, Yifan Wu <yifanwucs at gmail.com>, Juefei Pu <tomapufckgml at gmail.com>, Yuan Tan <yuantan098 at gmail.com>, Xin Liu <bird at lzu.edu.cn>, Ren Wei <enjou1224z at gmail.com>, Ren Wei <n05ec at lzu.edu.cn>, David Howells <dhowells at redhat.com>, Marc Dionne <marc.dionne at auristor.com>, Simon Horman <horms at kernel.org>, linux-afs at lists.infradead.org, stable at kernel.org, Jakub Kicinski <kuba at kernel.org>, Sasha Levin <sashal at kernel.org>
Message-ID: <20260414115236.537968-1-sashal at kernel.org>

From: Yuqi Xu <xuyuqiabc at gmail.com>

[ Upstream commit fe4447cd95623b1cfacc15f280aab73a6d7340b2 ]

rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then
parses the buffer as plaintext without checking whether
crypto_skcipher_decrypt() succeeded.

A malformed RESPONSE can therefore use a non-block-aligned ticket
length, make the decrypt operation fail, and still drive the ticket
parser with attacker-controlled bytes.

Check the decrypt result and abort the connection with RXKADBADTICKET
when ticket decryption fails.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Reported-by: Yifan Wu <yifanwucs at gmail.com>
Reported-by: Juefei Pu <tomapufckgml at gmail.com>
Co-developed-by: Yuan Tan <yuantan098 at gmail.com>
Signed-off-by: Yuan Tan <yuantan098 at gmail.com>
Suggested-by: Xin Liu <bird at lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z at gmail.com>
Signed-off-by: Yuqi Xu <xuyuqiabc at gmail.com>
Signed-off-by: Ren Wei <n05ec at lzu.edu.cn>
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-12-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
[ adapted `rxrpc_abort_conn()` call to existing `goto other_error` error-handling pattern ]
Signed-off-by: Sasha Levin <sashal at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
 net/rxrpc/rxkad.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -1013,8 +1013,13 @@ static int rxkad_decrypt_ticket(struct r
 	sg_init_one(&sg[0], ticket, ticket_len);
 	skcipher_request_set_callback(req, 0, NULL, NULL);
 	skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
-	crypto_skcipher_decrypt(req);
+	ret = crypto_skcipher_decrypt(req);
 	skcipher_request_free(req);
+	if (ret < 0) {
+		abort_code = RXKADBADTICKET;
+		ret = -EPROTO;
+		goto other_error;
+	}
 
 	p = ticket;
 	end = p + ticket_len;


Patches currently in stable-queue which might be from sashal at kernel.org are

queue-6.1/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch
queue-6.1/e1000-check-return-value-of-e1000_read_eeprom.patch
queue-6.1/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch
queue-6.1/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch
queue-6.1/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch
queue-6.1/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch
queue-6.1/hid-roccat-fix-use-after-free-in-roccat_report_event.patch
queue-6.1/revert-net-ixp4xx_eth-convert-to-ndo_hwtstamp_get-an.patch
queue-6.1/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch
queue-6.1/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch
queue-6.1/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch
queue-6.1/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch
queue-6.1/net-sched-act_csum-validate-nested-vlan-headers.patch
queue-6.1/rxrpc-proc-size-address-buffers-for-pispc-output.patch
queue-6.1/revert-net-ethernet-xscale-check-for-ptp-support-pro.patch
queue-6.1/bonding-check-xdp-prog-when-set-bond-mode.patch
queue-6.1/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch
queue-6.1/pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch
queue-6.1/rxrpc-reject-undecryptable-rxkad-response-tickets.patch
queue-6.1/bonding-return-detailed-error-when-loading-native-xd.patch
queue-6.1/can-mcp251x-add-error-handling-for-power-enable-in-o.patch
queue-6.1/asoc-qcom-q6apm-move-component-registration-to-unmanaged-version.patch
queue-6.1/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch
queue-6.1/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch
queue-6.1/ocfs2-validate-inline-data-i_size-during-inode-read.patch
queue-6.1/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch
queue-6.1/revert-dmaengine-idxd-fix-not-releasing-workqueue-on.patch
queue-6.1/btrfs-tracepoints-get-correct-superblock-from-dentry.patch
queue-6.1/checkpatch-add-support-for-assisted-by-tag.patch
queue-6.1/arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
queue-6.1/pci-endpoint-pci-epf-vntb-remove-duplicate-resource-.patch
queue-6.1/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch
queue-6.1/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch
queue-6.1/revert-drm-fix-use-after-free-on-framebuffers-and-pr.patch
queue-6.1/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-up-to-0.85v.patch
queue-6.1/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch
queue-6.1/net-add-proper-rcu-protection-to-proc-net-ptype.patch
queue-6.1/l2tp-drop-large-packets-with-udp-encap.patch
queue-6.1/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch
queue-6.1/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch
queue-6.1/net-dsa-clean-up-fdb-mdb-vlan-entries-on-unbind.patch
queue-6.1/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch
queue-6.1/gpio-tegra-fix-irq_release_resources-calling-enable-.patch
queue-6.1/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch
queue-6.1/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch
queue-6.1/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch
queue-6.1/scripts-generate_rust_analyzer.py-define-scripts.patch
queue-6.1/xfrm_user-fix-info-leak-in-build_mapping.patch
queue-6.1/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch
queue-6.1/alsa-asihpi-avoid-write-overflow-check-warning.patch
queue-6.1/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch
queue-6.1/rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch
queue-6.1/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch
queue-6.1/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
queue-6.1/asoc-soc-core-call-missing-init_list_head-for-card_a.patch
queue-6.1/net-lapbether-handle-netdev_pre_type_change.patch
queue-6.1/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
queue-6.1/ipv6-add-null-checks-for-idev-in-srv6-paths.patch
queue-6.1/drm-i915-psr-do-not-use-pipe_src-as-borders-for-su-a.patch
queue-6.1/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
queue-6.1/netfilter-conntrack-add-missing-netlink-policy-valid.patch
queue-6.1/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch
queue-6.1/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
queue-6.1/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch
queue-6.1/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch
queue-6.1/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch
queue-6.1/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch
queue-6.1/netfilter-xt_multiport-validate-range-encoding-in-ch.patch
queue-6.1/gfs2-improve-gfs2_consist_inode-usage.patch
queue-6.1/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch
queue-6.1/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch
queue-6.1/drm-amdgpu-remove-two-invalid-bug_on-s.patch
queue-6.1/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch
queue-6.1/xsk-tighten-umem-headroom-validation-to-account-for-.patch
queue-6.1/alsa-usb-audio-improve-focusrite-sample-rate-filteri.patch
queue-6.1/scsi-ufs-core-fix-use-after-free-in-init-error-and-remove-paths.patch
queue-6.1/revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
queue-6.1/drm-vc4-release-runtime-pm-reference-after-binding-v.patch
queue-6.1/net-sched-fix-tcf_layer_transport-handling-in-tcf_ge.patch
queue-6.1/ublk-fix-deadlock-when-reading-partition-table.patch
queue-6.1/alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbm.patch
queue-6.1/soc-qcom-apr-make-remove-callback-of-apr-driver-void-returned.patch
queue-6.1/gfs2-validate-i_depth-for-exhash-directories.patch
queue-6.1/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch
queue-6.1/kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch
queue-6.1/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-to-0.81v.patch
queue-6.1/epoll-use-refcount-to-reduce-ep_mutex-contention.patch
queue-6.1/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
queue-6.1/tracing-probe-reject-non-closed-empty-immediate-stri.patch
queue-6.1/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch
queue-6.1/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch

More information about the linux-afs mailing list