Patch "rxrpc: only handle RESPONSE during service challenge" has been added to the 5.10-stable tree

gregkh at linuxfoundation.org gregkh at linuxfoundation.org
Fri Apr 24 01:34:08 PDT 2026


This is a note to let you know that I've just added the patch titled

    rxrpc: only handle RESPONSE during service challenge

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rxrpc-only-handle-response-during-service-challenge.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.


>From stable+bounces-237841-greg=kroah.com at vger.kernel.org Tue Apr 14 14:04:27 2026
From: Sasha Levin <sashal at kernel.org>
Date: Tue, 14 Apr 2026 07:56:13 -0400
Subject: rxrpc: only handle RESPONSE during service challenge
To: stable at vger.kernel.org
Cc: Wang Jie <jiewang2024 at lzu.edu.cn>, Yifan Wu <yifanwucs at gmail.com>, Juefei Pu <tomapufckgml at gmail.com>, Yuan Tan <yuantan098 at gmail.com>, Xin Liu <bird at lzu.edu.cn>, Yang Yang <n05ec at lzu.edu.cn>, David Howells <dhowells at redhat.com>, Marc Dionne <marc.dionne at auristor.com>, Jeffrey Altman <jaltman at auristor.com>, Simon Horman <horms at kernel.org>, linux-afs at lists.infradead.org, stable at kernel.org, Jakub Kicinski <kuba at kernel.org>, Sasha Levin <sashal at kernel.org>
Message-ID: <20260414115613.548439-1-sashal at kernel.org>

From: Wang Jie <jiewang2024 at lzu.edu.cn>

[ Upstream commit c43ffdcfdbb5567b1f143556df8a04b4eeea041c ]

Only process RESPONSE packets while the service connection is still in
RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before
running response verification and security initialization, then use a local
secured flag to decide whether to queue the secured-connection work after
the state transition. This keeps duplicate or late RESPONSE packets from
re-running the setup path and removes the unlocked post-transition state
test.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Reported-by: Yifan Wu <yifanwucs at gmail.com>
Reported-by: Juefei Pu <tomapufckgml at gmail.com>
Co-developed-by: Yuan Tan <yuantan098 at gmail.com>
Signed-off-by: Yuan Tan <yuantan098 at gmail.com>
Suggested-by: Xin Liu <bird at lzu.edu.cn>
Signed-off-by: Jie Wang <jiewang2024 at lzu.edu.cn>
Signed-off-by: Yang Yang <n05ec at lzu.edu.cn>
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Jeffrey Altman <jaltman at auristor.com>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-21-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
[ adapted to spin_lock_bh usage, 3-arg verify_response(), and direct rxrpc_call_is_secure() ]
Signed-off-by: Sasha Levin <sashal at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
 net/rxrpc/conn_event.c |   17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -293,6 +293,7 @@ static int rxrpc_process_event(struct rx
 			       u32 *_abort_code)
 {
 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
+	bool secured = false;
 	__be32 wtmp;
 	u32 abort_code;
 	int loop, ret;
@@ -337,6 +338,13 @@ static int rxrpc_process_event(struct rx
 							    _abort_code);
 
 	case RXRPC_PACKET_TYPE_RESPONSE:
+		spin_lock_bh(&conn->state_lock);
+		if (conn->state != RXRPC_CONN_SERVICE_CHALLENGING) {
+			spin_unlock_bh(&conn->state_lock);
+			return 0;
+		}
+		spin_unlock_bh(&conn->state_lock);
+
 		ret = conn->security->verify_response(conn, skb, _abort_code);
 		if (ret < 0)
 			return ret;
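Review bot: The new state check at the top of the RESPONSE case releases state_lock before verify_response() is called, so it only filters RESPONSE packets that arrive after the connection has already left RXRPC_CONN_SERVICE_CHALLENGING; it does not on its own stop two RESPONSE packets that are processed at the same time from both passing the check and both running verification. If rxrpc_process_event() is guaranteed to run single-threaded per connection, a one-line comment above the check saying so would make that dependency explicit. Separately, the early `return 0` drops the late or duplicate packet silently; if this path is expected to be hit by retransmissions, a tracepoint or a comment noting that the drop is intentional would help anyone debugging a stalled handshake.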
@@ -351,17 +359,18 @@ static int rxrpc_process_event(struct rx
 
 		spin_lock(&conn->bundle->channel_lock);
 		spin_lock_bh(&conn->state_lock);
-
 		if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) {
 			conn->state = RXRPC_CONN_SERVICE;
-			spin_unlock_bh(&conn->state_lock);
+			secured = true;
+		}
+		spin_unlock_bh(&conn->state_lock);
+
+		if (secured) {
 			for (loop = 0; loop < RXRPC_MAXCALLS; loop++)
 				rxrpc_call_is_secure(
 					rcu_dereference_protected(
 						conn->channels[loop].call,
 						lockdep_is_held(&conn->bundle->channel_lock)));
-		} else {
-			spin_unlock_bh(&conn->state_lock);
 		}
 
 		spin_unlock(&conn->bundle->channel_lock);
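Review bot: In this backport the removed lines already tested conn->state under state_lock and already dropped the lock before the rxrpc_call_is_secure() loop, so the restructuring around `secured` changes the shape of the code but not its behaviour in this tree; the commit message's "removes the unlocked post-transition state test" does not correspond to anything removed in this hunk. It would be worth saying so in the bracketed backport note, so that a reader of the 5.10 history does not go looking for an unlocked test that is not there. The deletion of the blank line after `spin_lock_bh(&conn->state_lock);` is whitespace-only and could be left out of a stable backport to keep the diff minimal.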


Patches currently in stable-queue which might be from sashal at kernel.org are

queue-5.10/e1000-check-return-value-of-e1000_read_eeprom.patch
queue-5.10/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch
queue-5.10/revert-scsi-ufs-core-improve-scsi-abort-handling.patch
queue-5.10/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch
queue-5.10/arm64-dts-imx8mq-librem5-set-regulators-boot-on.patch
queue-5.10/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch
queue-5.10/drivers-base-free-devm-resources-when-unregistering-a-device.patch
queue-5.10/hid-roccat-fix-use-after-free-in-roccat_report_event.patch
queue-5.10/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch
queue-5.10/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch
queue-5.10/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch
queue-5.10/media-uvcvideo-use-heuristic-to-find-stream-entity.patch
queue-5.10/drm-amd-display-add-null-checker-before-passing-vari.patch
queue-5.10/net-sched-act_csum-validate-nested-vlan-headers.patch
queue-5.10/net-tap-null-pointer-derefence-in-dev_parse_header_p.patch
queue-5.10/rxrpc-proc-size-address-buffers-for-pispc-output.patch
queue-5.10/scsi-ufs-core-improve-scsi-abort-handling.patch
queue-5.10/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch
queue-5.10/rxrpc-reject-undecryptable-rxkad-response-tickets.patch
queue-5.10/can-mcp251x-add-error-handling-for-power-enable-in-o.patch
queue-5.10/mips-mm-kmalloc-tlb_vpn-array-to-avoid-stack-overflo.patch
queue-5.10/netfilter-nft_set_pipapo-do-not-rely-on-zero_size_pt.patch
queue-5.10/ocfs2-validate-inline-data-i_size-during-inode-read.patch
queue-5.10/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch
queue-5.10/btrfs-tracepoints-get-correct-superblock-from-dentry.patch
queue-5.10/checkpatch-add-support-for-assisted-by-tag.patch
queue-5.10/arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
queue-5.10/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-up-to-0.85v.patch
queue-5.10/rxrpc-fix-recvmsg-unconditional-requeue.patch
queue-5.10/rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch
queue-5.10/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch
queue-5.10/mips-mm-allocate-tlb_vpn-array-atomically.patch
queue-5.10/l2tp-drop-large-packets-with-udp-encap.patch
queue-5.10/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch
queue-5.10/mips-mm-rewrite-tlb-uniquification-for-the-hidden-bi.patch
queue-5.10/net-lapbether-remove-trailing-whitespaces.patch
queue-5.10/rxrpc-fix-anonymous-key-handling.patch
queue-5.10/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch
queue-5.10/drm-i915-gt-fix-refcount-underflow-in-intel_engine_p.patch
queue-5.10/xfrm_user-fix-info-leak-in-build_mapping.patch
queue-5.10/scsi-qla2xxx-fix-warning-message-due-to-adisc-being-.patch
queue-5.10/batman-adv-hold-claim-backbone-gateways-by-reference.patch
queue-5.10/acpi-property-constify-stubs-for-config_acpi-n-case.patch
queue-5.10/alsa-asihpi-avoid-write-overflow-check-warning.patch
queue-5.10/media-uvcvideo-mark-invalid-entities-with-id-uvc_inv.patch
queue-5.10/arm64-dts-imx8mq-librem5-r3-workaround-i2c1-issue-with-1ghz-cpu-voltage.patch
queue-5.10/rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch
queue-5.10/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
queue-5.10/ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch
queue-5.10/asoc-soc-core-call-missing-init_list_head-for-card_a.patch
queue-5.10/net-lapbether-handle-netdev_pre_type_change.patch
queue-5.10/mips-mm-suppress-tlb-uniquification-on-ehinv-hardwar.patch
queue-5.10/net-lapbether-close-the-lapb-device-before-its-under.patch
queue-5.10/arm64-dts-imx8mq-librem5-don-t-mark-buck3-as-always-on.patch
queue-5.10/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
queue-5.10/ipv6-add-null-checks-for-idev-in-srv6-paths.patch
queue-5.10/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
queue-5.10/x86-uprobes-fix-xol-allocation-failure-for-32-bit-tasks.patch
queue-5.10/netfilter-conntrack-add-missing-netlink-policy-valid.patch
queue-5.10/scsi-qla2xxx-fix-crash-when-i-o-abort-times-out.patch
queue-5.10/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
queue-5.10/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch
queue-5.10/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch
queue-5.10/netfilter-xt_multiport-validate-range-encoding-in-ch.patch
queue-5.10/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch
queue-5.10/blk-cgroup-reinit-blkg_iostat_set-after-clearing-in-.patch
queue-5.10/net-lapbether-replace-comparison-to-null-with-lapbet.patch
queue-5.10/scripts-dtc-remove-unused-dts_version-in-dtc-lexer.l.patch
queue-5.10/thermal-int340x_thermal-handle-data_vault-when-the-v.patch
queue-5.10/xfrm-clear-trailing-padding-in-build_polexpire.patch
queue-5.10/ib-mad-don-t-call-to-function-that-might-sleep-while.patch
queue-5.10/mm-blk-cgroup-fix-use-after-free-in-cgwb_release_workfn.patch
queue-5.10/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch
queue-5.10/xsk-tighten-umem-headroom-validation-to-account-for-.patch
queue-5.10/blk-mq-use-quiesced-elevator-switch-when-reinitializing-queues.patch
queue-5.10/alsa-usb-audio-fix-null-pointer-dereference-on-point.patch
queue-5.10/revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
queue-5.10/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_le.patch
queue-5.10/gfs2-validate-i_depth-for-exhash-directories.patch
queue-5.10/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch
queue-5.10/mips-always-record-segbits-in-cpu_data.vmbits.patch
queue-5.10/cifs-fix-connections-leak-when-tlink-setup-failed.patch
queue-5.10/drm-amd-display-do-not-add-mhard-float-to-calcs-dsc-and-dcn30-fp-files-for-clang.patch
queue-5.10/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-to-0.81v.patch
queue-5.10/mailbox-prevent-out-of-bounds-access-in-of_mbox_index_xlate.patch
queue-5.10/fs-ocfs2-fix-comments-mentioning-i_mutex.patch
queue-5.10/bpf-sockmap-fix-an-infinite-loop-error-when-len-is-0.patch
queue-5.10/drm-amd-display-fix-memory-leak.patch
queue-5.10/media-uvcvideo-allow-extra-entities.patch
queue-5.10/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
queue-5.10/rxrpc-only-handle-response-during-service-challenge.patch
queue-5.10/net-sched-act_ct-fix-ref-leak-when-switching-zones.patch
queue-5.10/tracing-probe-reject-non-closed-empty-immediate-stri.patch
queue-5.10/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch


