Patch "rxrpc: only handle RESPONSE during service challenge" has been added to the 6.6-stable tree

gregkh at linuxfoundation.org gregkh at linuxfoundation.org
Fri Apr 24 01:34:52 PDT 2026 

This is a note to let you know that I've just added the patch titled

    rxrpc: only handle RESPONSE during service challenge

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rxrpc-only-handle-response-during-service-challenge.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.


>From stable+bounces-237816-greg=kroah.com at vger.kernel.org Tue Apr 14 13:26:40 2026
From: Sasha Levin <sashal at kernel.org>
Date: Tue, 14 Apr 2026 07:25:21 -0400
Subject: rxrpc: only handle RESPONSE during service challenge
To: stable at vger.kernel.org
Cc: Wang Jie <jiewang2024 at lzu.edu.cn>, Yifan Wu <yifanwucs at gmail.com>, Juefei Pu <tomapufckgml at gmail.com>, Yuan Tan <yuantan098 at gmail.com>, Xin Liu <bird at lzu.edu.cn>, Yang Yang <n05ec at lzu.edu.cn>, David Howells <dhowells at redhat.com>, Marc Dionne <marc.dionne at auristor.com>, Jeffrey Altman <jaltman at auristor.com>, Simon Horman <horms at kernel.org>, linux-afs at lists.infradead.org, stable at kernel.org, Jakub Kicinski <kuba at kernel.org>, Sasha Levin <sashal at kernel.org>
Message-ID: <20260414112521.410826-2-sashal at kernel.org>

From: Wang Jie <jiewang2024 at lzu.edu.cn>

[ Upstream commit c43ffdcfdbb5567b1f143556df8a04b4eeea041c ]

Only process RESPONSE packets while the service connection is still in
RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before
running response verification and security initialization, then use a local
secured flag to decide whether to queue the secured-connection work after
the state transition. This keeps duplicate or late RESPONSE packets from
re-running the setup path and removes the unlocked post-transition state
test.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Reported-by: Yifan Wu <yifanwucs at gmail.com>
Reported-by: Juefei Pu <tomapufckgml at gmail.com>
Co-developed-by: Yuan Tan <yuantan098 at gmail.com>
Signed-off-by: Yuan Tan <yuantan098 at gmail.com>
Suggested-by: Xin Liu <bird at lzu.edu.cn>
Signed-off-by: Jie Wang <jiewang2024 at lzu.edu.cn>
Signed-off-by: Yang Yang <n05ec at lzu.edu.cn>
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Jeffrey Altman <jaltman at auristor.com>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-21-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
[ adapted spin_lock_irq/spin_unlock_irq calls to spin_lock/spin_unlock ]
Signed-off-by: Sasha Levin <sashal at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
 net/rxrpc/conn_event.c |   14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -233,6 +233,7 @@ static int rxrpc_process_event(struct rx
 			       struct sk_buff *skb)
 {
 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
+	bool secured = false;
 	int ret;
 
 	if (conn->state == RXRPC_CONN_ABORTED)
@@ -245,6 +246,13 @@ static int rxrpc_process_event(struct rx
 		return conn->security->respond_to_challenge(conn, skb);
 
 	case RXRPC_PACKET_TYPE_RESPONSE:
+		spin_lock(&conn->state_lock);
+		if (conn->state != RXRPC_CONN_SERVICE_CHALLENGING) {
+			spin_unlock(&conn->state_lock);
+			return 0;
+		}
+		spin_unlock(&conn->state_lock);
+
 		ret = conn->security->verify_response(conn, skb);
 		if (ret < 0)
 			return ret;
@@ -255,11 +263,13 @@ static int rxrpc_process_event(struct rx
 			return ret;
 
 		spin_lock(&conn->state_lock);
-		if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING)
+		if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) {
 			conn->state = RXRPC_CONN_SERVICE;
+			secured = true;
+		}
 		spin_unlock(&conn->state_lock);
 
-		if (conn->state == RXRPC_CONN_SERVICE) {
+		if (secured) {
 			/* Offload call state flipping to the I/O thread.  As
 			 * we've already received the packet, put it on the
 			 * front of the queue.


Patches currently in stable-queue which might be from sashal at kernel.org are

queue-6.6/net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch
queue-6.6/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch
queue-6.6/net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch
queue-6.6/e1000-check-return-value-of-e1000_read_eeprom.patch
queue-6.6/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch
queue-6.6/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch
queue-6.6/iio-common-st_sensors-fix-use-of-uninitialize-device.patch
queue-6.6/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch
queue-6.6/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch
queue-6.6/hid-roccat-fix-use-after-free-in-roccat_report_event.patch
queue-6.6/alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch
queue-6.6/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch
queue-6.6/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch
queue-6.6/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch
queue-6.6/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch
queue-6.6/net-sched-act_csum-validate-nested-vlan-headers.patch
queue-6.6/md-raid1-raid10-don-t-ignore-io-flags.patch
queue-6.6/objtool-remove-max-symbol-name-length-limitation.patch
queue-6.6/xsk-fix-xdp_umem_sg_flag-issues.patch
queue-6.6/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch
queue-6.6/pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch
queue-6.6/can-mcp251x-add-error-handling-for-power-enable-in-o.patch
queue-6.6/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch
queue-6.6/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch
queue-6.6/ocfs2-validate-inline-data-i_size-during-inode-read.patch
queue-6.6/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch
queue-6.6/btrfs-tracepoints-get-correct-superblock-from-dentry.patch
queue-6.6/platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch
queue-6.6/checkpatch-add-support-for-assisted-by-tag.patch
queue-6.6/pci-endpoint-pci-epf-vntb-remove-duplicate-resource-.patch
queue-6.6/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch
queue-6.6/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch
queue-6.6/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch
queue-6.6/net-add-proper-rcu-protection-to-proc-net-ptype.patch
queue-6.6/l2tp-drop-large-packets-with-udp-encap.patch
queue-6.6/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch
queue-6.6/rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch
queue-6.6/btrfs-merge-btrfs_orig_bbio_end_io-into-btrfs_bio_en.patch
queue-6.6/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch
queue-6.6/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch
queue-6.6/net-ethernet-mtk_eth_soc-initialize-ppe-per-tag-laye.patch
queue-6.6/gpio-tegra-fix-irq_release_resources-calling-enable-.patch
queue-6.6/rxrpc-fix-anonymous-key-handling.patch
queue-6.6/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch
queue-6.6/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch
queue-6.6/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch
queue-6.6/scripts-generate_rust_analyzer.py-define-scripts.patch
queue-6.6/revert-perf-unwind-libdw-fix-invalid-reference-count.patch
queue-6.6/xfrm_user-fix-info-leak-in-build_mapping.patch
queue-6.6/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch
queue-6.6/alsa-asihpi-avoid-write-overflow-check-warning.patch
queue-6.6/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch
queue-6.6/nfc-nci-complete-pending-data-exchange-on-device-clo.patch
queue-6.6/net-annotate-data-races-around-sk-sk_-data_ready-wri.patch
queue-6.6/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch
queue-6.6/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
queue-6.6/blktrace-fix-__this_cpu_read-write-in-preemptible-co.patch
queue-6.6/asoc-soc-core-call-missing-init_list_head-for-card_a.patch
queue-6.6/net-lapbether-handle-netdev_pre_type_change.patch
queue-6.6/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
queue-6.6/ipv6-add-null-checks-for-idev-in-srv6-paths.patch
queue-6.6/drm-i915-psr-do-not-use-pipe_src-as-borders-for-su-a.patch
queue-6.6/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
queue-6.6/netfilter-conntrack-add-missing-netlink-policy-valid.patch
queue-6.6/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch
queue-6.6/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
queue-6.6/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch
queue-6.6/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch
queue-6.6/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch
queue-6.6/net-skb-fix-cross-cache-free-of-kfence-allocated-skb.patch
queue-6.6/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch
queue-6.6/netfilter-xt_multiport-validate-range-encoding-in-ch.patch
queue-6.6/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch
queue-6.6/scripts-dtc-remove-unused-dts_version-in-dtc-lexer.l.patch
queue-6.6/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch
queue-6.6/xsk-respect-tailroom-for-zc-setups.patch
queue-6.6/kvm-nvmx-fold-requested-virtual-interrupt-check-into.patch
queue-6.6/net-txgbe-leave-space-for-null-terminators-on-proper.patch
queue-6.6/ice-fix-memory-leak-in-ice_set_ringparam.patch
queue-6.6/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch
queue-6.6/xsk-tighten-umem-headroom-validation-to-account-for-.patch
queue-6.6/i40e-fix-preempt-count-leak-in-napi-poll-tracepoint.patch
queue-6.6/ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch
queue-6.6/alsa-usb-audio-improve-focusrite-sample-rate-filteri.patch
queue-6.6/net-stmmac-fix-ptp-ref-clock-for-tegra234.patch
queue-6.6/drm-vc4-release-runtime-pm-reference-after-binding-v.patch
queue-6.6/net-sched-fix-tcf_layer_transport-handling-in-tcf_ge.patch
queue-6.6/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch
queue-6.6/kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch
queue-6.6/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
queue-6.6/xsk-validate-mtu-against-usable-frame-size-on-bind.patch
queue-6.6/rxrpc-only-handle-response-during-service-challenge.patch
queue-6.6/tracing-probe-reject-non-closed-empty-immediate-stri.patch
queue-6.6/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch
queue-6.6/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch

More information about the linux-afs mailing list