Patch "rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer" has been added to the 6.12-stable tree
gregkh at linuxfoundation.org
gregkh at linuxfoundation.org
Sun Jun 7 00:38:06 PDT 2026
This is a note to let you know that I've just added the patch titled
rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer
to the 6.12-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
rxrpc-fix-response-packet-verification-to-extract-skb-to-a-linear-buffer.patch
and it can be found in the queue-6.12 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.
From stable+bounces-256789-greg=kroah.com at vger.kernel.org Fri May 29 23:42:18 2026
From: Sasha Levin <sashal at kernel.org>
Date: Fri, 29 May 2026 17:42:08 -0400
Subject: rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer
To: stable at vger.kernel.org
Cc: David Howells <dhowells at redhat.com>, Hyunwoo Kim <imv4bel at gmail.com>, Simon Horman <horms at kernel.org>, Jiayuan Chen <jiayuan.chen at linux.dev>, linux-afs at lists.infradead.org, stable at kernel.org, Jeffrey Altman <jaltman at auristor.com>, Marc Dionne <marc.dionne at auristor.com>, Jakub Kicinski <kuba at kernel.org>, Sasha Levin <sashal at kernel.org>
Message-ID: <20260529214208.1792984-2-sashal at kernel.org>
From: David Howells <dhowells at redhat.com>
[ Upstream commit 8bfab4b6ffc2fe92da86300728fc8c3c7ebffb56 ]
This improves the fix for CVE-2026-43500.
Fix the verification of RESPONSE packets to avoid the problem of
overwriting a RESPONSE packet sent via splice to a local address by
extracting the contents of the UDP packet into a kmalloc'd linear buffer
rather than decrypting the data in place in the sk_buff (which may corrupt
the original buffer).
Fixes: 24481a7f5733 ("rxrpc: Fix conn-level packet handling to unshare RESPONSE packets")
Reported-by: Hyunwoo Kim <imv4bel at gmail.com>
Closes: https://lore.kernel.org/r/afKV2zGR6rrelPC7@v4bel/
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Simon Horman <horms at kernel.org>
cc: Jiayuan Chen <jiayuan.chen at linux.dev>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Reviewed-by: Jeffrey Altman <jaltman at auristor.com>
Tested-by: Marc Dionne <marc.dionne at auristor.com>
Link: https://patch.msgid.link/20260515230516.2718212-4-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Signed-off-by: Sasha Levin <sashal at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
net/rxrpc/ar-internal.h | 5 +++--
net/rxrpc/conn_event.c | 30 ++++++++++++------------------
net/rxrpc/insecure.c | 5 +++--
net/rxrpc/rxkad.c | 29 ++++++++++-------------------
4 files changed, 28 insertions(+), 41 deletions(-)
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -270,8 +270,9 @@ struct rxrpc_security {
struct sk_buff *);
/* verify a response */
- int (*verify_response)(struct rxrpc_connection *,
- struct sk_buff *);
+ int (*verify_response)(struct rxrpc_connection *conn,
+ struct sk_buff *response_skb,
+ void *response, unsigned int len);
/* clear connection security */
void (*clear)(struct rxrpc_connection *);
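Review bot: The `response` and `len` parameters added to the `verify_response` op are not described anywhere, and the existing `/* verify a response */` line no longer tells an implementer what it receives. From conn_event.c in this patch, `response` looks like a kmalloc'd linear copy of the packet starting just after the wire header and `len` its length in bytes, with the caller owning and freeing the block; rxkad.c calls the same parameters `skb, buffer, len`, so the prototype and the implementation disagree on the name. I would extend the comment to `/* verify a response; response/len is a caller-owned linear copy of the packet body after the wire header and may be decrypted in place */` and align the parameter name in rxkad_verify_response with the prototype. The struct rxrpc_security definition continues outside this hunk.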
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -229,28 +229,22 @@ static void rxrpc_call_is_secure(struct
static int rxrpc_verify_response(struct rxrpc_connection *conn,
struct sk_buff *skb)
{
+ unsigned int len = skb->len - sizeof(struct rxrpc_wire_header);
+ void *buffer;
int ret;
- if (skb_cloned(skb) || skb_has_frag_list(skb) ||
- skb_has_shared_frag(skb)) {
- /* Copy the packet if shared so that we can do in-place
- * decryption.
- */
- struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
+ buffer = kmalloc(len, GFP_NOFS);
+ if (!buffer)
+ return -ENOMEM;
- if (nskb) {
- rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
- ret = conn->security->verify_response(conn, nskb);
- rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
- } else {
- /* OOM - Drop the packet. */
- rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
- ret = -ENOMEM;
- }
- } else {
- ret = conn->security->verify_response(conn, skb);
- }
+ ret = skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), buffer, len);
+ if (ret < 0)
+ goto out;
+ ret = conn->security->verify_response(conn, skb, buffer, len);
+
+out:
+ kfree(buffer);
return ret;
}
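Review bot: `kfree(buffer)` under `out:` releases a block that, after rxkad verification, appears to contain the decrypted Kerberos ticket and therefore the session key (the rxkad.c hunks in this patch point `ticket` directly into it), so the plaintext is left behind in the freed slab object; `kfree_sensitive(buffer);` would zero it first, which the previous code also did not do for its separate `ticket` allocation. Separately, `unsigned int len = skb->len - sizeof(struct rxrpc_wire_header);` wraps around if the skb is shorter than the wire header; that is presumably unreachable because the header is extracted before a packet reaches connection-level handling, but a guard such as `if (skb->len < sizeof(struct rxrpc_wire_header)) return -EPROTO;` ahead of the subtraction would make the invariant explicit instead of relying on kmalloc() rejecting an enormous size.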
--- a/net/rxrpc/insecure.c
+++ b/net/rxrpc/insecure.c
@@ -44,9 +44,10 @@ static int none_respond_to_challenge(str
}
static int none_verify_response(struct rxrpc_connection *conn,
- struct sk_buff *skb)
+ struct sk_buff *response_skb,
+ void *response, unsigned int len)
{
- return rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO,
+ return rxrpc_abort_conn(conn, response_skb, RX_PROTOCOL_ERROR, -EPROTO,
rxrpc_eproto_rxnull_response);
}
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -875,7 +875,6 @@ static int rxkad_decrypt_ticket(struct r
*_expiry = 0;
ASSERT(server_key->payload.data[0] != NULL);
- ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
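Review bot: Dropping `ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);` is consistent with the rest of the patch, because `ticket` now points at `buffer + sizeof(struct rxkad_response)` inside a single kmalloc'd block rather than at its own allocation, so whether it is 8-byte aligned now depends on that struct's size rather than on the allocator; the removal deserves a comment so the check is not reinstated later. I would add `/* ticket points into the caller's linear buffer; do not assume 8-byte alignment */` above the memcpy. rxkad_decrypt_ticket begins and ends outside this hunk, so I cannot see whether anything else in it relied on the old alignment assumption.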
@@ -1024,14 +1023,15 @@ unlock:
* verify a response
*/
static int rxkad_verify_response(struct rxrpc_connection *conn,
- struct sk_buff *skb)
+ struct sk_buff *skb,
+ void *buffer, unsigned int len)
{
struct rxkad_response *response;
struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
struct rxrpc_crypt session_key;
struct key *server_key;
time64_t expiry;
- void *ticket = NULL;
+ void *ticket;
u32 version, kvno, ticket_len, level;
__be32 csum;
int ret, i;
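Review bot: The new `buffer`/`len` parameters change the ownership model of rxkad_verify_response (`response` and `ticket` become pointers into a caller-owned block instead of local allocations, and the `kfree()` calls at the `error:` label are removed in the last hunk), yet the comment above the function still reads only `* verify a response`. I would expand that comment to state that `buffer`/`len` describe the caller's linear copy of the packet body after the wire header, that the ticket is decrypted in place within it, and that the function frees nothing. The function body is spread across several hunks and its closing brace is outside this one.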
@@ -1054,13 +1054,8 @@ static int rxkad_verify_response(struct
}
}
- ret = -ENOMEM;
- response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
- if (!response)
- goto error;
-
- if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
- response, sizeof(*response)) < 0) {
+ response = buffer;
+ if (len < sizeof(*response)) {
ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
rxkad_abort_resp_short);
goto error;
@@ -1072,6 +1067,9 @@ static int rxkad_verify_response(struct
trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
+ buffer += sizeof(*response);
+ len -= sizeof(*response);
+
if (version != RXKAD_VERSION) {
ret = rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
rxkad_abort_resp_version);
@@ -1091,13 +1089,8 @@ static int rxkad_verify_response(struct
}
/* extract the kerberos ticket and decrypt and decode it */
- ret = -ENOMEM;
- ticket = kmalloc(ticket_len, GFP_NOFS);
- if (!ticket)
- goto error;
-
- if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
- ticket, ticket_len) < 0) {
+ ticket = buffer;
+ if (ticket_len > len) {
ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
rxkad_abort_resp_short_tkt);
goto error;
@@ -1177,8 +1170,6 @@ static int rxkad_verify_response(struct
ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
error:
- kfree(ticket);
- kfree(response);
key_put(server_key);
_leave(" = %d", ret);
return ret;
Patches currently in stable-queue which might be from sashal at kernel.org are
queue-6.12/kunit-fix-use-after-free-in-debugfs-when-using-kunit.patch
queue-6.12/bonding-refuse-to-enslave-can-devices.patch
queue-6.12/x86-ftrace-relocate-rip-relative-percpu-refs-in-dynamic-trampolines.patch
queue-6.12/arm64-io-rename-ioremap_prot-to-__ioremap_prot.patch
queue-6.12/asoc-intel-bytcht_es8316-fix-mclk-leak-on-init-error.patch
queue-6.12/asoc-codecs-simple-mux-fix-enum-control-bounds-check.patch
queue-6.12/vsock-keep-poll-shutdown-state-consistent.patch
queue-6.12/arm64-debug-split-brk64-exception-entry.patch
queue-6.12/bluetooth-l2cap-fix-possible-crash-on-l2cap_ecred_co.patch
queue-6.12/ice-fix-vf-queue-configuration-with-low-mtu-values.patch
queue-6.12/mm-memory-fix-spurious-warning-when-unmapping-device-private-exclusive-pages.patch
queue-6.12/x86-kexec-disable-kcov-instrumentation-after-load_se.patch
queue-6.12/ethtool-eeprom-add-more-safeties-to-eeprom-netlink-f.patch
queue-6.12/drm-v3d-fix-use-after-free-of-cpu-job-query-arrays-o.patch
queue-6.12/sctp-fix-race-between-sctp_wait_for_connect-and-peel.patch
queue-6.12/iio-chemical-scd30-fix-division-by-zero-in-write_raw.patch
queue-6.12/arm64-debug-call-software-breakpoint-handlers-static.patch
queue-6.12/mptcp-do-not-drop-partial-packets.patch
queue-6.12/usb-musb-omap2430-fix-use-after-free-in-omap2430_probe.patch
queue-6.12/nfc-llcp-fix-use-after-free-race-in-nfc_llcp_recv_cc.patch
queue-6.12/perf-fix-dangling-cgroup-pointer-in-cpuctx.patch
queue-6.12/octeontx2-pf-avoid-double-free-of-pool-stack-on-aq-init-failure.patch
queue-6.12/net-hsr-defer-node-table-free-until-after-rcu-readers.patch
queue-6.12/net-netlink-fix-sending-unassigned-nsid-after-assign.patch
queue-6.12/net-avoid-checksumming-unreadable-skb-tail-on-trim.patch
queue-6.12/drm-i915-psr-read-intel-dpcd-workaround-register.patch
queue-6.12/arm64-refactor-aarch32_break_handler.patch
queue-6.12/ipv6-rpl-fix-hdrlen-overflow-in-ipv6_rpl_srh_decompr.patch
queue-6.12/ethtool-module-fix-cleanup-if-socket-used-for-flashi.patch
queue-6.12/tun-free-page-on-short-frame-rejection-in-tun_xdp_on.patch
queue-6.12/inet-frags-add-inet_frag_queue_flush.patch
queue-6.12/net-sched-fix-ethx-ingress-ethy-egress-ethx-ingress-.patch
queue-6.12/usb-typec-ucsi-check-if-power-role-change-actually-happened-before-handling.patch
queue-6.12/ethtool-eeprom-add-missing-ethnl_ops_begin-_complete.patch
queue-6.12/net-introduce-skb-tc-depth-field-to-track-packet-loo.patch
queue-6.12/net-ethtool-add-new-parameters-and-a-function-to-sup.patch
queue-6.12/ethtool-pse-pd-fix-missing-ethnl_ops_complete.patch
queue-6.12/alsa-pcm-oss-fix-setup-list-uaf-on-proc-write-error.patch
queue-6.12/ring-buffer-flush-and-stop-persistent-ring-buffer-on-panic.patch
queue-6.12/x86-boot-disable-stack-protector-for-early-boot-code.patch
queue-6.12/usb-typec-ucsi-don-t-update-power_supply-on-power-role-change-if-not-connected.patch
queue-6.12/net-mctp-ensure-our-nlmsg-responses-are-initialised.patch
queue-6.12/batman-adv-tt-fix-toctou-race-for-reported-vlans.patch
queue-6.12/ethtool-module-check-fw_flash_in_progress-under-rtnl.patch
queue-6.12/arm64-entry-add-entry-and-exit-functions-for-debug-e.patch
queue-6.12/nvme-tcp-store-negative-errno-in-queue-tls_err.patch
queue-6.12/usb-serial-cypress_m8-fix-memory-corruption-with-sma.patch
queue-6.12/alsa-firewire-motu-protect-register-dsp-event-queue-positions.patch
queue-6.12/net-sched-act_mirred-add-loop-detection.patch
queue-6.12/batman-adv-tt-avoid-empty-vlan-responses.patch
queue-6.12/ethtool-cmis-fix-u16-to-u8-truncation-of-msleep_pre_.patch
queue-6.12/net-hsr-fix-potential-oob-access-in-supervision-fram.patch
queue-6.12/cxl-test-update-mock-dev-array-before-calling-platfo.patch
queue-6.12/ethtool-coalesce-cap-profile-updates-at-net_dim_para.patch
queue-6.12/arm64-debug-remove-break-step-handler-registration-i.patch
queue-6.12/thunderbolt-property-cap-recursion-depth-in-__tb_property_parse_dir.patch
queue-6.12/net-sched-revert-net-sched-restrict-conditions-for-a.patch
queue-6.12/arm64-introduce-esr_is_ubsan_brk.patch
queue-6.12/inet-frags-flush-pending-skbs-in-fqdir_pre_exit.patch
queue-6.12/drm-i915-psr-add-defininitions-for-intel_wa_register.patch
queue-6.12/alsa-scarlett2-allow-flash-writes-ending-at-segment-boundary.patch
queue-6.12/ethtool-cmis-validate-fw-size-against-start_cmd_payl.patch
queue-6.12/arm64-debug-always-unmask-interrupts-in-el0_softstp.patch
queue-6.12/vxlan-do-not-reuse-cached-ip_hdr-value-after-skb_tun.patch
queue-6.12/batman-adv-tvlv-reject-oversized-tvlv-packets.patch
queue-6.12/ethtool-rss-fix-hkey-leak-when-indir_size-is-0.patch
queue-6.12/alsa-scarlett2-return-enospc-for-out-of-bounds-flash-writes.patch
queue-6.12/net-sched-act_mirred-move-the-recursion-counter-stru.patch
queue-6.12/iommu-skip-pasid-validation-for-devices-without-pasi.patch
queue-6.12/xfrm-check-for-underflow-in-xfrm_state_mtu.patch
queue-6.12/batman-adv-tt-prevent-tvlv-entry-number-overflow.patch
queue-6.12/s390-cio-restore-gfp_dma-for-chsc-allocation.patch
queue-6.12/arm64-debug-split-bkpt32-exception-entry.patch
queue-6.12/hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch
queue-6.12/xfrm-move-policy_bydst-rcu-sync-from-per-netns-.exit.patch
queue-6.12/net-handshake-pass-negative-errno-through-handshake_.patch
queue-6.12/bluetooth-6lowpan-check-skb_clone-return-value-in-se.patch
queue-6.12/rxrpc-fix-response-packet-verification-to-extract-skb-to-a-linear-buffer.patch
queue-6.12/batman-adv-v-stop-ogmv2-on-disabled-interface.patch
queue-6.12/arm64-tlb-flush-walk-cache-when-unsharing-pmd-tables.patch
queue-6.12/net-handshake-drain-pending-requests-at-net-namespac.patch
queue-6.12/mptcp-pm-fix-add_addr-timer-infinite-retry-on-option-space-insufficient.patch
queue-6.12/gpio-rockchip-convert-bank-clk-to-devm_clk_get_enabl.patch
queue-6.12/hid-pass-the-buffer-size-to-hid_report_raw_event.patch
queue-6.12/mm-damon-sysfs-schemes-delete-tried-region-in-regions_rmdirs.patch
queue-6.12/iio-dac-ad5686-fix-ref-bit-initialization-for-single-channel-parts.patch
queue-6.12/batman-adv-bla-avoid-null-ptr-deref-for-claim-via-dr.patch
queue-6.12/media-rc-fix-race-between-unregister-and-urb-irq-cal.patch
queue-6.12/usb-serial-digi_acceleport-fix-memory-corruption-wit.patch
queue-6.12/serdev-provide-a-bustype-shutdown-function.patch
queue-6.12/batman-adv-iv-recover-ogm-scheduling-after-forward-p.patch
queue-6.12/net-sched-cls_fw-fix-null-dereference-of-old-filters.patch
queue-6.12/net-netlink-don-t-set-nsid-on-local-notifications.patch
queue-6.12/batman-adv-tp_meter-directly-shut-down-timer-on-clea.patch
queue-6.12/mm-page_alloc-clear-page-private-in-free_pages_prepa.patch
queue-6.12/kernel-fork-validate-exit_signal-in-kernel_clone.patch
queue-6.12/net-smc-do-not-re-initialize-smc-hashtables.patch
queue-6.12/batman-adv-tp_meter-avoid-role-confusion-in-tp_list.patch
queue-6.12/bluetooth-l2cap-clear-chan-ident-on-ecred-reconfigur.patch
queue-6.12/tunnels-do-not-assume-transport-header-in-iptunnel_p.patch
queue-6.12/remove-pointless-includes-of-linux-fdtable.h.patch
queue-6.12/selftests-mptcp-drop-nanoseconds-width-specifier.patch
queue-6.12/iio-chemical-scd30-use-guard-mutex-to-allow-early-returns.patch
queue-6.12/net-sched-act_mirred-fix-return-code-in-early-mirred.patch
queue-6.12/batman-adv-bla-avoid-double-decrement-of-bla.num_req.patch
queue-6.12/batman-adv-tvlv-abort-ogm-send-on-tvlv-append-failur.patch
queue-6.12/ethtool-cmis-validate-start_cmd_payload_size-from-mo.patch
queue-6.12/media-rc-ttusbir-fix-inverted-error-logic.patch
queue-6.12/drm-v3d-release-indirect-csd-gem-reference-on-cpu-jo.patch
queue-6.12/arm64-debug-call-step-handlers-statically.patch
queue-6.12/net-handshake-use-spin_lock_bh-for-hn_lock.patch
queue-6.12/tun-free-page-on-build_skb-failure-in-tun_xdp_one.patch
queue-6.12/bluetooth-hci_sync-set-hci_cmd_drain_workqueue-durin.patch
queue-6.12/arm64-io-extract-user-memory-type-in-ioremap_prot.patch
queue-6.12/hid-core-add-printk_ratelimited-variants-to-hid_warn.patch
queue-6.12/usb-dwc3-xilinx-fix-error-handling-in-zynqmp-init-error-paths.patch
queue-6.12/accel-ivpu-prevent-uninitialized-data-bug-in-debugfs.patch
queue-6.12/drm-dp-add-edp-1.5-bit-definition.patch
queue-6.12/hid-core-introduce-hid_safe_input_report.patch
queue-6.12/ipv6-fix-possible-infinite-loop-in-rt6_fill_node.patch
queue-6.12/net-skbuff-fix-pskb_carve-leaking-zcopy-pages.patch
queue-6.12/net-sched-sch_sfb-replace-direct-dequeue-call-with-p.patch
queue-6.12/ethtool-cmis-require-exact-cdb-reply-length.patch
queue-6.12/net-ethtool-add-support-for-writing-firmware-blocks-.patch
queue-6.12/tunnels-load-network-headers-after-skb_cow-in-iptunn.patch
queue-6.12/netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch
queue-6.12/rxrpc-fix-data-decrypt-vs-splice-by-copying-data-to-buffer-in-recvmsg.patch
queue-6.12/gpio-mxc-fix-irq_high-handling.patch
queue-6.12/bluetooth-hci_qca-migrate-to-serdev-specific-shutdown-function.patch
queue-6.12/xhci-tegra-fix-ghost-usb-device-on-dual-role-port-un.patch
queue-6.12/net-mana-add-null-guards-in-teardown-path-to-prevent.patch
queue-6.12/mptcp-cleanup-fallback-dummy-mapping-generation.patch
queue-6.12/mptcp-handle-first-subflow-closing-consistently.patch
queue-6.12/net-cpsw_new-fix-potential-unregister-of-netdev-that.patch
queue-6.12/bcache-fix-uninitialized-closure-object.patch
queue-6.12/drm-i915-psr-apply-intel-dpcd-workaround-when-sdp-on.patch
queue-6.12/arm64-debug-refactor-reinstall_suspended_bps.patch
queue-6.12/net-iucv-fix-locking-in-.getsockopt.patch
queue-6.12/ethtool-strset-fix-header-attribute-index-in-ethnl_r.patch
queue-6.12/platform-x86-intel-vsec-fix-enable_cnt-imbalance-on-pcie-error-recovery.patch
queue-6.12/netfilter-xt_cpu-prefer-raw_smp_processor_id.patch
queue-6.12/ethtool-linkstate-fix-unbalanced-ethnl_ops_complete-.patch
queue-6.12/bluetooth-hci_qca-convert-timeout-from-jiffies-to-ms.patch
queue-6.12/batman-adv-tt-reject-oversized-local-tvlv-buffers.patch
queue-6.12/netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch
queue-6.12/mptcp-reset-rcv-wnd-on-disconnect.patch
queue-6.12/net-sched-fix-packet-loop-on-netem-when-duplicate-is.patch
queue-6.12/net-handshake-take-a-long-lived-file-reference-at-su.patch
queue-6.12/nfc-nxp-nci-i2c-use-rising-edge-irq-on-acpi-systems.patch
queue-6.12/scsi-target-iscsi-fix-crc-overread-and-double-free-in-iscsit_handle_text_cmd.patch
queue-6.12/gpio-virtuser-fix-uninitialized-data-bug-in-gpio_vir.patch
queue-6.12/arm64-debug-split-hardware-breakpoint-exception-entr.patch
queue-6.12/x86-alternatives-rename-apply_relocation-to-text_poke_apply_relocation.patch
queue-6.12/arm64-debug-split-hardware-watchpoint-exception-entr.patch
queue-6.12/ipv6-fix-possible-infinite-loop-in-fib6_select_path.patch
queue-6.12/scsi-core-run-queues-for-all-non-sdev_del-devices-fr.patch
queue-6.12/nfc-llcp-fix-use-after-free-in-llcp_sock_release.patch
queue-6.12/arm64-debug-clean-up-single_step_handler-logic.patch
queue-6.12/arm64-debug-remove-debug-exception-registration-infr.patch
queue-6.12/ethtool-module-avoid-leaking-a-netdev-ref-on-module-.patch
queue-6.12/arm64-debug-split-single-stepping-exception-entry.patch
queue-6.12/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch
queue-6.12/ipv4-free-net-ipv4.sysctl_local_reserved_ports-after.patch
queue-6.12/mptcp-introduce-the-mptcp_init_skb-helper.patch