Patch "rxrpc: Fix conn-level packet handling to unshare RESPONSE packets" has been added to the 5.15-stable tree

gregkh at linuxfoundation.org gregkh at linuxfoundation.org
Mon Jun 15 22:32:08 PDT 2026


This is a note to let you know that I've just added the patch titled

    rxrpc: Fix conn-level packet handling to unshare RESPONSE packets

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rxrpc-fix-conn-level-packet-handling-to-unshare-response-packets.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.


>From stable+bounces-242815-greg=kroah.com at vger.kernel.org Mon May  4 00:44:24 2026
From: Sasha Levin <sashal at kernel.org>
Date: Sun,  3 May 2026 15:14:16 -0400
Subject: rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
To: stable at vger.kernel.org
Cc: David Howells <dhowells at redhat.com>, Marc Dionne <marc.dionne at auristor.com>, Jeffrey Altman <jaltman at auristor.com>, Simon Horman <horms at kernel.org>, linux-afs at lists.infradead.org, stable at kernel.org, Jakub Kicinski <kuba at kernel.org>, Sasha Levin <sashal at kernel.org>
Message-ID: <20260503191416.1286222-1-sashal at kernel.org>

From: David Howells <dhowells at redhat.com>

[ Upstream commit 24481a7f573305706054c59e275371f8d0fe919f ]

The security operations that verify the RESPONSE packets decrypt bits of it
in place - however, the sk_buff may be shared with a packet sniffer, which
would lead to the sniffer seeing an apparently corrupt packet (actually
decrypted).

Fix this by handing a copy of the packet off to the specific security
handler if the packet was cloned.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Jeffrey Altman <jaltman at auristor.com>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
[ adapted callback signature to include `_abort_code` ]
Signed-off-by: Sasha Levin <sashal at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
 net/rxrpc/conn_event.c | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index 5d91ef562ff78..09438850f9a5a 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -285,6 +285,34 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call)
 	}
 }
 
+static int rxrpc_verify_response(struct rxrpc_connection *conn,
+				 struct sk_buff *skb,
+				 u32 *_abort_code)
+{
+	int ret;
+
+	if (skb_cloned(skb)) {
+		/* Copy the packet if shared so that we can do in-place
+		 * decryption.
+		 */
+		struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
+
+		if (nskb) {
+			rxrpc_new_skb(nskb, rxrpc_skb_unshared);
+			ret = conn->security->verify_response(conn, nskb, _abort_code);
+			rxrpc_free_skb(nskb, rxrpc_skb_freed);
+		} else {
+			/* OOM - Drop the packet. */
+			rxrpc_see_skb(skb, rxrpc_skb_unshared_nomem);
+			ret = -ENOMEM;
+		}
+	} else {
+		ret = conn->security->verify_response(conn, skb, _abort_code);
+	}
+
+	return ret;
+}
+
 /*
  * connection-level Rx packet processor
  */
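Review bot: In the skb_copy() failure branch of rxrpc_verify_response(), the comment says "Drop the packet", but the function returns -ENOMEM through the same ret that carries a verify_response() failure, and *_abort_code is left untouched on that path. The caller in the next hunk only tests ret < 0, so please confirm that -ENOMEM is treated there as a transient drop and not as a failed security check that aborts the connection with whatever value _abort_code already held. A short header comment on the new helper would also help, saying that it exists because verify_response() decrypts in place and that the copy is freed before return. The second point means no security handler may keep a pointer into the skb it was handed.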
@@ -337,7 +365,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
 							    _abort_code);
 
 	case RXRPC_PACKET_TYPE_RESPONSE:
-		ret = conn->security->verify_response(conn, skb, _abort_code);
+		ret = rxrpc_verify_response(conn, skb, _abort_code);
 		if (ret < 0)
 			return ret;
 
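Review bot: After this replacement, skb in the RESPONSE case is no longer guaranteed to be the buffer that was decrypted. When skb_cloned() was true, verify_response() ran on a copy that rxrpc_verify_response() has already freed, and skb still holds the undecrypted data. The rest of the case after `if (ret < 0) return ret;` is outside this hunk, so please confirm that nothing there reads decrypted fields back out of skb.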
-- 
2.53.0



Patches currently in stable-queue which might be from sashal at kernel.org are

queue-5.15/bonding-refuse-to-enslave-can-devices.patch
queue-5.15/asoc-intel-bytcht_es8316-fix-mclk-leak-on-init-error.patch
queue-5.15/asoc-codecs-simple-mux-fix-enum-control-bounds-check.patch
queue-5.15/bluetooth-l2cap-fix-possible-crash-on-l2cap_ecred_co.patch
queue-5.15/ipv6-sit-reload-inner-ipv6-header-after-gso-offloads.patch
queue-5.15/ethtool-eeprom-add-more-safeties-to-eeprom-netlink-f.patch
queue-5.15/6lowpan-fix-off-by-one-in-multicast-context-address-.patch
queue-5.15/randomize_kstack-maintain-kstack_offset-per-task.patch
queue-5.15/sctp-fix-race-between-sctp_wait_for_connect-and-peel.patch
queue-5.15/pcnet32-stop-holding-device-spin-lock-during-napi_co.patch
queue-5.15/drm-vc4-fix-krealloc-memory-leak.patch
queue-5.15/f2fs-fix-to-do-sanity-check-on-dcc-discard_cmd_cnt-conditionally.patch
queue-5.15/arm64-tlb-optimize-arm64_workaround_repeat_tlbi.patch
queue-5.15/nfc-llcp-fix-use-after-free-race-in-nfc_llcp_recv_cc.patch
queue-5.15/net-netlink-fix-sending-unassigned-nsid-after-assign.patch
queue-5.15/bluetooth-bnep-reject-short-frames-before-parsing.patch
queue-5.15/nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch
queue-5.15/rtw88-8821ce-disable-pcie-aspm-l1-for-8821ce-using-chip-id.patch
queue-5.15/net-qrtr-ns-free-the-node-during-ctrl_cmd_bye.patch
queue-5.15/dm-cache-policy-smq-check-allocation-under-invalidat.patch
queue-5.15/crypto-nx-avoid-wflex-array-member-not-at-end-warning.patch
queue-5.15/drm-i915-psr-read-intel-dpcd-workaround-register.patch
queue-5.15/ipv6-rpl-fix-hdrlen-overflow-in-ipv6_rpl_srh_decompr.patch
queue-5.15/ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
queue-5.15/tun-free-page-on-short-frame-rejection-in-tun_xdp_on.patch
queue-5.15/usb-serial-mct_u232-fix-memory-corruption-with-small.patch
queue-5.15/ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch
queue-5.15/wifi-rtw88-check-for-pci-upstream-bridge-existence.patch
queue-5.15/bluetooth-bnep-fix-incorrect-length-parsing-in-bnep_.patch
queue-5.15/mtd-spi-nor-sst-fix-write-enable-before-aai-sequence.patch
queue-5.15/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
queue-5.15/alsa-aoa-i2sbus-clear-stale-prepared-state.patch
queue-5.15/sched-use-u64-for-bandwidth-ratio-calculations.patch
queue-5.15/revert-rdma-rxe-fix-double-free-in-rxe_srq_from_init.patch
queue-5.15/can-ucan-fix-devres-lifetime.patch
queue-5.15/net-qrtr-fix-refcount-saturation-and-potential-uaf-i.patch
queue-5.15/media-rc-igorplugusb-heed-coherency-rules.patch
queue-5.15/bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch
queue-5.15/net-qrtr-ns-change-servers-radix-tree-to-xarray.patch
queue-5.15/net-mctp-ensure-our-nlmsg-responses-are-initialised.patch
queue-5.15/media-rc-ttusbir-respect-dma-coherency-rules.patch
queue-5.15/batman-adv-tt-fix-toctou-race-for-reported-vlans.patch
queue-5.15/nvme-fix-interpretation-of-dmrsl.patch
queue-5.15/time-fix-off-by-one-in-settimeofday-usec-validation.patch
queue-5.15/usb-serial-cypress_m8-fix-memory-corruption-with-sma.patch
queue-5.15/crypto-nx-fix-bounce-buffer-leaks-in-nx842_crypto_-alloc-free-_ctx.patch
queue-5.15/xfrm-policy-fix-use-after-free-on-inexact-bin-in-xfr.patch
queue-5.15/netlabel-validate-unlabeled-address-and-mask-attribu.patch
queue-5.15/can-ucan-fix-typos-in-comments.patch
queue-5.15/batman-adv-tt-avoid-empty-vlan-responses.patch
queue-5.15/drm-remove-plane-hsub-vsub-alignment-requirement-for.patch
queue-5.15/net-qrtr-ns-limit-the-total-number-of-nodes.patch
queue-5.15/scsi-sd-fix-missing-put_disk-when-device_add-disk_dev-fails.patch
queue-5.15/serial-dz-fix-bootconsole-handover-lockup.patch
queue-5.15/net-sched-revert-net-sched-restrict-conditions-for-a.patch
queue-5.15/drm-i915-psr-add-defininitions-for-intel_wa_register.patch
queue-5.15/net-mvpp2-limit-xdp-frame-size-to-the-rx-buffer.patch
queue-5.15/vxlan-do-not-reuse-cached-ip_hdr-value-after-skb_tun.patch
queue-5.15/udf-fix-partition-descriptor-append-bookkeeping.patch
queue-5.15/scsi-sd-add-error-handling-support-for-add_disk.patch
queue-5.15/net-guard-timestamp-cmsgs-to-real-error-queue-skbs.patch
queue-5.15/batman-adv-tvlv-reject-oversized-tvlv-packets.patch
queue-5.15/net-mvpp2-add-metadata-support-for-xdp-mode.patch
queue-5.15/net-mctp-fix-don-t-require-received-header-reserved-bits-to-be-zero.patch
queue-5.15/xfrm-check-for-underflow-in-xfrm_state_mtu.patch
queue-5.15/net-garp-fix-unsigned-integer-underflow-in-garp_pdu_.patch
queue-5.15/alsa-aloop-fix-peer-runtime-uaf-during-format-change-stop.patch
queue-5.15/hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch
queue-5.15/rds-mark-snapshot-pages-dirty-in-rds_info_getsockopt.patch
queue-5.15/net-sched-act_api-use-rcu-with-deferred-freeing-for-.patch
queue-5.15/wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch
queue-5.15/bluetooth-6lowpan-check-skb_clone-return-value-in-se.patch
queue-5.15/mtd-docg3-fix-use-after-free-in-docg3_release.patch
queue-5.15/batman-adv-v-stop-ogmv2-on-disabled-interface.patch
queue-5.15/net-openvswitch-fix-possible-kfree_skb-of-err_ptr.patch
queue-5.15/smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch
queue-5.15/fbdev-defio-disconnect-deferred-i-o-from-the-lifetime-of-struct-fb_info.patch
queue-5.15/net-packet-fix-toctou-race-on-mmap-d-vnet_hdr-in-tpacket_snd.patch
queue-5.15/ip6_vti-fix-incorrect-tunnel-matching-in-vti6_tnl_lo.patch
queue-5.15/gpio-rockchip-convert-bank-clk-to-devm_clk_get_enabl.patch
queue-5.15/hid-pass-the-buffer-size-to-hid_report_raw_event.patch
queue-5.15/smb-server-fix-active_num_conn-leak-on-transport-allocation-failure.patch
queue-5.15/alsa-aoa-skip-devices-with-no-codecs-in-i2sbus_resume.patch
queue-5.15/printk-add-print_hex_dump_devel.patch
queue-5.15/batman-adv-bla-avoid-null-ptr-deref-for-claim-via-dr.patch
queue-5.15/usb-serial-digi_acceleport-fix-memory-corruption-wit.patch
queue-5.15/bluetooth-rfcomm-hold-listener-socket-in-rfcomm_conn.patch
queue-5.15/wifi-mwifiex-fix-use-after-free-in-mwifiex_adapter_cleanup.patch
queue-5.15/tracepoint-balance-regfunc-on-func_add-failure-in-tracepoint_add_func.patch
queue-5.15/batman-adv-iv-recover-ogm-scheduling-after-forward-p.patch
queue-5.15/net-sched-cls_fw-fix-null-dereference-of-old-filters.patch
queue-5.15/compiler-clang.h-add-__diag-infrastructure-for-clang.patch
queue-5.15/net-netlink-don-t-set-nsid-on-local-notifications.patch
queue-5.15/smb-client-fix-oob-read-in-smb2_ioctl_query_info-query_info-path.patch
queue-5.15/batman-adv-tp_meter-directly-shut-down-timer-on-clea.patch
queue-5.15/netfilter-nf_log-validate-mac-header-was-set-before-.patch
queue-5.15/alsa-core-fix-potential-data-race-at-fasync-handling.patch
queue-5.15/net-smc-do-not-re-initialize-smc-hashtables.patch
queue-5.15/ipvs-clear-the-svc-scheduler-ptr-early-on-edit.patch
queue-5.15/bluetooth-l2cap-clear-chan-ident-on-ecred-reconfigur.patch
queue-5.15/tunnels-do-not-assume-transport-header-in-iptunnel_p.patch
queue-5.15/phy-mscc-use-phy_id_match_vendor-to-minimize-phy-id-.patch
queue-5.15/net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
queue-5.15/batman-adv-bla-avoid-double-decrement-of-bla.num_req.patch
queue-5.15/hfsplus-fix-uninit-value-by-validating-catalog-record-size.patch
queue-5.15/batman-adv-tvlv-abort-ogm-send-on-tvlv-append-failur.patch
queue-5.15/net-mvpp2-refill-rx-buffers-before-xdp-or-skb-use.patch
queue-5.15/mtd-docg3-convert-to-platform-remove-callback-returning-void.patch
queue-5.15/scsi-core-pm-rely-on-the-device-driver-core-for-async-power-management.patch
queue-5.15/tun-free-page-on-build_skb-failure-in-tun_xdp_one.patch
queue-5.15/net-mvpp2-build-skb-from-xdp-adjusted-data-on-xdp_pa.patch
queue-5.15/bluetooth-fix-memory-leak-in-error-path-of-hci_alloc.patch
queue-5.15/hid-core-add-printk_ratelimited-variants-to-hid_warn.patch
queue-5.15/bluetooth-mgmt-validate-advertising-tlv-before-type-.patch
queue-5.15/mm-damon-ops-common-call-folio_test_lru-after-folio_.patch
queue-5.15/mmc-sdhci-of-dwcmshc-disable-clock-before-dll-configuration.patch
queue-5.15/netfilter-synproxy-add-mutex-to-guard-hook-reference.patch
queue-5.15/drm-dp-add-edp-1.5-bit-definition.patch
queue-5.15/dmaengine-idxd-fix-not-releasing-workqueue-on-.relea.patch
queue-5.15/tee-optee-prevent-use-after-free-when-the-client-exi.patch
queue-5.15/disable-wattribute-alias-for-clang-23-and-newer.patch
queue-5.15/net-qrtr-ns-limit-the-maximum-number-of-lookups.patch
queue-5.15/net-sched-sch_sfb-replace-direct-dequeue-call-with-p.patch
queue-5.15/netfilter-x_tables-avoid-leaking-percpu-counter-poin.patch
queue-5.15/tunnels-load-network-headers-after-skb_cow-in-iptunn.patch
queue-5.15/netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch
queue-5.15/arm64-mm-enable-batched-tlb-flush-in-unmap_hotplug_range.patch
queue-5.15/alsa-aoa-use-guard-for-mutex-locks.patch
queue-5.15/bluetooth-hci_event-fix-potential-uaf-in-ssp-passkey-handlers.patch
queue-5.15/kvm-arm64-remove-vpipt-i-cache-handling.patch
queue-5.15/xhci-tegra-fix-ghost-usb-device-on-dual-role-port-un.patch
queue-5.15/netfilter-nft_exthdr-fix-register-tracking-for-f_pre.patch
queue-5.15/net-cpsw_new-fix-potential-unregister-of-netdev-that.patch
queue-5.15/smb-server-fix-max_connections-off-by-one-in-tcp-accept-path.patch
queue-5.15/drm-i915-psr-apply-intel-dpcd-workaround-when-sdp-on.patch
queue-5.15/net-iucv-fix-locking-in-.getsockopt.patch
queue-5.15/rdma-rxe-fix-double-free-in-rxe_srq_from_init.patch-82
queue-5.15/sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
queue-5.15/ipv4-restrict-ipopt_ssrr-and-ipopt_lsrr-options.patch
queue-5.15/netfilter-xt_cpu-prefer-raw_smp_processor_id.patch
queue-5.15/erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch
queue-5.15/smb-client-require-a-full-nfs-mode-sid-before-reading-mode-bits.patch
queue-5.15/netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch
queue-5.15/ceph-only-d_add-negative-dentries-when-they-are-unhashed.patch
queue-5.15/tap-free-page-on-error-paths-in-tap_get_user_xdp.patch
queue-5.15/nfc-nxp-nci-i2c-use-rising-edge-irq-on-acpi-systems.patch
queue-5.15/bluetooth-rfcomm-validate-skb-length-in-mcc-handlers.patch
queue-5.15/net-bridge-use-a-stable-fdb-dst-snapshot-in-rcu-readers.patch
queue-5.15/fs-ntfs3-return-error-for-inconsistent-extended-attr.patch
queue-5.15/f2fs-fix-uaf-caused-by-decrementing-sbi-nr_pages-in-f2fs_write_end_io.patch
queue-5.15/thermal-core-fix-thermal-zone-governor-cleanup-issues.patch
queue-5.15/net-lan743x-permit-vlan-tagged-packets-up-to-configu.patch
queue-5.15/crypto-nx-migrate-to-scomp-api.patch
queue-5.15/drm-imx-fix-three-kernel-doc-warnings-in-dcss-scaler.patch
queue-5.15/sd-rename-the-scsi_disk.dev-field.patch
queue-5.15/crypto-caam-guard-hmac-key-hex-dumps-in-hash_digest_key.patch
queue-5.15/netfilter-bridge-make-ebt_snat-arp-rewrite-writable.patch
queue-5.15/nfc-llcp-fix-use-after-free-in-llcp_sock_release.patch
queue-5.15/selftests-forwarding-lib-add-helpers-for-checksum-ha.patch
queue-5.15/hfsplus-fix-held-lock-freed-on-hfsplus_fill_super.patch
queue-5.15/ksmbd-require-minimum-ace-size-in-smb_check_perm_dacl.patch
queue-5.15/netfilter-conntrack_irc-fix-possible-out-of-bounds-r.patch
queue-5.15/netfilter-xt_nfqueue-prefer-raw_smp_processor_id.patch
queue-5.15/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch
queue-5.15/net-rds-fix-null-deref-in-rds_ib_send_cqe_handler-on.patch
queue-5.15/erofs-fix-unsigned-underflow-in-z_erofs_lz4_handle_overlap.patch
queue-5.15/sctp-fix-uninit-value-in-__sctp_rcv_asconf_lookup.patch
queue-5.15/ipv4-free-net-ipv4.sysctl_local_reserved_ports-after.patch
queue-5.15/net-mvpp2-sync-rx-data-at-the-hardware-packet-offset.patch
queue-5.15/arm64-tlb-allow-xzr-argument-to-tlbi-ops.patch
queue-5.15/rxrpc-fix-conn-level-packet-handling-to-unshare-response-packets.patch
queue-5.15/nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch


