Patch "rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets" has been added to the 7.0-stable tree

gregkh at linuxfoundation.org gregkh at linuxfoundation.org
Fri May 1 05:05:48 PDT 2026 

This is a note to let you know that I've just added the patch titled

    rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets

to the 7.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rxrpc-fix-rxrpc_input_call_event-to-only-unshare-data-packets.patch
and it can be found in the queue-7.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.


>From 55b2984c96c37f909bbfe8851f13152693951382 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
Date: Thu, 23 Apr 2026 21:09:06 +0100
Subject: rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets

From: David Howells <dhowells at redhat.com>

commit 55b2984c96c37f909bbfe8851f13152693951382 upstream.

Fix rxrpc_input_call_event() to only unshare DATA packets and not ACK,
ABORT, etc..

And with that, rxrpc_input_packet() doesn't need to take a pointer to the
pointer to the packet, so change that to just a pointer.

Fixes: 1f2740150f90 ("rxrpc: Fix potential UAF after skb_unshare() failure")
Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Jeffrey Altman <jaltman at auristor.com>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260423200909.3049438-2-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
 net/rxrpc/call_event.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -332,7 +332,8 @@ bool rxrpc_input_call_event(struct rxrpc
 
 			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
 
-			if (sp->hdr.securityIndex != 0 &&
+			if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
+			    sp->hdr.securityIndex != 0 &&
 			    skb_cloned(skb)) {
 				/* Unshare the packet so that it can be
 				 * modified by in-place decryption.


Patches currently in stable-queue which might be from dhowells at redhat.com are

queue-7.0/rxrpc-fix-re-decryption-of-response-packets.patch
queue-7.0/rxrpc-fix-rxrpc_input_call_event-to-only-unshare-data-packets.patch
queue-7.0/rxrpc-fix-rxkad-crypto-unalignment-handling.patch
queue-7.0/rxrpc-fix-memory-leaks-in-rxkad_verify_response.patch
queue-7.0/fs-afs-revert-mmap_prepare-change.patch
queue-7.0/rxrpc-fix-potential-uaf-after-skb_unshare-failure.patch
queue-7.0/rxrpc-fix-conn-level-packet-handling-to-unshare-response-packets.patch
queue-7.0/rxrpc-fix-error-handling-in-rxgk_extract_token.patch

More information about the linux-afs mailing list