Patch "rxrpc: Fix rxkad crypto unalignment handling" has been added to the 6.18-stable tree
gregkh at linuxfoundation.org
gregkh at linuxfoundation.org
Fri May 1 05:06:33 PDT 2026
This is a note to let you know that I've just added the patch titled
rxrpc: Fix rxkad crypto unalignment handling
to the 6.18-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
rxrpc-fix-rxkad-crypto-unalignment-handling.patch
and it can be found in the queue-6.18 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.
>From def304aae2edf321d2671fd6ca766a93c21f877e Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
Date: Wed, 22 Apr 2026 17:14:31 +0100
Subject: rxrpc: Fix rxkad crypto unalignment handling
From: David Howells <dhowells at redhat.com>
commit def304aae2edf321d2671fd6ca766a93c21f877e upstream.
Fix handling of a packet with a misaligned crypto length. Also handle
non-ENOMEM errors from decryption by aborting. Further, remove the
WARN_ON_ONCE() so that it can't be remotely triggered (a trace line can
still be emitted).
Fixes: f93af41b9f5f ("rxrpc: Fix missing error checks for rxkad encryption/decryption failure")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Jeffrey Altman <jaltman at auristor.com>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-3-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
include/trace/events/rxrpc.h | 1 +
net/rxrpc/rxkad.c | 9 +++++++--
2 files changed, 8 insertions(+), 2 deletions(-)
--- a/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -37,6 +37,7 @@
EM(rxkad_abort_1_short_encdata, "rxkad1-short-encdata") \
EM(rxkad_abort_1_short_header, "rxkad1-short-hdr") \
EM(rxkad_abort_2_short_check, "rxkad2-short-check") \
+ EM(rxkad_abort_2_crypto_unaligned, "rxkad2-crypto-unaligned") \
EM(rxkad_abort_2_short_data, "rxkad2-short-data") \
EM(rxkad_abort_2_short_header, "rxkad2-short-hdr") \
EM(rxkad_abort_2_short_len, "rxkad2-short-len") \
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -510,6 +510,9 @@ static int rxkad_verify_packet_2(struct
return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
rxkad_abort_2_short_header);
+ /* Don't let the crypto algo see a misaligned length. */
+ sp->len = round_down(sp->len, 8);
+
/* Decrypt the skbuff in-place. TODO: We really want to decrypt
* directly into the target buffer.
*/
@@ -543,8 +546,10 @@ static int rxkad_verify_packet_2(struct
if (sg != _sg)
kfree(sg);
if (ret < 0) {
- WARN_ON_ONCE(ret != -ENOMEM);
- return ret;
+ if (ret == -ENOMEM)
+ return ret;
+ return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
+ rxkad_abort_2_crypto_unaligned);
}
/* Extract the decrypted packet length */
Patches currently in stable-queue which might be from dhowells at redhat.com are
queue-6.18/rxrpc-fix-re-decryption-of-response-packets.patch
queue-6.18/rxrpc-fix-rxrpc_input_call_event-to-only-unshare-data-packets.patch
queue-6.18/rxrpc-fix-rxkad-crypto-unalignment-handling.patch
queue-6.18/rxrpc-fix-memory-leaks-in-rxkad_verify_response.patch
queue-6.18/fs-afs-revert-mmap_prepare-change.patch
queue-6.18/rxrpc-fix-potential-uaf-after-skb_unshare-failure.patch
queue-6.18/rxrpc-fix-conn-level-packet-handling-to-unshare-response-packets.patch
queue-6.18/rxrpc-fix-error-handling-in-rxgk_extract_token.patch
More information about the linux-afs
mailing list