[PATCH 6.12.y] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
Greg KH
gregkh at linuxfoundation.org
Mon May 4 05:04:21 PDT 2026
On Sun, May 03, 2026 at 10:17:23AM -0400, Sasha Levin wrote:
> From: David Howells <dhowells at redhat.com>
>
> [ Upstream commit 24481a7f573305706054c59e275371f8d0fe919f ]
>
> The security operations that verify the RESPONSE packets decrypt bits of it
> in place - however, the sk_buff may be shared with a packet sniffer, which
> would lead to the sniffer seeing an apparently corrupt packet (actually
> decrypted).
>
> Fix this by handing a copy of the packet off to the specific security
> handler if the packet was cloned.
>
> Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
> Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
> Signed-off-by: David Howells <dhowells at redhat.com>
> cc: Marc Dionne <marc.dionne at auristor.com>
> cc: Jeffrey Altman <jaltman at auristor.com>
> cc: Simon Horman <horms at kernel.org>
> cc: linux-afs at lists.infradead.org
> cc: stable at kernel.org
> Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com
> Signed-off-by: Jakub Kicinski <kuba at kernel.org>
> Signed-off-by: Sasha Levin <sashal at kernel.org>
> ---
> include/trace/events/rxrpc.h | 2 ++
> net/rxrpc/conn_event.c | 29 ++++++++++++++++++++++++++++-
> 2 files changed, 30 insertions(+), 1 deletion(-)
>
> diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
> index 3eb806f7bc6a5..c5533176d770d 100644
> --- a/include/trace/events/rxrpc.h
> +++ b/include/trace/events/rxrpc.h
> @@ -146,12 +146,14 @@
> EM(rxrpc_skb_put_jumbo_subpacket, "PUT jumbo-sub") \
> EM(rxrpc_skb_put_last_nack, "PUT last-nack") \
> EM(rxrpc_skb_put_purge, "PUT purge ") \
> + EM(rxrpc_skb_put_response_copy, "PUT resp-cpy ") \
> EM(rxrpc_skb_put_rotate, "PUT rotate ") \
> EM(rxrpc_skb_put_unknown, "PUT unknown ") \
> EM(rxrpc_skb_see_conn_work, "SEE conn-work") \
> EM(rxrpc_skb_see_recvmsg, "SEE recvmsg ") \
> EM(rxrpc_skb_see_reject, "SEE reject ") \
> EM(rxrpc_skb_see_rotate, "SEE rotate ") \
> + EM(rxrpc_skb_see_unshare_nomem, "SEE unshar-nm") \
> E_(rxrpc_skb_see_version, "SEE version ")
>
> #define rxrpc_local_traces \
> diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
> index 6ef2dc1aa8cc2..6d7b064661d88 100644
> --- a/net/rxrpc/conn_event.c
> +++ b/net/rxrpc/conn_event.c
> @@ -226,6 +226,33 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call)
> rxrpc_notify_socket(call);
> }
>
> +static int rxrpc_verify_response(struct rxrpc_connection *conn,
> + struct sk_buff *skb)
> +{
> + int ret;
> +
> + if (skb_cloned(skb)) {
> + /* Copy the packet if shared so that we can do in-place
> + * decryption.
> + */
> + struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
> +
> + if (nskb) {
> + rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
> + ret = conn->security->verify_response(conn, nskb);
> + rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
> + } else {
> + /* OOM - Drop the packet. */
> + rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
> + ret = -ENOMEM;
> + }
> + } else {
> + ret = conn->security->verify_response(conn, skb);
> + }
> +
> + return ret;
> +}
> +
> /*
> * connection-level Rx packet processor
> */
> @@ -253,7 +280,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
> }
> spin_unlock(&conn->state_lock);
>
> - ret = conn->security->verify_response(conn, skb);
> + ret = rxrpc_verify_response(conn, skb);
> if (ret < 0)
> return ret;
>
> --
> 2.53.0
>
>
Does not apply :(
More information about the linux-afs
mailing list