[Devel] [PATCH vz10 3/4] ms/rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets

Konstantin Khorenko khorenko at virtuozzo.com
Wed Jun 17 23:49:07 MSK 2026


From: David Howells <dhowells at redhat.com>

Fix rxrpc_input_call_event() to only unshare DATA packets and not ACK,
ABORT, etc..

And with that, rxrpc_input_packet() doesn't need to take a pointer to the
pointer to the packet, so change that to just a pointer.

Fixes: 1f2740150f90 ("rxrpc: Fix potential UAF after skb_unshare() failure")
Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Jeffrey Altman <jaltman at auristor.com>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260423200909.3049438-2-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
(cherry picked from commit 55b2984c96c37f909bbfe8851f13152693951382)

Follow-up fix for the backported 1f2740150f90 ("rxrpc: Fix potential UAF
after skb_unshare() failure"). Cherry-pick applied cleanly, no conflicts.

https://virtuozzo.atlassian.net/browse/VSTOR-131094
Feature: fix ms/rxrpc
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 net/rxrpc/call_event.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
index cc8f9dfa44e8a..fdd683261226c 100644
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -332,7 +332,8 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
 
 			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
 
-			if (sp->hdr.securityIndex != 0 &&
+			if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
+			    sp->hdr.securityIndex != 0 &&
 			    skb_cloned(skb)) {
 				/* Unshare the packet so that it can be
 				 * modified by in-place decryption.
-- 
2.43.0



More information about the Devel mailing list