[Devel] [PATCH vz10 3/4] ms/rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
Konstantin Khorenko
khorenko at virtuozzo.com
Wed Jun 17 23:49:07 MSK 2026
From: David Howells <dhowells at redhat.com>
Fix rxrpc_input_call_event() to only unshare DATA packets and not ACK,
ABORT, etc..
And with that, rxrpc_input_packet() doesn't need to take a pointer to the
pointer to the packet, so change that to just a pointer.
Fixes: 1f2740150f90 ("rxrpc: Fix potential UAF after skb_unshare() failure")
Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Jeffrey Altman <jaltman at auristor.com>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260423200909.3049438-2-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
(cherry picked from commit 55b2984c96c37f909bbfe8851f13152693951382)
Follow-up fix for the backported 1f2740150f90 ("rxrpc: Fix potential UAF
after skb_unshare() failure"). Cherry-pick applied cleanly, no conflicts.
https://virtuozzo.atlassian.net/browse/VSTOR-131094
Feature: fix ms/rxrpc
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
net/rxrpc/call_event.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
index cc8f9dfa44e8a..fdd683261226c 100644
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -332,7 +332,8 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
- if (sp->hdr.securityIndex != 0 &&
+ if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
+ sp->hdr.securityIndex != 0 &&
skb_cloned(skb)) {
/* Unshare the packet so that it can be
* modified by in-place decryption.
--
2.43.0
More information about the Devel
mailing list