[Devel] [PATCH RHEL10 COMMIT] ms/rxrpc: Fix conn-level packet handling to unshare RESPONSE packets

Konstantin Khorenko khorenko at virtuozzo.com
Wed Jun 17 23:50:24 MSK 2026


The commit is pushed to "branch-rh10-6.12.0-211.16.1.12.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-211.16.1.12.2.vz10
------>
commit 1c72055f83941f0a1afbf6ae8c457f708119f7f7
Author: David Howells <dhowells at redhat.com>
Date:   Wed Apr 22 17:14:33 2026 +0100

    ms/rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
    
    The security operations that verify the RESPONSE packets decrypt bits of it
    in place - however, the sk_buff may be shared with a packet sniffer, which
    would lead to the sniffer seeing an apparently corrupt packet (actually
    decrypted).
    
    Fix this by handing a copy of the packet off to the specific security
    handler if the packet was cloned.
    
    Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
    Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
    Signed-off-by: David Howells <dhowells at redhat.com>
    cc: Marc Dionne <marc.dionne at auristor.com>
    cc: Jeffrey Altman <jaltman at auristor.com>
    cc: Simon Horman <horms at kernel.org>
    cc: linux-afs at lists.infradead.org
    cc: stable at kernel.org
    Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com
    Signed-off-by: Jakub Kicinski <kuba at kernel.org>
    (cherry picked from commit 24481a7f573305706054c59e275371f8d0fe919f)
    
    Prerequisite for the CVE-2026-43500 fix aa54b1d27fe0 ("rxrpc: Also unshare
    DATA/RESPONSE packets when paged frags are present"), which extends the
    rxrpc_verify_response() gate added here.
    
    Conflict: the RESPONSE case in rxrpc_process_event() conflicted because
    mainline has an extra early "spin_lock_irq(&conn->state_lock); if (state !=
    RXRPC_CONN_SERVICE_CHALLENGING) return 0;" block before the verify call
    (from an unrelated commit not in vz10). Resolved by keeping the vz10
    structure and applying only this patch's change - replacing
    conn->security->verify_response(conn, skb) with rxrpc_verify_response(conn,
    skb). The helper itself applied cleanly.
    
    https://virtuozzo.atlassian.net/browse/VSTOR-131094
    Feature: fix ms/rxrpc
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 net/rxrpc/conn_event.c | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index 232b6986da83e..f3deed19b9fe5 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -240,6 +240,33 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call)
 		rxrpc_notify_socket(call);
 }
 
+static int rxrpc_verify_response(struct rxrpc_connection *conn,
+				 struct sk_buff *skb)
+{
+	int ret;
+
+	if (skb_cloned(skb)) {
+		/* Copy the packet if shared so that we can do in-place
+		 * decryption.
+		 */
+		struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
+
+		if (nskb) {
+			rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
+			ret = conn->security->verify_response(conn, nskb);
+			rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
+		} else {
+			/* OOM - Drop the packet. */
+			rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
+			ret = -ENOMEM;
+		}
+	} else {
+		ret = conn->security->verify_response(conn, skb);
+	}
+
+	return ret;
+}
+
 /*
  * connection-level Rx packet processor
  */
@@ -262,7 +289,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
 		return ret;
 
 	case RXRPC_PACKET_TYPE_RESPONSE:
-		ret = conn->security->verify_response(conn, skb);
+		ret = rxrpc_verify_response(conn, skb);
 		if (ret < 0)
 			return ret;
 


More information about the Devel mailing list