queue-7.0/rxrpc-fix-re-decryption-of-response-packets.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 0422e7a4883f25101903f3e8105c0808aa5f4ce9 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Thu, 23 Apr 2026 21:09:07 +0100
 Subject: rxrpc: Fix re-decryption of RESPONSE packets

 From: David Howells <dhowells@redhat.com>

 commit 0422e7a4883f25101903f3e8105c0808aa5f4ce9 upstream.

 If a RESPONSE packet gets a temporary failure during processing, it may end
 up in a partially decrypted state - and then get requeued for a retry.

 Fix this by just discarding the packet; we will send another CHALLENGE
 packet and thereby elicit a further response.  Similarly, discard an
 incoming CHALLENGE packet if we get an error whilst generating a RESPONSE;
 the server will send another CHALLENGE.

 Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
 Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com
 Signed-off-by: David Howells <dhowells@redhat.com>
 cc: Marc Dionne <marc.dionne@auristor.com>
 cc: Jeffrey Altman <jaltman@auristor.com>
 cc: Simon Horman <horms@kernel.org>
 cc: linux-afs@lists.infradead.org
 cc: stable@kernel.org
 Link: https://patch.msgid.link/20260423200909.3049438-3-dhowells@redhat.com
 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  include/trace/events/rxrpc.h |    1 -
  net/rxrpc/conn_event.c       |   14 ++------------
  2 files changed, 2 insertions(+), 13 deletions(-)

 --- a/include/trace/events/rxrpc.h
 +++ b/include/trace/events/rxrpc.h
 @@ -285,7 +285,6 @@
  	EM(rxrpc_conn_put_unidle,		"PUT unidle  ") \
  	EM(rxrpc_conn_put_work,			"PUT work    ") \
  	EM(rxrpc_conn_queue_challenge,		"QUE chall   ") \
 -	EM(rxrpc_conn_queue_retry_work,		"QUE retry-wk") \
  	EM(rxrpc_conn_queue_rx_work,		"QUE rx-work ") \
  	EM(rxrpc_conn_see_new_service_conn,	"SEE new-svc ") \
  	EM(rxrpc_conn_see_reap_service,		"SEE reap-svc") \
 --- a/net/rxrpc/conn_event.c
 +++ b/net/rxrpc/conn_event.c
 @@ -389,7 +389,6 @@ again:
  static void rxrpc_do_process_connection(struct rxrpc_connection *conn)
  {
  	struct sk_buff *skb;
 -	int ret;

  	if (test_and_clear_bit(RXRPC_CONN_EV_CHALLENGE, &conn->events))
  		rxrpc_secure_connection(conn);
 @@ -398,17 +397,8 @@ static void rxrpc_do_process_connection(
  	 * connection that each one has when we've finished with it */
  	while ((skb = skb_dequeue(&conn->rx_queue))) {
  		rxrpc_see_skb(skb, rxrpc_skb_see_conn_work);
 -		ret = rxrpc_process_event(conn, skb);
 -		switch (ret) {
 -		case -ENOMEM:
 -		case -EAGAIN:
 -			skb_queue_head(&conn->rx_queue, skb);
 -			rxrpc_queue_conn(conn, rxrpc_conn_queue_retry_work);
 -			break;
 -		default:
 -			rxrpc_free_skb(skb, rxrpc_skb_put_conn_work);
 -			break;
 -		}
 +		rxrpc_process_event(conn, skb);
 +		rxrpc_free_skb(skb, rxrpc_skb_put_conn_work);
  	}
  }
	From 0422e7a4883f25101903f3e8105c0808aa5f4ce9 Mon Sep 17 00:00:00 2001
	From: David Howells <dhowells@redhat.com>
	Date: Thu, 23 Apr 2026 21:09:07 +0100
	Subject: rxrpc: Fix re-decryption of RESPONSE packets

	From: David Howells <dhowells@redhat.com>

	commit 0422e7a4883f25101903f3e8105c0808aa5f4ce9 upstream.

	If a RESPONSE packet gets a temporary failure during processing, it may end
	up in a partially decrypted state - and then get requeued for a retry.

	Fix this by just discarding the packet; we will send another CHALLENGE
	packet and thereby elicit a further response. Similarly, discard an
	incoming CHALLENGE packet if we get an error whilst generating a RESPONSE;
	the server will send another CHALLENGE.

	Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
	Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com
	Signed-off-by: David Howells <dhowells@redhat.com>
	cc: Marc Dionne <marc.dionne@auristor.com>
	cc: Jeffrey Altman <jaltman@auristor.com>
	cc: Simon Horman <horms@kernel.org>
	cc: linux-afs@lists.infradead.org
	cc: stable@kernel.org
	Link: https://patch.msgid.link/20260423200909.3049438-3-dhowells@redhat.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	include/trace/events/rxrpc.h \| 1 -
	net/rxrpc/conn_event.c \| 14 ++------------
	2 files changed, 2 insertions(+), 13 deletions(-)

	--- a/include/trace/events/rxrpc.h
	+++ b/include/trace/events/rxrpc.h
	@@ -285,7 +285,6 @@
	EM(rxrpc_conn_put_unidle, "PUT unidle ") \
	EM(rxrpc_conn_put_work, "PUT work ") \
	EM(rxrpc_conn_queue_challenge, "QUE chall ") \
	- EM(rxrpc_conn_queue_retry_work, "QUE retry-wk") \
	EM(rxrpc_conn_queue_rx_work, "QUE rx-work ") \
	EM(rxrpc_conn_see_new_service_conn, "SEE new-svc ") \
	EM(rxrpc_conn_see_reap_service, "SEE reap-svc") \
	--- a/net/rxrpc/conn_event.c
	+++ b/net/rxrpc/conn_event.c
	@@ -389,7 +389,6 @@ again:
	static void rxrpc_do_process_connection(struct rxrpc_connection *conn)
	{
	struct sk_buff *skb;
	- int ret;

	if (test_and_clear_bit(RXRPC_CONN_EV_CHALLENGE, &conn->events))
	rxrpc_secure_connection(conn);
	@@ -398,17 +397,8 @@ static void rxrpc_do_process_connection(
	* connection that each one has when we've finished with it */
	while ((skb = skb_dequeue(&conn->rx_queue))) {
	rxrpc_see_skb(skb, rxrpc_skb_see_conn_work);
	- ret = rxrpc_process_event(conn, skb);
	- switch (ret) {
	- case -ENOMEM:
	- case -EAGAIN:
	- skb_queue_head(&conn->rx_queue, skb);
	- rxrpc_queue_conn(conn, rxrpc_conn_queue_retry_work);
	- break;
	- default:
	- rxrpc_free_skb(skb, rxrpc_skb_put_conn_work);
	- break;
	- }
	+ rxrpc_process_event(conn, skb);
	+ rxrpc_free_skb(skb, rxrpc_skb_put_conn_work);
	}
	}