[Deepin-Kernel-SIG] [linux 6.6-y] [FROMLIST] Sync rxrpc fixes from upstream and maillist

[opsiff]

CVE-2026-43284: #1673
Link: #1671
Link: https://dirtyfrag.io/
Link: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4
Link: https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/
Link: https://github.com/V4bel/dirtyfrag/blob/master/exp.c
Link: https://seclists.org/oss-sec/2026/q2/434
Link: V4bel/dirtyfrag#14
Link: https://afflicted.sh/blog/posts/copy-fail-2.html
Link: https://almalinux.org/blog/2026-05-07-dirty-frag/
Link: https://www.phoronix.com/news/Dirty-Frag-Linux

Summary by Sourcery

Sync upstream rxrpc security fixes to harden in-place decryption and response verification against malformed or shared SKBs, addressing the dirty frag vulnerability path.

Bug Fixes:

• Clamp rxkad encrypted payload lengths to 8-byte alignment and abort connections on crypto errors instead of returning generic failures.
• Fix rxkad response verification to consistently propagate error codes, properly initialize ticket pointers, and avoid treating protocol errors as transient.
• Ensure response and data packet decryption operates on unshared SKBs by copying or unsharing as needed, preventing unsafe in-place modification of shared or non-linear buffers.
• Simplify connection event processing to stop requeuing packets on ENOMEM/EAGAIN and always free processed SKBs, avoiding inconsistent retry behavior.

Enhancements:

• Refine RXRPC skb tracing enums to remove unused events and add coverage for unshare OOM cases and new crypto abort reasons.
• Clean up rxrpc input path by removing the generic eaten-skb helper and related tracepoints in favor of more direct skb lifecycle tracking.

[sourcery-ai]

Reviewer's Guide

Syncs upstream rxrpc/rxkad fixes related to Dirty Frag: enforces 8‑byte alignment before rxkad v2 decryption, tightens crypto error handling, reworks response verification and RX path to only decrypt on unshared SKBs, simplifies connection work retry logic, and updates rxrpc tracing and helpers accordingly.

Sequence diagram for rxrpc_verify_response handling cloned or nonlinear SKBs

sequenceDiagram
    participant Conn as rxrpc_connection
    participant ProcessEvent as rxrpc_process_event
    participant VerifyWrapper as rxrpc_verify_response
    participant SecOps as security_verify_response
    participant SKB as sk_buff

    ProcessEvent->>VerifyWrapper: rxrpc_verify_response(conn, skb)
    alt skb_cloned(skb) or skb_is_nonlinear(skb)
        VerifyWrapper->>VerifyWrapper: skb_copy(skb, GFP_NOFS)
        alt nskb allocated
            VerifyWrapper->>VerifyWrapper: rxrpc_new_skb(nskb, rxrpc_skb_new_unshared)
            VerifyWrapper->>SecOps: conn->security->verify_response(conn, nskb)
            SecOps-->>VerifyWrapper: ret
            VerifyWrapper->>VerifyWrapper: rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy)
        else nskb allocation failed
            VerifyWrapper->>VerifyWrapper: rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem)
            VerifyWrapper-->>ProcessEvent: ret = -ENOMEM
        end
    else skb exclusively owned and linear
        VerifyWrapper->>SecOps: conn->security->verify_response(conn, skb)
        SecOps-->>VerifyWrapper: ret
    end
    VerifyWrapper-->>ProcessEvent: ret

Loading

Sequence diagram for rxrpc_input_call_event handling encrypted data SKBs

sequenceDiagram
    participant Call as rxrpc_call
    participant InputEvent as rxrpc_input_call_event
    participant InputPkt as rxrpc_input_call_packet
    participant SKB as sk_buff

    InputEvent->>InputEvent: determine resend flag
    alt skb is not NULL
        InputEvent->>InputEvent: sp = rxrpc_skb(skb)
        alt encrypted data and (skb_cloned or skb_is_nonlinear)
            InputEvent->>InputEvent: skb_copy(skb, GFP_ATOMIC) as nskb
            alt nskb allocated
                InputEvent->>InputEvent: rxrpc_new_skb(nskb, rxrpc_skb_new_unshared)
                InputEvent->>InputPkt: rxrpc_input_call_packet(call, nskb)
                InputPkt-->>InputEvent: return
                InputEvent->>InputEvent: rxrpc_free_skb(nskb, rxrpc_skb_put_input)
            else OOM
                InputEvent->>InputEvent: rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem)
                InputEvent-->>Call: drop packet
            end
        else not encrypted data or already unshared
            InputEvent->>InputPkt: rxrpc_input_call_packet(call, skb)
            InputPkt-->>InputEvent: return
        end
    end
    InputEvent->>InputEvent: rxrpc_transmit_some_data(call)

Loading

Class diagram for updated rxrpc rxkad verification and SKB utilities

classDiagram
    class rxrpc_connection {
        +struct rxrpc_security *security
        +struct rxkad_proto rxkad
        +u32 security_level
        +int state
        +struct sk_buff_head rx_queue
        +int channels_call_counter[RXRPC_MAXCALLS]
    }

    class rxrpc_security {
        <<interface>>
        +int verify_response(struct rxrpc_connection *conn, struct sk_buff *skb)
    }

    class rxkad_security {
        +int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb, struct rxrpc_skb_priv *sp)
        +int rxkad_verify_response(struct rxrpc_connection *conn, struct sk_buff *skb)
        +int rxkad_decrypt_ticket(struct rxrpc_connection *conn, struct key *server_key, struct sk_buff *skb, void *ticket, u32 ticket_len, struct rxrpc_crypt *session_key, time64_t *expiry)
        +int rxkad_decrypt_response(struct rxrpc_connection *conn, struct rxkad_response *response, struct rxrpc_crypt *session_key)
    }

    class rxrpc_call {
        +struct rxrpc_connection *conn
        +u32 security_level
        +void rxrpc_transmit_some_data(struct rxrpc_call *call)
    }

    class sk_buff_utils {
        +void rxrpc_new_skb(struct sk_buff *skb, enum rxrpc_skb_trace why)
        +void rxrpc_see_skb(struct sk_buff *skb, enum rxrpc_skb_trace why)
        +void rxrpc_get_skb(struct sk_buff *skb, enum rxrpc_skb_trace why)
        +void rxrpc_free_skb(struct sk_buff *skb, enum rxrpc_skb_trace why)
    }

    class rxrpc_conn_event_c {
        +int rxrpc_verify_response(struct rxrpc_connection *conn, struct sk_buff *skb)
        +int rxrpc_process_event(struct rxrpc_connection *conn, struct sk_buff *skb)
        +void rxrpc_do_process_connection(struct rxrpc_connection *conn)
    }

    class rxrpc_call_event_c {
        +bool rxrpc_input_call_event(struct rxrpc_call *call, struct sk_buff *skb)
        +void rxrpc_input_call_packet(struct rxrpc_call *call, struct sk_buff *skb)
    }

    class rxrpc_io_thread_c {
        +bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff *skb)
        +int rxrpc_io_thread(void *data)
    }

    class rxrpc_trace_events_h {
        +enum rxrpc_abort_reason rxkad_abort_2_crypto_unaligned
        +enum rxrpc_skb_trace rxrpc_skb_see_unshare_nomem
    }

    rxrpc_security <|.. rxkad_security
    rxrpc_connection --> rxrpc_security : security
    rxrpc_connection --> rxrpc_conn_event_c : uses
    rxrpc_call --> rxrpc_call_event_c : uses
    rxrpc_io_thread_c --> rxrpc_connection : locates
    rxrpc_conn_event_c --> sk_buff_utils : manages_skb
    rxrpc_call_event_c --> sk_buff_utils : manages_skb
    rxkad_security --> rxrpc_trace_events_h : uses_traces
    rxrpc_conn_event_c --> rxkad_security : verify_response

Loading

File-Level Changes

Change	Details	Files
Harden rxkad v2 packet decryption against misaligned lengths and crypto errors.	Before decrypting, round down the encrypted data length to an 8‑byte boundary to avoid feeding misaligned lengths into the crypto algorithm. Change rxkad_verify_packet_2 error handling to treat -ENOMEM as a transient error but map all other crypto failures to a protocol abort with a new rxkad_abort_2_crypto_unaligned abort reason instead of just WARN_ON and returning the raw error.	net/rxrpc/rxkad.c include/trace/events/rxrpc.h
Unify and tighten rxkad response verification error handling.	Initialize the ticket pointer to NULL and collapse multiple protocol/temporary error labels into a single error path that frees ticket/response and drops the key reference consistently. Replace direct -EPROTO returns with the return value of rxrpc_abort_conn, so aborts propagate their specific error codes instead of always -EPROTO. Treat all failures (including decryption and ENOMEM) uniformly via the common error label and return the actual error code, updating tracing with _leave(" = %d", ret).	net/rxrpc/rxkad.c
Ensure conn-level response decryption only operates on unshared SKBs and simplify connection work processing.	Introduce rxrpc_verify_response in conn_event.c to copy the skb (with skb_copy, GFP_NOFS) when it is cloned or non-linear before calling security->verify_response, tagging and freeing the copy with rxrpc_new_skb/rxrpc_free_skb; on OOM, drop the original skb with a specific trace and return -ENOMEM. Change rxrpc_process_event to call rxrpc_verify_response instead of conn->security->verify_response directly. Simplify rxrpc_do_process_connection to ignore rxrpc_process_event return codes, always free the skb, and remove the previous logic that requeued SKBs and scheduled retry work on -ENOMEM/-EAGAIN, along with the associated rxrpc_conn_queue_retry_work tracepoint.	net/rxrpc/conn_event.c include/trace/events/rxrpc.h
Move packet unsharing for in-place data decryption from the UDP RX path into call/conn handling and adjust SKB lifetime/tracing.	In rxrpc_input_call_event, when a secured DATA packet arrives on a cloned or non-linear skb, create an unshared copy with skb_copy(GFP_ATOMIC), mark it as unshared via rxrpc_new_skb, process it with rxrpc_input_call_packet, then free it; on OOM, drop the original with a new rxrpc_skb_see_unshare_nomem trace. Simplify rxrpc_input_packet in io_thread.c to accept a single skb pointer and remove the securityIndex-based skb_unshare logic and *_skb indirection; callers now pass the original skb and handle unsharing elsewhere. Adjust rxrpc_io_thread to call the new rxrpc_input_packet signature and rely on rxrpc_input_packet and higher layers for SKB ownership and unsharing semantics. Drop the rxrpc_eaten_skb helper and corresponding trace events rxrpc_skb_eaten_by_unshare/_nomem, replacing them with the new SEE-unshare-nomem tracepoint for OOM drops.	net/rxrpc/call_event.c net/rxrpc/io_thread.c net/rxrpc/skbuff.c include/trace/events/rxrpc.h net/rxrpc/ar-internal.h

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• The new skb unsharing/copying logic for encrypted packets is now implemented in multiple places (rxrpc_verify_response() in conn_event.c and the RXRPC_PACKET_TYPE_DATA path in call_event.c); consider factoring this into a shared helper to keep the in-place decryption preconditions consistent and reduce duplication.
• rxrpc_do_process_connection() now ignores the return value from rxrpc_process_event() and always frees the skb, changing the previous ENOMEM/EAGAIN retry semantics; double-check that no callers still rely on connection-level packet retries and, if not, consider a short comment explaining the intentional drop-on-error behavior.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The new skb unsharing/copying logic for encrypted packets is now implemented in multiple places (rxrpc_verify_response() in conn_event.c and the RXRPC_PACKET_TYPE_DATA path in call_event.c); consider factoring this into a shared helper to keep the in-place decryption preconditions consistent and reduce duplication.
- rxrpc_do_process_connection() now ignores the return value from rxrpc_process_event() and always frees the skb, changing the previous ENOMEM/EAGAIN retry semantics; double-check that no callers still rely on connection-level packet retries and, if not, consider a short comment explaining the intentional drop-on-error behavior.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[opsiff]

/fix
2026-05-08T08:03:49.3210876Z net/rxrpc/conn_event.c: In function ‘rxrpc_verify_response’:
2026-05-08T08:03:49.3250655Z net/rxrpc/conn_event.c:243:46: error: ‘rxrpc_skb_put_response_copy’ undeclared (first use in this function); did you mean ‘rxrpc_skb_put_conn_work’?
2026-05-08T08:03:49.3280780Z 243 | rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
2026-05-08T08:03:49.3319740Z | ^~~~~~~~~~~~~~~~~~~~~~~~~~~
2026-05-08T08:03:49.3359902Z | rxrpc_skb_put_conn_work
caused by
https://lore.kernel.org/stable/20260503143317.1089945-1-sashal@kernel.org/#R

[Avenger-285714]

/approve

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Avenger-285714

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• deepin/OWNERS [Avenger-285714]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Copilot]

Pull request overview

Syncs upstream RxRPC (rxkad) hardening and fixes related to Dirty-Frag-style shared-SKB handling, tightening crypto error handling and skb lifecycle/trace reporting in the RxRPC receive path.

Changes:

• Harden rxkad packet/response verification (length alignment, crypto-error abort behavior, and consistent error propagation/cleanup).
• Refactor RxRPC receive processing to avoid in-place modification of shared/cloned/frag-list/shared-frag SKBs by copying where needed, and simplify connection workqueue skb handling.
• Update RxRPC skb tracing: remove unused “eaten” events, add events for response-copy frees and unshare-OOM visibility, and adjust connection queue trace enums.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
net/rxrpc/skbuff.c	Removes rxrpc_eaten_skb() accounting hook as part of trace/lifecycle simplification.
net/rxrpc/rxkad.c	Adds 8-byte length alignment for level-2 decrypt, improves crypto error handling, and refactors response verification error paths.
net/rxrpc/io_thread.c	Simplifies rxrpc_input_packet() interface and removes the earlier unshare step (unsharing/copying handled later).
net/rxrpc/conn_event.c	Adds rxrpc_verify_response() wrapper to copy shared SKBs before security verification; simplifies conn rx-queue processing to always free processed SKBs.
net/rxrpc/call_event.c	Copies shared/cloned DATA SKBs before call processing to support safe in-place decryption.
net/rxrpc/ar-internal.h	Removes prototype for deleted rxrpc_eaten_skb().
include/trace/events/rxrpc.h	Updates trace enums: adds new rxkad abort reason and skb trace reasons; removes unused retry/eaten events.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.