Skip to content

[ciqlts9_6] Multiple patches tested (3 commits)#1199

Closed
ciq-kernel-automation[bot] wants to merge 3 commits into
ciqlts9_6from
{shreeya_rxrpc}_ciqlts9_6
Closed

[ciqlts9_6] Multiple patches tested (3 commits)#1199
ciq-kernel-automation[bot] wants to merge 3 commits into
ciqlts9_6from
{shreeya_rxrpc}_ciqlts9_6

Conversation

@ciq-kernel-automation

@ciq-kernel-automation ciq-kernel-automation Bot commented May 8, 2026

Copy link
Copy Markdown

Local test

[rnicolescu@localhost kernel-src-tree]$ ls /etc/modprobe.d/
kvm.conf  lockd.conf  vhost.conf
[rnicolescu@localhost kernel-src-tree]$ uname -r
5.14.0-shreeya_rxrpc_esp_ciqlts9_6-887fd6ae0624+
[rnicolescu@localhost kernel-src-tree]$ git log -1 --format=%h
887fd6ae0624
[rnicolescu@localhost kernel-src-tree]$ ./dirtyfrag/exp --force-rxrpc
[  284.756718] [exp   ]     verify = -71
[  284.783778] [exp   ]     verify = -71
[  284.814666] [exp   ]     verify = -71
[  284.905563] [exp   ]     verify = -71
[  284.932479] [exp   ]     verify = -71
[  284.963910] [exp   ]     verify = -71
[  285.051691] [exp   ]     verify = -71
[  285.078785] [exp   ]     verify = -71
[  285.107755] [exp   ]     verify = -71
[  285.194580] [exp   ]     verify = -71
[  285.221950] [exp   ]     verify = -71
[  285.252023] [exp   ]     verify = -71
dirtyfrag: failed (rc=4)
[rnicolescu@localhost kernel-src-tree]$ id
uid=1000(rnicolescu) gid=1000(rnicolescu) groups=1000(rnicolescu) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

rxrpc: Fix potential UAF after skb_unshare() failure

unpub-cve DIRTY-FRAG
commit-author David Howells <dhowells@redhat.com>
commit 1f2740150f904bfa60e4bad74d65add3ccb5e7f8
upstream-diff |
	Upstream's rxrpc_input_call_event() pulls skbs from a per-call queue
	in a loop, so the unshare block sits inside that loop alongside
	rxrpc_free_skb() and saw_ack bookkeeping. This kernel's version
	receives a single skb as a function parameter and doesn't free
	it (the caller in rxrpc_io_thread() does). As such, the adapted
	unshare block wraps the existing rxrpc_input_call_packet() call
	site, creates and frees a copy when needed, and drops the loop
	and queue-drain logic that doesn't exist here.
rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets

unpub-cve DIRTY-FRAG
commit-author David Howells <dhowells@redhat.com>
commit 55b2984c96c37f909bbfe8851f13152693951382
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

unpub-cve DIRTY-FRAG
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit 544687651fe57721c5e4e76380ed8ef8fdfdc98b
upstream-diff |
	The conn_event.c hunk is dropped entirely. Upstream wraps the
	conn->security->verify_response() call inside a new
	rxrpc_verify_response() function that copies non-linear skbs before
	in-place decryption. This kernel doesn't have that wrapper; the
	security op is called directly from rxrpc_process_event(), so there
	is no call site to patch. The call_event.c hunk applies as-is.

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 31m 4s 32m 1s
aarch64 18m 19s 19m 8s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 208 41 ciqlts9_6 ✅ No regressions
aarch64 153 46 ciqlts9_6 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1453 82 ciqlts9_6 ✅ No regressions
aarch64 1426 83 ciqlts9_6 ✅ No regressions

🤖 This PR was automatically generated by GitHub Actions
Run ID: 25545614125

unpub-cve DIRTY-FRAG
commit-author David Howells <dhowells@redhat.com>
commit 1f27401
upstream-diff |
	Upstream's rxrpc_input_call_event() pulls skbs from a per-call queue
	in a loop, so the unshare block sits inside that loop alongside
	rxrpc_free_skb() and saw_ack bookkeeping. This kernel's version
	receives a single skb as a function parameter and doesn't free
	it (the caller in rxrpc_io_thread() does). As such, the adapted
	unshare block wraps the existing rxrpc_input_call_packet() call
	site, creates and frees a copy when needed, and drops the loop
	and queue-drain logic that doesn't exist here.

	Upstream already had rxrpc_skb_put_call_rx and rxrpc_skb_get_call_rx
	trace constants from a prior refactor not present in this tree.
	rxrpc_skb_put_call_rx is added here since the new skb_copy path
	needs it; rxrpc_skb_get_call_rx is omitted since nothing uses it.

	Several trace constants added by upstream (rxrpc_skb_put_purge_oob,
	rxrpc_skb_put_response, rxrpc_skb_put_response_copy) don't apply
	since the code they trace doesn't exist in this kernel.

If skb_unshare() fails to unshare a packet due to allocation failure in
rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread())
will be NULL'd out.  This will likely cause the call to
trace_rxrpc_rx_done() to oops.

Fix this by moving the unsharing down to where rxrpc_input_call_event()
calls rxrpc_input_call_packet().  There are a number of places prior to
that where we ignore DATA packets for a variety of reasons (such as the
call already being complete) for which an unshare is then avoided.

And with that, rxrpc_input_packet() doesn't need to take a pointer to the
pointer to the packet, so change that to just a pointer.

Fixes: 2d1faf7 ("rxrpc: Simplify skbuff accounting in receive path")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
	Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-4-dhowells@redhat.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 1f27401)
	Signed-off-by: Sultan Alsawaf <sultan@ciq.com>
unpub-cve DIRTY-FRAG
commit-author David Howells <dhowells@redhat.com>
commit 55b2984

Fix rxrpc_input_call_event() to only unshare DATA packets and not ACK,
ABORT, etc..

And with that, rxrpc_input_packet() doesn't need to take a pointer to the
pointer to the packet, so change that to just a pointer.

Fixes: 1f27401 ("rxrpc: Fix potential UAF after skb_unshare() failure")
Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com
	Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260423200909.3049438-2-dhowells@redhat.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 55b2984)
	Signed-off-by: Sultan Alsawaf <sultan@ciq.com>
unpub-cve DIRTY-FRAG
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit 544687651fe57721c5e4e76380ed8ef8fdfdc98b
upstream-diff |
	The conn_event.c hunk is dropped entirely. Upstream wraps the
	conn->security->verify_response() call inside a new
	rxrpc_verify_response() function that copies non-linear skbs before
	in-place decryption. This kernel doesn't have that wrapper; the
	security op is called directly from rxrpc_process_event(), so there
	is no call site to patch. The call_event.c hunk applies as-is.

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true.  An skb
that is not cloned but still carries paged fragments (skb->data_len != 0)
falls through to the in-place decryption path, which binds the frag
pages directly into the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate so that any skb with non-linear data is also copied,
ensuring the security handler always operates on a fully linear skb.
The OOM/trace handling already in place is reused.

Fixes: d0d5c0c ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
	Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
(cherry picked from commit 544687651fe57721c5e4e76380ed8ef8fdfdc98b)
	Signed-off-by: Sultan Alsawaf <sultan@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label May 8, 2026
@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/25555251848

@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ❗ PR commit a78478a68e0 (rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present) references upstream commit
    544687651fe5 which does not exist in the upstream Linux kernel.

This is an automated message from the kernel commit checker workflow.

@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit a93f576bb55 (rxrpc: Fix potential UAF after skb_unshare() failure) → upstream 1f2740150f90
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -137,7 +139,6 @@
 	EM(rxrpc_skb_new_error_report,		"NEW error-rpt") \
 	EM(rxrpc_skb_new_jumbo_subpacket,	"NEW jumbo-sub") \
 	EM(rxrpc_skb_new_unshared,		"NEW unshared ") \
-	EM(rxrpc_skb_put_call_rx,		"PUT call-rx  ") \
 	EM(rxrpc_skb_put_conn_secured,		"PUT conn-secd") \
 	EM(rxrpc_skb_put_conn_work,		"PUT conn-work") \
 	EM(rxrpc_skb_put_error_report,		"PUT error-rep") \
--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -342,27 +342,8 @@
 	if (skb && skb->mark == RXRPC_SKB_MARK_ERROR)
 		goto out;
 
-	if (skb) {
-		struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
-
-		if (sp->hdr.securityIndex != 0 &&
-		    skb_cloned(skb)) {
-			/* Unshare the packet so that it can be
-			 * modified by in-place decryption.
-			 */
-			struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
-
-			if (nskb) {
-				rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
-				rxrpc_input_call_packet(call, nskb);
-				rxrpc_free_skb(nskb, rxrpc_skb_put_call_rx);
-			} else {
-				rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
-			}
-		} else {
-			rxrpc_input_call_packet(call, skb);
-		}
-	}
+	if (skb)
+		rxrpc_input_call_packet(call, skb);
 
 	/* If we see our async-event poke, check for timeout trippage. */
 	now = ktime_get_real();

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -162,8 +162,6 @@
 	E_(rxrpc_call_poke_timer_now,		"Timer-now")
 
 #define rxrpc_skb_traces \
-	EM(rxrpc_skb_eaten_by_unshare,		"ETN unshare  ") \
-	EM(rxrpc_skb_eaten_by_unshare_nomem,	"ETN unshar-nm") \
 	EM(rxrpc_skb_get_call_rx,		"GET call-rx  ") \
 	EM(rxrpc_skb_get_conn_secured,		"GET conn-secd") \
 	EM(rxrpc_skb_get_conn_work,		"GET conn-work") \
@@ -190,6 +188,7 @@
 	EM(rxrpc_skb_put_purge,			"PUT purge    ") \
 	EM(rxrpc_skb_put_purge_oob,		"PUT purge-oob") \
 	EM(rxrpc_skb_put_response,		"PUT response ") \
+	EM(rxrpc_skb_put_response_copy,		"PUT resp-cpy ") \
 	EM(rxrpc_skb_put_rotate,		"PUT rotate   ") \
 	EM(rxrpc_skb_put_unknown,		"PUT unknown  ") \
 	EM(rxrpc_skb_see_conn_work,		"SEE conn-work") \
--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -332,7 +332,24 @@
 
 			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
 
-			rxrpc_input_call_packet(call, skb);
+			if (sp->hdr.securityIndex != 0 &&
+			    skb_cloned(skb)) {
+				/* Unshare the packet so that it can be
+				 * modified by in-place decryption.
+				 */
+				struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
+
+				if (nskb) {
+					rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
+					rxrpc_input_call_packet(call, nskb);
+					rxrpc_free_skb(nskb, rxrpc_skb_put_call_rx);
+				} else {
+					/* OOM - Drop the packet. */
+					rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
+				}
+			} else {
+				rxrpc_input_call_packet(call, skb);
+			}
 			rxrpc_free_skb(skb, rxrpc_skb_put_call_rx);
 			did_receive = true;
 		}

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -126,4 +126,5 @@
 	EM(rxrpc_skb_eaten_by_unshare,		"ETN unshare  ") \
 	EM(rxrpc_skb_eaten_by_unshare_nomem,	"ETN unshar-nm") \
+	EM(rxrpc_skb_get_call_rx,		"GET call-rx  ") \
 	EM(rxrpc_skb_get_conn_secured,		"GET conn-secd") \
 	EM(rxrpc_skb_get_conn_work,		"GET conn-work") \
--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -331,6 +329,7 @@
 
-	if (skb)
-		rxrpc_input_call_packet(call, skb);
+			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
 
-	/* If we see our async-event poke, check for timeout trippage. */
-	now = ktime_get_real();
+			rxrpc_input_call_packet(call, skb);
+			rxrpc_free_skb(skb, rxrpc_skb_put_call_rx);
+			did_receive = true;
+		}
  • ⚠️ PR commit 148184ed49d (rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets) → upstream 55b2984c96c3
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -345,8 +345,7 @@
 	if (skb) {
 		struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 
-		if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
-		    sp->hdr.securityIndex != 0 &&
+		if (sp->hdr.securityIndex != 0 &&
 		    skb_cloned(skb)) {
 			/* Unshare the packet so that it can be
 			 * modified by in-place decryption.

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -332,7 +332,8 @@
 
 			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
 
-			if (sp->hdr.securityIndex != 0 &&
+			if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
+			    sp->hdr.securityIndex != 0 &&
 			    skb_cloned(skb)) {
 				/* Unshare the packet so that it can be
 				 * modified by in-place decryption.

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -331,5 +329,7 @@
 
-		if (sp->hdr.securityIndex != 0 &&
-		    skb_cloned(skb)) {
-			/* Unshare the packet so that it can be
-			 * modified by in-place decryption.
+			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
+
+			if (sp->hdr.securityIndex != 0 &&
+			    skb_cloned(skb)) {
+				/* Unshare the packet so that it can be
+				 * modified by in-place decryption.
  • ❌ PR commit a78478a68e0 (rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present)544687651fe5
    Error: Failed to generate patch for upstream commit: Git command failed: format-patch -1 --stdout 544687651fe57721c5e4e76380ed8ef8fdfdc98b
    fatal: bad object 544687651fe57721c5e4e76380ed8ef8fdfdc98b

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/25555251848

@shreeya-patel98

Copy link
Copy Markdown
Collaborator

Closing this as we have a different branch with both fixes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

2 participants