From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Oleh Konko, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net 1/5] rxrpc: Fix RxGK token loading to check bounds
Date: Thu, 19 Mar 2026 15:01:41 +0000
Message-ID: <20260319150150.4189381-2-dhowells@redhat.com>
In-Reply-To: <20260319150150.4189381-1-dhowells@redhat.com>
References: <20260319150150.4189381-1-dhowells@redhat.com>

From: Oleh Konko

rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length from the XDR token as u32 values and passes each through round_up(x, 4) before using the rounded value for validation and allocation. When the raw length is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and kzalloc both use 0 while the subsequent memcpy still copies the original ~4 GiB value, producing a heap buffer overflow reachable from an unprivileged add_key() call.

Fix this by:

 (1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX.

 (2) Sizing the flexible-array allocation from the validated raw key length via struct_size_t() instead of the rounded value.

 (3) Caching the raw lengths so that the later field assignments and memcpy calls do not re-read from the token, eliminating a class of TOCTOU re-parse.

The control path (valid token with lengths within bounds) is unaffected.

Fixes: 0ca100ff4df6 ("rxrpc: Add YFS RxGK (GSSAPI) security class")
Signed-off-by: Oleh Konko
Signed-off-by: David Howells
Reviewed-by: Jeffrey Altman
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/key.c | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
index 85078114b2dd..c96e1d8f4845 100644
--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include @@ -171,7 +172,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, size_t plen; const __be32 *ticket, *key; s64 tmp; - u32 tktlen, keylen; + size_t raw_keylen, raw_tktlen, keylen, tktlen; =20 _enter(",{%x,%x,%x,%x},%x", ntohl(xdr[0]), ntohl(xdr[1]), ntohl(xdr[2]), ntohl(xdr[3]), @@ -181,18 +182,22 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_pre= parsed_payload *prep, goto reject; =20 key =3D xdr + (6 * 2 + 1); - keylen =3D ntohl(key[-1]); - _debug("keylen: %x", keylen); - keylen =3D round_up(keylen, 4); + raw_keylen =3D ntohl(key[-1]); + _debug("keylen: %zx", raw_keylen); + if (raw_keylen > AFSTOKEN_GK_KEY_MAX) + goto reject; + keylen =3D round_up(raw_keylen, 4); if ((6 * 2 + 2) * 4 + keylen > toklen) goto reject; =20 ticket =3D xdr + (6 * 2 + 1 + (keylen / 4) + 1); - tktlen =3D ntohl(ticket[-1]); - _debug("tktlen: %x", tktlen); - tktlen =3D round_up(tktlen, 4); + raw_tktlen =3D ntohl(ticket[-1]); + _debug("tktlen: %zx", raw_tktlen); + if (raw_tktlen > AFSTOKEN_GK_TOKEN_MAX) + goto reject; + tktlen =3D round_up(raw_tktlen, 4); if ((6 * 2 + 2) * 4 + keylen + tktlen !=3D toklen) { - kleave(" =3D -EKEYREJECTED [%x!=3D%x, %x,%x]", + kleave(" =3D -EKEYREJECTED [%zx!=3D%x, %zx,%zx]", (6 * 2 + 2) * 4 + keylen + tktlen, toklen, keylen, tktlen); goto reject; 
@@ -206,7 +211,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, if (!token) goto nomem; =20 - token->rxgk =3D kzalloc(sizeof(*token->rxgk) + keylen, GFP_KERNEL); + token->rxgk =3D kzalloc(struct_size_t(struct rxgk_key, _key, raw_keylen),= GFP_KERNEL); if (!token->rxgk) goto nomem_token; =20 @@ -221,9 +226,9 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, token->rxgk->enctype =3D tmp =3D xdr_dec64(xdr + 5 * 2); if (tmp < 0 || tmp > UINT_MAX) goto reject_token; - token->rxgk->key.len =3D ntohl(key[-1]); + token->rxgk->key.len =3D raw_keylen; token->rxgk->key.data =3D token->rxgk->_key; - token->rxgk->ticket.len =3D ntohl(ticket[-1]); + token->rxgk->ticket.len =3D raw_tktlen; =20 if (token->rxgk->endtime !=3D 0) { expiry =3D rxrpc_s64_to_time64(token->rxgk->endtime); 
@@ -236,8 +241,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, memcpy(token->rxgk->key.data, key, token->rxgk->key.len); =20 /* Pad the ticket so that we can use it directly in XDR */ - token->rxgk->ticket.data =3D kzalloc(round_up(token->rxgk->ticket.len, 4), - GFP_KERNEL); + token->rxgk->ticket.data =3D kzalloc(tktlen, GFP_KERNEL); if (!token->rxgk->ticket.data) goto nomem_yrxgk; memcpy(token->rxgk->ticket.data, ticket, token->rxgk->ticket.len);
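Review bot: In the @@ -181 hunk, the two new cap tests are only effective because they sit before round_up(); add a short comment above `if (raw_keylen > AFSTOKEN_GK_KEY_MAX)` saying the raw value must be bounded before it is rounded, so a later cleanup does not reorder them. The diffstat touches only net/rxrpc/key.c, so AFSTOKEN_GK_KEY_MAX and AFSTOKEN_GK_TOKEN_MAX are defined outside this patch; quoting their values in the commit message would let a reader confirm that `(6 * 2 + 2) * 4 + keylen + tktlen` cannot wrap where size_t is 32 bits.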
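Review bot: In the @@ -206 hunk, the key buffer shrinks from `sizeof(*token->rxgk) + keylen`, where keylen was rounded up to 4, to struct_size_t(struct rxgk_key, _key, raw_keylen), so up to three bytes of zeroed padding after the key disappear. Please confirm that nothing reads token->rxgk->_key beyond key.len, or keep the rounded size for the key as the ticket allocation in the last hunk still does.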
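Review bot: In the @@ -236 hunk, raw_tktlen has only an upper bound, so a zero-length ticket reaches `kzalloc(tktlen, GFP_KERNEL)` with tktlen == 0; kzalloc(0) returns ZERO_SIZE_PTR rather than NULL, which passes the `!token->rxgk->ticket.data` test and leaves ticket.data as a non-dereferenceable pointer. If an empty ticket is not a valid RxGK token, reject it next to the AFSTOKEN_GK_TOKEN_MAX check; if it is valid, a comment saying so would help.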
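The length arithmetic described in the 1/5 commit message, as an added user-space example (not kernel code and not from the patch authors): it runs the pre-patch and patched checks over a constructed token and reports the allocation size against the copy size without performing any copy. EX_GK_KEY_MAX and EX_GK_TOKEN_MAX are assumed cap values, and the function names are hypothetical.

```c
/* Added example: user-space model of the RxGK length checks, not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed caps for illustration; the real AFSTOKEN_GK_* values are not on this page. */
#define EX_GK_KEY_MAX   64u
#define EX_GK_TOKEN_MAX 16384u
#define HDR_BYTES       ((6 * 2 + 2) * 4u) /* six 64-bit fields + two length words */

struct lens { size_t key_alloc, key_copy, tkt_alloc, tkt_copy; };

/* round_up(x, 4) evaluated in u32: wraps to 0 for x >= 0xfffffffd. */
static uint32_t round_up4(uint32_t x) { return ((x - 1) | 3u) + 1; }

static uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
	p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Build a constructed, zero-filled token with the given raw lengths; 0 if it won't fit. */
size_t build_token(uint8_t *buf, size_t cap, uint32_t raw_key, uint32_t raw_tkt)
{
	uint32_t klen = round_up4(raw_key), tlen = round_up4(raw_tkt);
	size_t total = (size_t)HDR_BYTES + klen + tlen;

	if (klen > cap || tlen > cap || total > cap) return 0;
	memset(buf, 0, total);
	put_be32(buf + 12 * 4, raw_key);        /* key[-1] */
	put_be32(buf + 13 * 4 + klen, raw_tkt); /* ticket[-1] */
	return total;
}

/* Pre-patch logic: bounds and allocation use the rounded u32, the copy uses the raw length. */
int parse_old(const uint8_t *tok, uint32_t toklen, struct lens *out)
{
	uint32_t raw_key, raw_tkt, keylen, tktlen;

	if (toklen < HDR_BYTES) return -1;
	raw_key = get_be32(tok + 12 * 4);
	keylen = round_up4(raw_key);
	if (HDR_BYTES + keylen > toklen) return -1;
	/* Model-only guard so this example never reads outside its buffer. */
	if ((uint64_t)HDR_BYTES + keylen > toklen) return -1;
	raw_tkt = get_be32(tok + 13 * 4 + keylen);
	tktlen = round_up4(raw_tkt);
	if (HDR_BYTES + keylen + tktlen != toklen) return -1;
	*out = (struct lens){ keylen, raw_key, tktlen, raw_tkt };
	return 0;
}

/* Patched logic: cap the raw lengths before rounding, size the key from the raw length. */
int parse_fixed(const uint8_t *tok, uint32_t toklen, struct lens *out)
{
	size_t raw_key, raw_tkt, keylen, tktlen;

	if (toklen < HDR_BYTES) return -1;
	raw_key = get_be32(tok + 12 * 4);
	if (raw_key > EX_GK_KEY_MAX) return -1;
	keylen = (raw_key + 3) & ~(size_t)3;
	if (HDR_BYTES + keylen > toklen) return -1;
	raw_tkt = get_be32(tok + 13 * 4 + keylen);
	if (raw_tkt > EX_GK_TOKEN_MAX) return -1;
	tktlen = (raw_tkt + 3) & ~(size_t)3;
	if (HDR_BYTES + keylen + tktlen != toklen) return -1;
	*out = (struct lens){ raw_key, raw_key, tktlen, raw_tkt };
	return 0;
}

int main(void)
{
	uint8_t buf[128];
	struct lens l;
	size_t n = build_token(buf, sizeof(buf), 0xfffffffdu, 0); /* constructed input */

	if (parse_old(buf, (uint32_t)n, &l) == 0)
		printf("old:   accepted, key alloc=%zu, key copy=%zu\n",
		       l.key_alloc, l.key_copy);
	printf("fixed: %s\n", parse_fixed(buf, (uint32_t)n, &l) ? "rejected" : "accepted");
	return 0;
}
```

A token with in-range lengths is accepted by both functions, which matches the commit message's statement that the control path is unaffected.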
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Alok Tiwari, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net 2/5] rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial
Date: Thu, 19 Mar 2026 15:01:42 +0000
Message-ID: <20260319150150.4189381-3-dhowells@redhat.com>
In-Reply-To: <20260319150150.4189381-1-dhowells@redhat.com>
References: <20260319150150.4189381-1-dhowells@redhat.com>

From: Alok Tiwari

In rxrpc_post_response(), the code should be comparing the challenge serial number from the cached response before deciding to switch to a newer response, but looks at the newer packet private data instead, rendering the comparison always false.

Fix this by switching to look at the older packet.

Fixes: 5800b1cf3fd8 ("rxrpc: Allow CHALLENGEs to the passed to the app for a RESPONSE")
Signed-off-by: Alok Tiwari
Signed-off-by: David Howells
Reviewed-by: Jeffrey Altman
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/conn_event.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index 98ad9b51ca2c..2c27f47951f9 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -557,7 +557,7 @@ void rxrpc_post_response(struct rxrpc_connection *conn,= struct sk_buff *skb) spin_lock_irq(&local->lock); old =3D conn->tx_response; if (old) { - struct rxrpc_skb_priv *osp =3D rxrpc_skb(skb); + struct rxrpc_skb_priv *osp =3D rxrpc_skb(old); =20 /* Always go with the response to the most recent challenge. */ if (after(sp->resp.challenge_serial, osp->resp.challenge_serial))
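Review bot: The statement guarded by `if (after(sp->resp.challenge_serial, osp->resp.challenge_serial))` at the end of this hunk becomes reachable for the first time with this fix, since the commit message says the comparison was always false, and that statement lies outside the visible context. Please confirm that the replacement path releases `old` and leaves conn->tx_response consistent under local->lock, and consider a test that queues two RESPONSEs with increasing challenge serials.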
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Alok Tiwari, Simon Horman, Jeffrey Altman, stable@kernel.org
Subject: [PATCH net 3/5] rxrpc: Fix rack timer warning to report unexpected mode
Date: Thu, 19 Mar 2026 15:01:43 +0000
Message-ID: <20260319150150.4189381-4-dhowells@redhat.com>
In-Reply-To: <20260319150150.4189381-1-dhowells@redhat.com>
References: <20260319150150.4189381-1-dhowells@redhat.com>

From: Alok Tiwari

rxrpc_rack_timer_expired() clears call->rack_timer_mode to OFF before the switch. The default case warning therefore always prints OFF and doesn't identify the unexpected timer mode.

Log the saved mode value instead so the warning reports the actual unexpected rack timer mode.

Fixes: 7c482665931b ("rxrpc: Implement RACK/TLP to deal with transmission stalls [RFC8985]")
Signed-off-by: Alok Tiwari
Signed-off-by: David Howells
Reviewed-by: Simon Horman
Reviewed-by: Jeffrey Altman
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/input_rack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/rxrpc/input_rack.c b/net/rxrpc/input_rack.c
index 13c371261e0a..9eb109ffba56 100644
--- a/net/rxrpc/input_rack.c
+++ b/net/rxrpc/input_rack.c
@@ -413,6 +413,6 @@ void rxrpc_rack_timer_expired(struct rxrpc_call *call, = ktime_t overran_by) break; //case RXRPC_CALL_RACKTIMER_ZEROWIN: default: - pr_warn("Unexpected rack timer %u", call->rack_timer_mode); + pr_warn("Unexpected rack timer %u", mode); } }
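Review bot: The format string in `pr_warn("Unexpected rack timer %u", mode);` has no trailing "\n", so the message can be held back or merged with the next printk; since the line is being rewritten anyway, terminate it with a newline. The declaration of `mode` is outside the hunk, so please also confirm its type matches %u.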
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Anderson Nascimento, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net 4/5] rxrpc: Fix keyring reference count leak in rxrpc_setsockopt()
Date: Thu, 19 Mar 2026 15:01:44 +0000
Message-ID: <20260319150150.4189381-5-dhowells@redhat.com>
In-Reply-To: <20260319150150.4189381-1-dhowells@redhat.com>
References: <20260319150150.4189381-1-dhowells@redhat.com>

From: Anderson Nascimento

In rxrpc_setsockopt(), the code checks 'rx->key' when handling the RXRPC_SECURITY_KEYRING option. However, this appears to be a logic error. The code should be checking 'rx->securities' to determine if a keyring has already been defined for the socket.

Currently, if a user calls setsockopt(RXRPC_SECURITY_KEYRING) multiple times on the same socket, the check 'if (rx->key)' fails to block subsequent calls because 'rx->key' has not been defined by the function. This results in a reference count leak on the keyring.

This patch changes the check to 'rx->securities' to correctly identify if the socket security keyring has already been configured, returning -EINVAL on subsequent attempts.

Before the patch:

It shows the keyring reference counter elevated.

$ cat /proc/keys | grep AFSkeys1
27aca8ae I--Q--- 24469721 perm 3f010000 1000 1000 keyring AFSkeys1: empty
$

After the patch:

The keyring reference counter remains stable and subsequent calls return an error:

$ ./poc
setsockopt: Invalid argument
$

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Signed-off-by: Anderson Nascimento
Signed-off-by: David Howells
Reviewed-by: Jeffrey Altman
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/af_rxrpc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index 0f90272ac254..0b7ed99a3025 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -665,7 +665,7 @@ static int rxrpc_setsockopt(struct socket *sock, int le= vel, int optname, =20 case RXRPC_SECURITY_KEYRING: ret =3D -EINVAL; - if (rx->key) + if (rx->securities) goto error; ret =3D -EISCONN; if (rx->sk.sk_state !=3D RXRPC_UNBOUND)
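Review bot: The new `if (rx->securities)` test only prevents the leak if the check and the later assignment of the keyring run under the same lock, and the locking is not visible in this hunk. Please confirm that two concurrent setsockopt(RXRPC_SECURITY_KEYRING) calls on one socket cannot both pass the test, and consider turning the ./poc run from the commit message into a selftest so the -EINVAL on the second call stays covered.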
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Anderson Nascimento, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net 5/5] rxrpc: Fix key reference count leak from call->key
Date: Thu, 19 Mar 2026 15:01:45 +0000
Message-ID: <20260319150150.4189381-6-dhowells@redhat.com>
In-Reply-To: <20260319150150.4189381-1-dhowells@redhat.com>
References: <20260319150150.4189381-1-dhowells@redhat.com>

From: Anderson Nascimento

When creating a client call in rxrpc_alloc_client_call(), the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed.

Fix this by freeing call->key in rxrpc_destroy_call().

Before the patch, it shows the key reference counter elevated:

$ cat /proc/keys | grep afs@54321
1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka
$

After the patch, the invalidated key is removed when the code exits:

$ cat /proc/keys | grep afs@54321
$

Fixes: f3441d4125fc ("rxrpc: Copy client call parameters into rxrpc_call earlier")
Signed-off-by: Anderson Nascimento
Co-developed-by: David Howells
Signed-off-by: David Howells
Reviewed-by: Jeffrey Altman
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/call_object.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c
index 918f41d97a2f..8d874ea428ff 100644
--- a/net/rxrpc/call_object.c
+++ b/net/rxrpc/call_object.c
@@ -694,6 +694,7 @@ static void rxrpc_destroy_call(struct work_struct *work) rxrpc_put_bundle(call->bundle, rxrpc_bundle_put_call); rxrpc_put_peer(call->peer, rxrpc_peer_put_call); rxrpc_put_local(call->local, rxrpc_local_put_call); + key_put(call->key); call_rcu(&call->rcu, rxrpc_rcu_free_call); }
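Review bot: The added `key_put(call->key);` runs for every call that reaches rxrpc_destroy_call(), while the commit message names only rxrpc_alloc_client_call() as taking the reference. key_put() tolerates a NULL pointer, so calls without a key are safe, but please confirm that no other teardown path already drops call->key, which would turn the leak into a double put, and say in the commit message that the NULL case for non-client calls is intended.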