From nobody Mon Mar 23 19:50:50 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7FBBC3B27F3 for ; Mon, 23 Mar 2026 15:05:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278333; cv=none; b=GJy2TovoXNOmdjTSAYku046u+1Mg4WVV4JIKyKANvaO5M+W9Mqcga28jLOEm7EfVpHPqbS9Fht78RZN2Agx1iEaFXhpah8GcfejKFfSGNufxxwIhNXXrMbB0wgFbpMEYFAwpVwoK0qqyyrDoqkgcJkgErPvD71vZjTK3il+BjmA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278333; c=relaxed/simple; bh=lb0GZ4LjZYME6LIEZSDsoau/6K8K5XJGRSMiunj2zEc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=sa4RzT3jok/0VOGEyByLTD7fK/okNjoSCRbq3ASorLNO+t0VkpuIKWHFgrJNe8e9YXG/NOpzn5eFUaKKN4mRsngr4Rz5dTmN3zROUM+8TCFBnVAG5FAHvvQhCv2bxHVTDS2Ybd97gM0AA1ZHmx00AshZUYzwuP8i+Ka8JlpBK6w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=SRwRiFOz; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="SRwRiFOz" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774278331; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=hXfYTLAZKbXpNf47trMTcMM/l7RhE1yxWdNYJ5ar7ck=; b=SRwRiFOzxT2Cm1edTsW6sMJFHsxPxs741oNqPbMewGCgDgBOkW40EnHHH8huvV18GTUUrt xxbnm0KLByW3SJhxOcTnwWCAiiXfCt3jAbwIDD5ImlPnq8JLOxhmYik6grj5WVklgCnbpA Blb2le9GkML9Lr228HPAo9933O92gAE= Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-512-AAV2VAlYOV63wbBF7DsDzQ-1; Mon, 23 Mar 2026 11:05:27 -0400 X-MC-Unique: AAV2VAlYOV63wbBF7DsDzQ-1 X-Mimecast-MFC-AGG-ID: AAV2VAlYOV63wbBF7DsDzQ_1774278320 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id BB9571944EB9; Mon, 23 Mar 2026 15:05:19 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id E3DC41955F21; Mon, 23 Mar 2026 15:05:15 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v2 01/10] rxrpc: Fix key quota calculation for multitoken keys Date: Mon, 23 Mar 2026 15:04:52 +0000 Message-ID: <20260323150505.3513839-2-dhowells@redhat.com> In-Reply-To: <20260323150505.3513839-1-dhowells@redhat.com> References: <20260323150505.3513839-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Content-Type: text/plain; charset="utf-8" In the rxrpc key preparsing, every token extracted sets the proposed quota value, but for multitoken keys, this will overwrite the previous proposed quota, losing it. Fix this by adding to the proposed quota instead. Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing") Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40= redhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/key.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index 85078114b2dd..af403f0ccab5 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -72,7 +72,7 @@ static int rxrpc_preparse_xdr_rxkad(struct key_preparsed_= payload *prep, return -EKEYREJECTED; =20 plen =3D sizeof(*token) + sizeof(*token->kad) + tktlen; - prep->quotalen =3D datalen + plen; + prep->quotalen +=3D datalen + plen; =20 plen -=3D sizeof(*token); token =3D kzalloc_obj(*token); @@ -199,7 +199,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, } =20 plen =3D sizeof(*token) + sizeof(*token->rxgk) + tktlen + keylen; - prep->quotalen =3D datalen + plen; + prep->quotalen +=3D datalen + plen; =20 plen -=3D sizeof(*token); token =3D kzalloc_obj(*token); @@ -460,6 +460,7 @@ static int rxrpc_preparse(struct key_preparsed_payload = *prep) memcpy(&kver, prep->data, sizeof(kver)); prep->data +=3D sizeof(kver); prep->datalen -=3D sizeof(kver); + prep->quotalen =3D 0; =20 _debug("KEY I/F VERSION: %u", kver); =20 @@ -497,7 +498,7 @@ static int rxrpc_preparse(struct key_preparsed_payload = *prep) goto error; =20 plen =3D sizeof(*token->kad) + v1->ticket_length; - prep->quotalen =3D plen + sizeof(*token); + prep->quotalen +=3D plen + sizeof(*token); =20 ret =3D -ENOMEM; token =3D kzalloc_obj(*token); From nobody Mon Mar 23 19:50:50 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DE84B3B38A5 for ; Mon, 23 Mar 2026 15:05:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278336; cv=none; b=YoOtqhZIuVajplr0v1CeJcElKWUeknIzObdE9EyqQqh31wEv2PRCbdyvREzal8ikmHJz41/oTyAHApVpYV/nAugc17un3ahT7MHp5XUk2TZGI+5aibEs7dvDesyuYsxteS5OCCYFCyeWqd5X9p8YixxqcL+dDqlqdGI5CMAlUwg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278336; c=relaxed/simple; bh=lNi53xaZ2dGL9nGQo2Q5PUubxeSgR378CvFt6gObZgc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=DH/iAaa476xte2iwE4iD2pFA3JtSdeHX/VxbNFIq/YYqVuZQnPkxpiv0KNL2N4ZA2QYpSt7pNSKi2FH3lidYZHwGil9VcGV9O9+BoyPUjhKIxH0mqWf9AHeDOZ3T5L/OuJh1v6dD/jUD+vMby6nvO4Zgq6Cg0e9MCgosqX1Y6/E= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=TjQuIX8u; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="TjQuIX8u" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774278334; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=YaIw1S56HP9C94n6EHAzBdJx0jJ6g47etF8yPJICPVc=; b=TjQuIX8ubP/TLSCYDA8ZIbtp2dw+lxYFfLZD+JQppJ+DGdOpQV29VT5tKbAlDA8ikwaBKj V5bXRC8axsAmlL110nyy7Aku9BbVFw36cNKKI1FvM6Ck07mKWEobOiJfx/Ei1ySkW42WL2 bIFtCUAWEKZUxGg17w7g61MA+wRytYY= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-175-FU9qcOY5NciB73N_CMT9-A-1; Mon, 23 Mar 2026 11:05:28 -0400 X-MC-Unique: FU9qcOY5NciB73N_CMT9-A-1 X-Mimecast-MFC-AGG-ID: FU9qcOY5NciB73N_CMT9-A_1774278325 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 5A3B419560BF; Mon, 23 Mar 2026 15:05:25 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 6CE8A180075D; Mon, 23 Mar 2026 15:05:21 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v2 02/10] rxrpc: Fix key parsing memleak Date: Mon, 23 Mar 2026 15:04:53 +0000 Message-ID: <20260323150505.3513839-3-dhowells@redhat.com> In-Reply-To: <20260323150505.3513839-1-dhowells@redhat.com> References: <20260323150505.3513839-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Content-Type: text/plain; charset="utf-8" In rxrpc_preparse_xdr_yfs_rxgk(), the memory attached to token->rxgk can be leaked in a few error paths after it's allocated. Fix this by freeing it in the "reject_token:" case. Fixes: 0ca100ff4df6 ("rxrpc: Add YFS RxGK (GSSAPI) security class") Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40= redhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/key.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index af403f0ccab5..26d4336a4a02 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -274,6 +274,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, nomem: return -ENOMEM; reject_token: + kfree(token->rxgk); kfree(token); reject: return -EKEYREJECTED; From nobody Mon Mar 23 19:50:50 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 961713B777F for ; Mon, 23 Mar 2026 15:05:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278338; cv=none; b=dzbles7fN+qv4bogchqzZKqKqX/tDmgC5iMVUUVeY6quu83PB5USzG5tSd+YClg+/dK44c3NEYA9cjUA6/Gtv3ukw4ohF5tzAsHSpsLzNUiEokmOGqpXlQ1PbHheT9qRhInl5R2QYQK6FTlqcTo60lItsBWTUZ6PEUKZyemtUr8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278338; c=relaxed/simple; bh=GTDitVkkmcP3pmQfGjjQNmdx/6Cfdn8ljMrl4GlS00k=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=rTtKjPApQfweXuZ5RHbGy5X2+kMYx1E/CyoUyiDjBykQS3MhFOLTaYpQEWUAvFXvxZJZYT4+RJ0e0gkHPXLXld4i/MtNc8PtXDIvDfB+5GvJy6Mve7A6NpSzyAKkRJ4s6m6rks1rioFQ+pZ44YzyqLfy9Quj2jZ+CPWPShRdYDc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=DrgYcs+Y; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="DrgYcs+Y" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774278336; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=P4apLx2lQf8nhrvynIjV3RMW+ZpNX1GtOZdWeDq74IM=; b=DrgYcs+Yz4jbj5W5JS65el86SaqajXPSvGEH5WRoUQl0jp3BPOtf0hJQ3JseN1FebXSGh6 xoBl36y+iduMp+0X0PhcvVDsO+wUYt0x0DxLRzwy8dwUyBhyaCgwH4EmEq8E96KrgZO1KX 2o6YE+LELHTCXIkpxwS6sPQrkJVIT6o= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-138-51-jujjcPG6s_inS8sUmbw-1; Mon, 23 Mar 2026 11:05:32 -0400 X-MC-Unique: 51-jujjcPG6s_inS8sUmbw-1 X-Mimecast-MFC-AGG-ID: 51-jujjcPG6s_inS8sUmbw_1774278331 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 742CC18002D7; Mon, 23 Mar 2026 15:05:30 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 0D0441955F21; Mon, 23 Mar 2026 15:05:26 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v2 03/10] rxrpc: Fix anonymous key handling Date: Mon, 23 Mar 2026 15:04:54 +0000 Message-ID: <20260323150505.3513839-4-dhowells@redhat.com> In-Reply-To: <20260323150505.3513839-1-dhowells@redhat.com> References: <20260323150505.3513839-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Content-Type: text/plain; charset="utf-8" In rxrpc_new_client_call_for_sendmsg(), a key with no payload is meant to be substituted for a NULL key pointer, but the variable this is done with is subsequently not used. Fix this by using "key" rather than "rx->key" when filling in the connection parameters. Note that this only affects direct use of AF_RXRPC; the kAFS filesystem doesn't use sendmsg() directly and so bypasses the issue. Further, AF_RXRPC passes a NULL key in if no key is set, so using an anonymous key in that manner works. Since this hasn't been noticed to this point, it might be better just to remove the "key" variable and the code that sets it - and, arguably, rxrpc_init_client_call_security() would be a better place to handle it. Fixes: 19ffa01c9c45 ("rxrpc: Use structs to hold connection params and prot= ocol info") Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40= redhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/sendmsg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c index 04f9c5f2dc24..c35de4fd75e3 100644 --- a/net/rxrpc/sendmsg.c +++ b/net/rxrpc/sendmsg.c @@ -637,7 +637,7 @@ rxrpc_new_client_call_for_sendmsg(struct rxrpc_sock *rx= , struct msghdr *msg, memset(&cp, 0, sizeof(cp)); cp.local =3D rx->local; cp.peer =3D peer; - cp.key =3D rx->key; + cp.key =3D key; cp.security_level =3D rx->min_sec_level; cp.exclusive =3D rx->exclusive | p->exclusive; cp.upgrade =3D p->upgrade; From nobody Mon Mar 23 19:50:50 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E313926CE2C for ; Mon, 23 Mar 2026 15:05:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278345; cv=none; b=O4YKhokd4LlbqOEX+CLzl7a9HXXb0/G95V2ueuD8+JkQHp2ieL4mOD8jH8gfnk3upyhNMBwFjfqqulxtGYB+fr57OmfzGLrhllniEvfXjwQBAHqZc1LwTK9T+qjQsIBledTPaSKkxKFGfjEgI/qUoAUt+QOSyNRNIZ/Ya9NOwec= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278345; c=relaxed/simple; bh=n0iPo2pDZQX9XRo48GkCor41ZVjHORjsiDeF+v5aYvg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=KXFBSr5Dm/jlJ0DntTSnTshIM0czSu9cjyRnQht0EMMB7J+ue8LRaWS0aXHfbj8iKPHxaWgIcWcw0S7uZOlxLXyJR9qmaf2FRt5xgYRg1OBewVHWfVBeah4j0Z+tzs76yFLobrY9UOw7u45dKP6g7xtXX5zuX4tKKVUnKnOJyyQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=U/+JWtiO; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="U/+JWtiO" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774278343; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=v8irQRHfFWnEfG6qljHMonM0AVFnFCevGipBEnTRuQk=; b=U/+JWtiO1xka+2UBeMxZJbr1Mum12VEhwsIJ8y+y4ahJje/oh/kWsoC+6B675n8B1hSqC2 VD1k57pl+yslpa50t2mipajg3zDW/ZKYKFELKrtQLyOGwXa91YF95lDiItd59m39AG5Hk2 dTCVqxYVLUsaYB294Pe/Nvv/UzeoIX8= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-50-1PmYBqROPYW4-KZDozPj9w-1; Mon, 23 Mar 2026 11:05:39 -0400 X-MC-Unique: 1PmYBqROPYW4-KZDozPj9w-1 X-Mimecast-MFC-AGG-ID: 1PmYBqROPYW4-KZDozPj9w_1774278337 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 08B6E180049D; Mon, 23 Mar 2026 15:05:37 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 27DB71955F2E; Mon, 23 Mar 2026 15:05:31 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Mathieu Desnoyers , John Johansen , Simon Horman , apparmor@lists.ubuntu.com, stable@kernel.org Subject: [PATCH net v2 04/10] list: Move on_list_rcu() to list.h and add on_list() also Date: Mon, 23 Mar 2026 15:04:55 +0000 Message-ID: <20260323150505.3513839-5-dhowells@redhat.com> In-Reply-To: <20260323150505.3513839-1-dhowells@redhat.com> References: <20260323150505.3513839-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Content-Type: text/plain; charset="utf-8" Unfortunately, list_empty() is not usable with an entry that has been removed from a list with list_del_rcu() as ->next must be left pointing at the following entry so as not to break traversal under RCU. Solve this by moving on_list_rcu() from AppArmor to linux/list.h, and turning it into an inline function. Also add an on_list() counterpart (functionally, this is just an antonym for list_empty()), but the name looks less awkward when applied to a non-head element. We probably don't want to use on_list_rcu() generally because it requires an extra check as ->prev is set differently in the two cases. Signed-off-by: David Howells cc: Mathieu Desnoyers cc: John Johansen cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: apparmor@lists.ubuntu.com cc: netdev@vger.kernel.org cc: stable@kernel.org --- include/linux/list.h | 26 ++++++++++++++++++++++++++ security/apparmor/include/policy.h | 2 -- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/include/linux/list.h b/include/linux/list.h index 00ea8e5fb88b..d224e7210d1b 100644 --- a/include/linux/list.h +++ b/include/linux/list.h @@ -381,6 +381,32 @@ static inline int list_empty(const struct list_head *h= ead) return READ_ONCE(head->next) =3D=3D head; } =20 +/** + * on_list - Test whether an entry is on a list. + * @entry: The entry to check + * + * Test whether an entry is on a list. Safe to use on an entry initialised + * with INIT_LIST_HEAD() or LIST_HEAD() or removed with things like + * list_del_init(). Not safe for use with list_del() or list_del_rcu(). + */ +static inline bool on_list(const struct list_head *entry) +{ + return !list_empty(entry); +} + +/** + * on_list_rcu - Test whether an entry is on a list (RCU-del safe). + * @entry: The entry to check + * + * Test whether an entry is on a list. Safe to use on an entry initialised + * with INIT_LIST_HEAD() or LIST_HEAD() or removed with things like + * list_del_init(). Also safe for use with list_del() or list_del_rcu(). + */ +static inline bool on_list_rcu(const struct list_head *entry) +{ + return !list_empty(entry) && entry->prev !=3D LIST_POISON2; +} + /** * list_del_init_careful - deletes entry from list and reinitialize it. * @entry: the element to delete from the list. diff --git a/security/apparmor/include/policy.h b/security/apparmor/include= /policy.h index 3895f8774a3f..c3697c23bbed 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -57,8 +57,6 @@ extern const char *const aa_profile_mode_names[]; =20 #define profile_is_stale(_profile) (label_is_stale(&(_profile)->label)) =20 -#define on_list_rcu(X) (!list_empty(X) && (X)->prev !=3D LIST_POISON2) - /* flags in the dfa accept2 table */ enum dfa_accept_flags { ACCEPT_FLAG_OWNER =3D 1, From nobody Mon Mar 23 19:50:50 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C84B13B8D58 for ; Mon, 23 Mar 2026 15:05:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278352; cv=none; b=Tz0BDZaYP5rtZjHSDufQejLANznrPbIxKPw6K9I32k7S8chdpv58Tf/GO/jgmGXc4a5MpVjcf1coc7f6GmRMfHADSTusrMEdEMSMscnrDt9pf5pUVIFMBAACKSw+opkOG33/gAa1KU2nRu8IW2ISLj9dFjG0FzDUIgmenKvPKzs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278352; c=relaxed/simple; bh=2w2X5/keWSYIEq5kP0enuQqtU6bjbD/nwb96pNy227I=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=p3IufGeBmbNAEjQGCz6FG8yDBzJtjCDfaigBbx5aeEZGgKOYCdFYn4DadzlSXVsSruGhhS6m6B+dI81YmBrD2jEI4AC4KINoGWa0VXEPUiFQ24B/VSfVBG1UC57qHNELFtGbPua9kFGKepdnTIkqvX50Weo24Wl7Vzzi1kEZEek= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=geiNmwen; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="geiNmwen" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774278350; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=fc4Dc9rhjFkx+bfczLiQwRPtyzYqEhuP7T8AhY5Spp4=; b=geiNmwenI9MTvQM7T+Dw5ihmmAJrKX64LQdCOIWx7rPJMwu6qOl2bG/ZzfPDKgk8usu083 25/F9F+E8sQk+NriE0GimglxJ5ywAzuV8EotxEhgwew78MAOJSQv5Z6pyhlS2HPptXx5MS KOWDPtImqrnlFstC5lqlZQFaVRCnFbU= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-546-8EXRhOFmMGyzePDbTZRciQ-1; Mon, 23 Mar 2026 11:05:44 -0400 X-MC-Unique: 8EXRhOFmMGyzePDbTZRciQ-1 X-Mimecast-MFC-AGG-ID: 8EXRhOFmMGyzePDbTZRciQ_1774278342 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 4518019560B4; Mon, 23 Mar 2026 15:05:42 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 9AABB300019F; Mon, 23 Mar 2026 15:05:38 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v2 05/10] rxrpc: Fix call removal to use RCU safe deletion Date: Mon, 23 Mar 2026 15:04:56 +0000 Message-ID: <20260323150505.3513839-6-dhowells@redhat.com> In-Reply-To: <20260323150505.3513839-1-dhowells@redhat.com> References: <20260323150505.3513839-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 Content-Type: text/plain; charset="utf-8" Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu() rather than list_del_init() to prevent stuffing up reading /proc/net/rxrpc/calls from potentially getting into an infinite loop. Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40= redhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/call_object.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c index 918f41d97a2f..0e47751d5937 100644 --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c @@ -654,9 +654,9 @@ void rxrpc_put_call(struct rxrpc_call *call, enum rxrpc= _call_trace why) if (dead) { ASSERTCMP(__rxrpc_call_state(call), =3D=3D, RXRPC_CALL_COMPLETE); =20 - if (!list_empty(&call->link)) { + if (on_list_rcu(&call->link)) { spin_lock(&rxnet->call_lock); - list_del_init(&call->link); + list_del_rcu(&call->link); spin_unlock(&rxnet->call_lock); } =20 @@ -738,7 +738,7 @@ void rxrpc_destroy_all_calls(struct rxrpc_net *rxnet) _debug("Zapping call %p", call); =20 rxrpc_see_call(call, rxrpc_call_see_zap); - list_del_init(&call->link); + list_del_rcu(&call->link); =20 pr_err("Call %p still in use (%d,%s,%lx,%lx)!\n", call, refcount_read(&call->ref), From nobody Mon Mar 23 19:50:50 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8D8413B47DE for ; Mon, 23 Mar 2026 15:05:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278356; cv=none; b=k/QbRxkpbdN/t3prgCDpmcVNhMgGwdgLZG1+PCU5/t9fu7YzAIk41LEVbHA/9dadKwqTK0thPhlwu3BYRA6x9n6yOCbE3GD0DeYjUKKr6axBGrAHYu5YI7OVe40MfuWKrfhjbh478p353p4otiMs4LGYtW/6MsJzfdPnAdrPfTc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278356; c=relaxed/simple; bh=i2+6T5laS6iXW24MjsOpSAQSe/11jAwSQhKVgP6EJWc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Qe09alPn5XnpOplSBVyJoTpPhUCzgc9q3tT3x+ctxQbE4P+KwDtjKdQf5FtXpvyPfvrObc+nE05gvMsjrE+rQpwavugkfKqL+gPuPfRsMXPvkepCHn1ryIDXDK3c0O/B6WFlsTd7PyNg+UZLwRTgG2begMVIWvZaycLBkAe5/x0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=BzP95ZjJ; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="BzP95ZjJ" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774278354; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5LLb+kvWly++E+vGdyFSJ+eIakQ89ZsZ0xRogJGUpqc=; b=BzP95ZjJ59iB3XaQhRQWnWXH60odnaAz1sjbgSsS6pqaks3P3vIgNCCyA1hUpiTnFaNq7g LZWN18tFKg3BpI69V6Hraf/MI0rsRPrQInJXlEN1kwHkjsR6MPgmPk2etgEc4W4aC5bfjt vJdnIForTexwo+ThBK5fnSEF3BzBMSY= Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-636-wlQ1P0hnOaycKdRVnn0kbw-1; Mon, 23 Mar 2026 11:05:50 -0400 X-MC-Unique: wlQ1P0hnOaycKdRVnn0kbw-1 X-Mimecast-MFC-AGG-ID: wlQ1P0hnOaycKdRVnn0kbw_1774278348 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 181791955D84; Mon, 23 Mar 2026 15:05:48 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id E97441800351; Mon, 23 Mar 2026 15:05:43 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Oleh Konko , Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v2 06/10] rxrpc: Fix RxGK token loading to check bounds Date: Mon, 23 Mar 2026 15:04:57 +0000 Message-ID: <20260323150505.3513839-7-dhowells@redhat.com> In-Reply-To: <20260323150505.3513839-1-dhowells@redhat.com> References: <20260323150505.3513839-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Content-Type: text/plain; charset="utf-8" From: Oleh Konko rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length from the XDR token as u32 values and passes each through round_up(x, 4) before using the rounded value for validation and allocation. When the raw length is >=3D 0xfffffffd, round_up() wraps to 0, so the bounds check and kzalloc both use 0 while the subsequent memcpy still copies the original ~4 GiB value, producing a heap buffer overflow reachable from an unprivileged add_key() call. Fix this by: (1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX. (2) Sizing the flexible-array allocation from the validated raw key length via struct_size_t() instead of the rounded value. (3) Caching the raw lengths so that the later field assignments and memcpy calls do not re-read from the token, eliminating a class of TOCTOU re-parse. The control path (valid token with lengths within bounds) is unaffected. Fixes: 0ca100ff4df6 ("rxrpc: Add YFS RxGK (GSSAPI) security class") Signed-off-by: Oleh Konko Signed-off-by: David Howells Reviewed-by: Jeffrey Altman cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/key.c | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index 26d4336a4a02..77237a82be3b 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include @@ -171,7 +172,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, size_t plen; const __be32 *ticket, *key; s64 tmp; - u32 tktlen, keylen; + size_t raw_keylen, raw_tktlen, keylen, tktlen; =20 _enter(",{%x,%x,%x,%x},%x", ntohl(xdr[0]), ntohl(xdr[1]), ntohl(xdr[2]), ntohl(xdr[3]), @@ -181,18 +182,22 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_pre= parsed_payload *prep, goto reject; =20 key =3D xdr + (6 * 2 + 1); - keylen =3D ntohl(key[-1]); - _debug("keylen: %x", keylen); - keylen =3D round_up(keylen, 4); + raw_keylen =3D ntohl(key[-1]); + _debug("keylen: %zx", raw_keylen); + if (raw_keylen > AFSTOKEN_GK_KEY_MAX) + goto reject; + keylen =3D round_up(raw_keylen, 4); if ((6 * 2 + 2) * 4 + keylen > toklen) goto reject; =20 ticket =3D xdr + (6 * 2 + 1 + (keylen / 4) + 1); - tktlen =3D ntohl(ticket[-1]); - _debug("tktlen: %x", tktlen); - tktlen =3D round_up(tktlen, 4); + raw_tktlen =3D ntohl(ticket[-1]); + _debug("tktlen: %zx", raw_tktlen); + if (raw_tktlen > AFSTOKEN_GK_TOKEN_MAX) + goto reject; + tktlen =3D round_up(raw_tktlen, 4); if ((6 * 2 + 2) * 4 + keylen + tktlen !=3D toklen) { - kleave(" =3D -EKEYREJECTED [%x!=3D%x, %x,%x]", + kleave(" =3D -EKEYREJECTED [%zx!=3D%x, %zx,%zx]", (6 * 2 + 2) * 4 + keylen + tktlen, toklen, keylen, tktlen); goto reject; @@ -206,7 +211,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, if (!token) goto nomem; =20 - token->rxgk =3D kzalloc(sizeof(*token->rxgk) + keylen, GFP_KERNEL); + token->rxgk =3D kzalloc(struct_size_t(struct rxgk_key, _key, raw_keylen),= GFP_KERNEL); if (!token->rxgk) goto nomem_token; =20 @@ -221,9 +226,9 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, token->rxgk->enctype =3D tmp =3D xdr_dec64(xdr + 5 * 2); if (tmp < 0 || tmp > UINT_MAX) goto reject_token; - token->rxgk->key.len =3D ntohl(key[-1]); + token->rxgk->key.len =3D raw_keylen; token->rxgk->key.data =3D token->rxgk->_key; - token->rxgk->ticket.len =3D ntohl(ticket[-1]); + token->rxgk->ticket.len =3D raw_tktlen; =20 if (token->rxgk->endtime !=3D 0) { expiry =3D rxrpc_s64_to_time64(token->rxgk->endtime); @@ -236,8 +241,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, memcpy(token->rxgk->key.data, key, token->rxgk->key.len); =20 /* Pad the ticket so that we can use it directly in XDR */ - token->rxgk->ticket.data =3D kzalloc(round_up(token->rxgk->ticket.len, 4), - GFP_KERNEL); + token->rxgk->ticket.data =3D kzalloc(tktlen, GFP_KERNEL); if (!token->rxgk->ticket.data) goto nomem_yrxgk; memcpy(token->rxgk->ticket.data, ticket, token->rxgk->ticket.len); From nobody Mon Mar 23 19:50:50 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E7E8A25392A for ; Mon, 23 Mar 2026 15:06:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278362; cv=none; b=RY4h98/1kAmPSOR+lW5JwJHP/pxEYiyVSYYEgXxloXYmGr/r2t5+MhndQa4JBtkksiUATVGkNV/1mwGYxYXsTWX3ewxso5XWt9KpnAbWTruBKIraIwp5TcYJTu8P32+D7ieWaiAqeMA/k5qjV1FXc3OIcV7rifEEThx31TPZi54= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278362; c=relaxed/simple; bh=uKQQDvBp/KwfLLfHSXwGqcQ4zZX/GfdRXMjfn3+FICw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=u/wNZW6LIcxAGZ4Pgr0wVEYTEgk34duEOzFA6v7BAEVVAQuBrq1hXgQvu1J1tWBmASbMibaFY4vF8ocXj0CecyO/5IBWS/y/ieEaWiZed4gXcZOBUKj+Bjh7nKrNmIyXzj8z9uKhYYAEYlGjgZWAgAz+TMmHzdec74LH2af3t1Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=h13zPAd4; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="h13zPAd4" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774278360; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PD9Fy7wSG+dykOVFU6Ayy0szZH4DtiCgK8ZVa956s6c=; b=h13zPAd4nce8EKRi/w20CXCxry78IyHmBICU8FB1vl2+mzAWMyeL5g395zp94QtHb+5vs8 bpvBiQTFT/sdVwo+XVYlV+hAeAyHGrCBVSF4Wo7RGV3tZeCUVSCRzTb+N6/OEZz53jl99k dIexIf5z06KdSeAZvOE1tnhzBPGnj3A= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-663-eWs3ccfNPmmU4R2E08feaQ-1; Mon, 23 Mar 2026 11:05:56 -0400 X-MC-Unique: eWs3ccfNPmmU4R2E08feaQ-1 X-Mimecast-MFC-AGG-ID: eWs3ccfNPmmU4R2E08feaQ_1774278353 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 702AC19560B4; Mon, 23 Mar 2026 15:05:53 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id C55AB300019F; Mon, 23 Mar 2026 15:05:49 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Alok Tiwari , Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v2 07/10] rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial Date: Mon, 23 Mar 2026 15:04:58 +0000 Message-ID: <20260323150505.3513839-8-dhowells@redhat.com> In-Reply-To: <20260323150505.3513839-1-dhowells@redhat.com> References: <20260323150505.3513839-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 Content-Type: text/plain; charset="utf-8" From: Alok Tiwari In rxrpc_post_response(), the code should be comparing the challenge serial number from the cached response before deciding to switch to a newer response, but looks at the newer packet private data instead, rendering the comparison always false. Fix this by switching to look at the older packet. Fix further[1] to substitute the new packet in place of the old one if newer and also to release whichever we don't use. Fixes: 5800b1cf3fd8 ("rxrpc: Allow CHALLENGEs to the passed to the app for = a RESPONSE") Signed-off-by: Alok Tiwari Signed-off-by: David Howells Reviewed-by: Jeffrey Altman cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org Link: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40re= dhat.com [1] --- include/trace/events/rxrpc.h | 1 + net/rxrpc/conn_event.c | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index 869f97c9bf73..5edad6a624ad 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -185,6 +185,7 @@ EM(rxrpc_skb_put_input, "PUT input ") \ EM(rxrpc_skb_put_jumbo_subpacket, "PUT jumbo-sub") \ EM(rxrpc_skb_put_oob, "PUT oob ") \ + EM(rxrpc_skb_put_old_response, "PUT old-resp ") \ EM(rxrpc_skb_put_purge, "PUT purge ") \ EM(rxrpc_skb_put_purge_oob, "PUT purge-oob") \ EM(rxrpc_skb_put_response, "PUT response ") \ diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c index 98ad9b51ca2c..c50cbfc5a313 100644 --- a/net/rxrpc/conn_event.c +++ b/net/rxrpc/conn_event.c @@ -557,11 +557,11 @@ void rxrpc_post_response(struct rxrpc_connection *con= n, struct sk_buff *skb) spin_lock_irq(&local->lock); old =3D conn->tx_response; if (old) { - struct rxrpc_skb_priv *osp =3D rxrpc_skb(skb); + struct rxrpc_skb_priv *osp =3D rxrpc_skb(old); =20 /* Always go with the response to the most recent challenge. */ if (after(sp->resp.challenge_serial, osp->resp.challenge_serial)) - conn->tx_response =3D old; + conn->tx_response =3D skb; else old =3D skb; } else { @@ -569,4 +569,5 @@ void rxrpc_post_response(struct rxrpc_connection *conn,= struct sk_buff *skb) } spin_unlock_irq(&local->lock); rxrpc_poke_conn(conn, rxrpc_conn_get_poke_response); + rxrpc_free_skb(old, rxrpc_skb_put_old_response); } From nobody Mon Mar 23 19:50:50 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E1B163BADAE for ; Mon, 23 Mar 2026 15:06:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278369; cv=none; b=aNhNammDfZT9Mi5j2N4TlgPxTaMNOj7ytd7GX+X5JHebuus31YtNQ4vZwcfUX1Berg9yKXPagPCBKG7xuJ/zdM4fpMQc1DcMB06V2c8yp+ZP3fSqHQkbYSIgGJNV/o2AMJFoC2e/1xmxM0aLsUsIa3stbS2mvBWwnLOfrl9jVqI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278369; c=relaxed/simple; bh=wiH6DsMqrg29tzFgP11flkS65RZZkVoC9406w0ZzAqc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=mMYlwBR320qIQ/SSDilPGX8KLFKN2p99irZJS312ceL5CZSt59rF5r4qNVYEbBTKRaDb//MAFLbx/Li89qe9ISxxc26AWDp8xRYZ+a8I2j6wjuP5lHuG6vsMrMYyo+4R3WUJAtJHGpiSWyx3wGfhWlO0C6LvfGkFbznCXXZTkZ8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=QFT0u6dj; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="QFT0u6dj" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774278367; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=loVxfrzyxYdQdW2xqgUXj+kDQbA4pbY0Yb3C1QbXM7A=; b=QFT0u6djUNY7zu7EkHJdQtno5WUxBu1t8zvZmHn1Gq9QbfHqr8Q/RO13eovU9Ks40KqN6o CFSPBU5JliOzisOI01/yxlQxCEUKnOg1o2zpDrs99vA+he97wUk1lgW6MggcZzxK8pRt5q V2wEjmEaLwph44yhELRh72GR4AeOH9o= Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-400-4gT5hl3-O4acj9Q4khLLaA-1; Mon, 23 Mar 2026 11:06:01 -0400 X-MC-Unique: 4gT5hl3-O4acj9Q4khLLaA-1 X-Mimecast-MFC-AGG-ID: 4gT5hl3-O4acj9Q4khLLaA_1774278358 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id BFE8D195608A; Mon, 23 Mar 2026 15:05:58 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 21DF9300019F; Mon, 23 Mar 2026 15:05:54 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Alok Tiwari , Simon Horman , Jeffrey Altman , stable@kernel.org Subject: [PATCH net v2 08/10] rxrpc: Fix rack timer warning to report unexpected mode Date: Mon, 23 Mar 2026 15:04:59 +0000 Message-ID: <20260323150505.3513839-9-dhowells@redhat.com> In-Reply-To: <20260323150505.3513839-1-dhowells@redhat.com> References: <20260323150505.3513839-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 Content-Type: text/plain; charset="utf-8" From: Alok Tiwari rxrpc_rack_timer_expired() clears call->rack_timer_mode to OFF before the switch. The default case warning therefore always prints OFF and doesn't identify the unexpected timer mode. Log the saved mode value instead so the warning reports the actual unexpected rack timer mode. Fixes: 7c482665931b ("rxrpc: Implement RACK/TLP to deal with transmission s= talls [RFC8985]") Signed-off-by: Alok Tiwari Signed-off-by: David Howells Reviewed-by: Simon Horman Reviewed-by: Jeffrey Altman cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/input_rack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rxrpc/input_rack.c b/net/rxrpc/input_rack.c index 13c371261e0a..9eb109ffba56 100644 --- a/net/rxrpc/input_rack.c +++ b/net/rxrpc/input_rack.c @@ -413,6 +413,6 @@ void rxrpc_rack_timer_expired(struct rxrpc_call *call, = ktime_t overran_by) break; //case RXRPC_CALL_RACKTIMER_ZEROWIN: default: - pr_warn("Unexpected rack timer %u", call->rack_timer_mode); + pr_warn("Unexpected rack timer %u", mode); } } From nobody Mon Mar 23 19:50:50 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 13DC83BB9E0 for ; Mon, 23 Mar 2026 15:06:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278372; cv=none; b=R4rYvMTp3cPpRDtxV+tFvewk2fGM+m9w/ja2+O34DaKSQ4AwdnMvbs5SW8w1Zs/ffOl137TN9j4t43WURcJoQNr4EQ7OOAJzu6F8/ANEI9zXWUHrdRrKaWDzFv2FHllm6rbZqWsGdWb2c5nIJeH99E9KR1cf6aCOjEh7ikQPTjU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278372; c=relaxed/simple; bh=I3X9Xgh8JthJcC1AVR46HTecX3GW+jzHyhem1V0naug=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Bv0C4Rf1QlW48iXqViafwbwmzS/8hCa9eRQq/sWDo8H3c8thPF9U678nd0o2CO3moHZfuOCgZSJSowS25KrXAr7xMrc9B9z7sMV2h51nblFSpbtcJKzZffdBbBSU5Xs5xkc5SwnLuVGtw7PikAUlS/KDahp20UxDcsyYmYjnu78= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=HQpfsGqI; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="HQpfsGqI" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774278369; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=AN3SQlsqlhxFhvczjAvAzreHONU16FaElSEWYMuHbwQ=; b=HQpfsGqIbS01bwKRIyAkYtkNztnj5rXjQ+i7tft802FI6u4GiE3srjmzoAZsCv/v2ZtSh3 +/4CbQgIstbQtWVR66pQGhzgDH8bJXjHmybpoVNgsun1h0a+KzDvNlIHlciLwS2XkPivjE ++fivvwmZXTMrgn68he2Nin7xj30OoQ= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-297-QTMd5Q5dO7Cvo_kO7sVkXQ-1; Mon, 23 Mar 2026 11:06:08 -0400 X-MC-Unique: QTMd5Q5dO7Cvo_kO7sVkXQ-1 X-Mimecast-MFC-AGG-ID: QTMd5Q5dO7Cvo_kO7sVkXQ_1774278364 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 2E93F18002F3; Mon, 23 Mar 2026 15:06:04 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 5E0C91955D71; Mon, 23 Mar 2026 15:06:00 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Anderson Nascimento , Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v2 09/10] rxrpc: Fix keyring reference count leak in rxrpc_setsockopt() Date: Mon, 23 Mar 2026 15:05:00 +0000 Message-ID: <20260323150505.3513839-10-dhowells@redhat.com> In-Reply-To: <20260323150505.3513839-1-dhowells@redhat.com> References: <20260323150505.3513839-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Content-Type: text/plain; charset="utf-8" From: Anderson Nascimento In rxrpc_setsockopt(), the code checks 'rx->key' when handling the RXRPC_SECURITY_KEYRING option. However, this appears to be a logic error. The code should be checking 'rx->securities' to determine if a keyring has already been defined for the socket. Currently, if a user calls setsockopt(RXRPC_SECURITY_KEYRING) multiple times on the same socket, the check 'if (rx->key)' fails to block subsequent calls because 'rx->key' has not been defined by the function. This results in a reference count leak on the keyring. This patch changes the check to 'rx->securities' to correctly identify if the socket security keyring has already been configured, returning -EINVAL on subsequent attempts. Before the patch: It shows the keyring reference counter elevated. $ cat /proc/keys | grep AFSkeys1 27aca8ae I--Q--- 24469721 perm 3f010000 1000 1000 keyring AFSkeys1: emp= ty $ After the patch: The keyring reference counter remains stable and subsequent calls return an error: $ ./poc setsockopt: Invalid argument $ Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by u= serspace and kernel both") Signed-off-by: Anderson Nascimento Signed-off-by: David Howells Reviewed-by: Jeffrey Altman cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/af_rxrpc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c index 0f90272ac254..0b7ed99a3025 100644 --- a/net/rxrpc/af_rxrpc.c +++ b/net/rxrpc/af_rxrpc.c @@ -665,7 +665,7 @@ static int rxrpc_setsockopt(struct socket *sock, int le= vel, int optname, =20 case RXRPC_SECURITY_KEYRING: ret =3D -EINVAL; - if (rx->key) + if (rx->securities) goto error; ret =3D -EISCONN; if (rx->sk.sk_state !=3D RXRPC_UNBOUND) From nobody Mon Mar 23 19:50:50 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8FFC23BBA18 for ; Mon, 23 Mar 2026 15:06:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278377; cv=none; b=gug3Ek7yu74FgDamduNX8zF5HtnA0L+rl8MEeXnd0tJAgtZlrjMU80Z+MvE4wbF0f+FH/PqvLYCarranaada8XU5lLPWTJkTCJn6Ky/xh1LX3IlG7HMPnOD4fYziqAs9dGGYnCQBt+lXcRT18MqcfygAav11PKJBzeHFWy3JK50= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774278377; c=relaxed/simple; bh=+qHAnkIsqP997RWJ6s4umVeu9sIbTOhEQRZ3NRgBWrs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=eThqeX7bRSRi975qKfBsuTATX16NMdKiZB2Jz9jmxAbgcGNFFzyv3PpmlSTHk9Sg/CJUx7u02A8JyVqGzhgnFHKEpLB7Pv5IjZVwb7G0Tu/nGR5tSO2EMDWCOdYGCB30yo14Q7n4/s8Q7e2rpsraF6J3glZ4GWYQ4kjEFRa8uO0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=UBOSSvYV; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="UBOSSvYV" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774278375; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=VeYaAx0dAJ4NEayyI0atPURUWeMa5ddyG3Tx/cyMm4w=; b=UBOSSvYVXx6SqSUldm+vInwt34ZmQFDP7sxahg6Tw6OYV3m55mwyFQNOtKTMWxj69xUi+F d09H9aJ2yD1xgAFF/sWurinoFffGSWhUuW41Slouh9f9qhP5tCa+cN1L1iXocp3drQM8VW LRmC2jeX32HIPKvgjd+8obFKZqsmdoE= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-577-Nj5H2jTqPACnoLggokpyxA-1; Mon, 23 Mar 2026 11:06:12 -0400 X-MC-Unique: Nj5H2jTqPACnoLggokpyxA-1 X-Mimecast-MFC-AGG-ID: Nj5H2jTqPACnoLggokpyxA_1774278370 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 25AEC1800359; Mon, 23 Mar 2026 15:06:10 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id E7AD3300019F; Mon, 23 Mar 2026 15:06:05 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Anderson Nascimento , Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v2 10/10] rxrpc: Fix key reference count leak from call->key Date: Mon, 23 Mar 2026 15:05:01 +0000 Message-ID: <20260323150505.3513839-11-dhowells@redhat.com> In-Reply-To: <20260323150505.3513839-1-dhowells@redhat.com> References: <20260323150505.3513839-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 Content-Type: text/plain; charset="utf-8" From: Anderson Nascimento When creating a client call in rxrpc_alloc_client_call(), the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed. Fix this by freeing call->key in rxrpc_destroy_call(). Before the patch, it shows the key reference counter elevated: $ cat /proc/keys | grep afs@54321 1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka $ After the patch, the invalidated key is removed when the code exits: $ cat /proc/keys | grep afs@54321 $ Fixes: f3441d4125fc ("rxrpc: Copy client call parameters into rxrpc_call ea= rlier") Signed-off-by: Anderson Nascimento Co-developed-by: David Howells Signed-off-by: David Howells Reviewed-by: Jeffrey Altman cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/call_object.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c index 0e47751d5937..57c15aa1e9b5 100644 --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c @@ -694,6 +694,7 @@ static void rxrpc_destroy_call(struct work_struct *work) rxrpc_put_bundle(call->bundle, rxrpc_bundle_put_call); rxrpc_put_peer(call->peer, rxrpc_peer_put_call); rxrpc_put_local(call->local, rxrpc_local_put_call); + key_put(call->key); call_rcu(&call->rcu, rxrpc_rcu_free_call); }