From nobody Thu Apr 2 20:26:40 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 56B603CEB95 for ; Thu, 26 Mar 2026 13:18:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531138; cv=none; b=f2J6aaZ2NWUEQ2E5reSj9LqjqV4dU+ZtIGInRy3AufskS2KAsShDyF+Ivs+q6wV0S9Z6r6y/UG8dfhlCcsYzXFU+jW8vyAFWeY0rGKBWbe0E73D3a/zDvSHT/vf1kuJowot67zJUAd7pOhXpXPKgTqckGwgyhn6qUZvGTGopBRs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531138; c=relaxed/simple; bh=lb0GZ4LjZYME6LIEZSDsoau/6K8K5XJGRSMiunj2zEc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=MJBSX44YSt4vi+sLwRdc3nKXHnvp15CErbt6EWZDQAW58udrTl0IsjL8OPzMjW/5yOmz5mnwBMWaQoXIL3w9qrN8AcGYtbMrNtsLMRt5F7mfdMOjMM01FuANcT0jTjKZGXuBPDcBEfVnZtdfZjWjLPYmuFuhl30bw4HQNdWVkWg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=DiKk5KdO; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="DiKk5KdO" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774531135; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=hXfYTLAZKbXpNf47trMTcMM/l7RhE1yxWdNYJ5ar7ck=; b=DiKk5KdOu4QDjfMZ0NVoDdfnb9zOFHcsgtUbNjscwlbh5x+Mz0rrBf6anfQnZVYuWmnYR/ a6UZf74DyI/ri0DPM7QEbSIp7vVVRmMyN0iiJLRtxYy4RHIuIjBZZHbpwNuNYSHJc8n6/c hN//zRmcKgVBrup5WqArIu34cbzByE8= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-228-EoAQyj13PUS2elco2fO-cg-1; Thu, 26 Mar 2026 09:18:52 -0400 X-MC-Unique: EoAQyj13PUS2elco2fO-cg-1 X-Mimecast-MFC-AGG-ID: EoAQyj13PUS2elco2fO-cg_1774531130 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 02D0818002C8; Thu, 26 Mar 2026 13:18:50 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id F3BEA1800107; Thu, 26 Mar 2026 13:18:45 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v3 01/11] rxrpc: Fix key quota calculation for multitoken keys Date: Thu, 26 Mar 2026 13:18:26 +0000 Message-ID: <20260326131838.634095-2-dhowells@redhat.com> In-Reply-To: <20260326131838.634095-1-dhowells@redhat.com> References: <20260326131838.634095-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Content-Type: text/plain; charset="utf-8" In the rxrpc key preparsing, every token extracted sets the proposed quota value, but for multitoken keys, this will overwrite the previous proposed quota, losing it. Fix this by adding to the proposed quota instead. Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing") Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40= redhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/key.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index 85078114b2dd..af403f0ccab5 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -72,7 +72,7 @@ static int rxrpc_preparse_xdr_rxkad(struct key_preparsed_= payload *prep, return -EKEYREJECTED; =20 plen =3D sizeof(*token) + sizeof(*token->kad) + tktlen; - prep->quotalen =3D datalen + plen; + prep->quotalen +=3D datalen + plen; =20 plen -=3D sizeof(*token); token =3D kzalloc_obj(*token); @@ -199,7 +199,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, } =20 plen =3D sizeof(*token) + sizeof(*token->rxgk) + tktlen + keylen; - prep->quotalen =3D datalen + plen; + prep->quotalen +=3D datalen + plen; =20 plen -=3D sizeof(*token); token =3D kzalloc_obj(*token); @@ -460,6 +460,7 @@ static int rxrpc_preparse(struct key_preparsed_payload = *prep) memcpy(&kver, prep->data, sizeof(kver)); prep->data +=3D sizeof(kver); prep->datalen -=3D sizeof(kver); + prep->quotalen =3D 0; =20 _debug("KEY I/F VERSION: %u", kver); =20 @@ -497,7 +498,7 @@ static int rxrpc_preparse(struct key_preparsed_payload = *prep) goto error; =20 plen =3D sizeof(*token->kad) + v1->ticket_length; - prep->quotalen =3D plen + sizeof(*token); + prep->quotalen +=3D plen + sizeof(*token); =20 ret =3D -ENOMEM; token =3D kzalloc_obj(*token); From nobody Thu Apr 2 20:26:40 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 43C9B3F8E1E for ; Thu, 26 Mar 2026 13:19:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531144; cv=none; b=lpUW4kTlBdqjsFSjai4u3RSJY6d5z78Fi3VTSUhUAI7Ak+8Ktb9riQmoKQEeGvyfX751/qq8IbZE7DSaitLRoO62N/MllqEGot2r4gRc7jSNv1/dLk1aT4i3X0ek0fsI59/O4UlGwqxL+b71Im2fqsw7oUcWN4LZhUihjN82yHQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531144; c=relaxed/simple; bh=lNi53xaZ2dGL9nGQo2Q5PUubxeSgR378CvFt6gObZgc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=VRiT7Mii8k0dsyEpCRpicK3nO+1WrgIiFuSjwhshRRGtGc726JOl71Wdd5Re7MUNu6jT6xnD+ZTDFazyKLlaJJ0P0BanNF4Q7C3xFDeVMYlh1Nm8q/HCzengmJy/8a5r06QGOS6yMEnbDZo6iWdx+HSbgzOjemQdCMapYxWwVPE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=X8H1vHV2; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="X8H1vHV2" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774531141; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=YaIw1S56HP9C94n6EHAzBdJx0jJ6g47etF8yPJICPVc=; b=X8H1vHV2fmQC1XPKx+seYGGFKmE8lLNQNGTiyXLLpY0BGFGJHtLJYgLZ56T4gl0LIMAI7S dWF6j2QZIimEsa+9sfwN8HllAjywDrCH+IQguDxeKO/DdFTulJYIW/nBxI6tTVy9lOmtNb PH1y+r5RGvqAv7ejOneQ7QXZfJNRFhg= Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-519-aXr7BN_QOcWaF0MevtC9fQ-1; Thu, 26 Mar 2026 09:18:57 -0400 X-MC-Unique: aXr7BN_QOcWaF0MevtC9fQ-1 X-Mimecast-MFC-AGG-ID: aXr7BN_QOcWaF0MevtC9fQ_1774531136 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 6959D1956089; Thu, 26 Mar 2026 13:18:55 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id AF26119560B1; Thu, 26 Mar 2026 13:18:51 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v3 02/11] rxrpc: Fix key parsing memleak Date: Thu, 26 Mar 2026 13:18:27 +0000 Message-ID: <20260326131838.634095-3-dhowells@redhat.com> In-Reply-To: <20260326131838.634095-1-dhowells@redhat.com> References: <20260326131838.634095-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Content-Type: text/plain; charset="utf-8" In rxrpc_preparse_xdr_yfs_rxgk(), the memory attached to token->rxgk can be leaked in a few error paths after it's allocated. Fix this by freeing it in the "reject_token:" case. Fixes: 0ca100ff4df6 ("rxrpc: Add YFS RxGK (GSSAPI) security class") Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40= redhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/key.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index af403f0ccab5..26d4336a4a02 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -274,6 +274,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, nomem: return -ENOMEM; reject_token: + kfree(token->rxgk); kfree(token); reject: return -EKEYREJECTED; From nobody Thu Apr 2 20:26:40 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 212B33F9F42 for ; Thu, 26 Mar 2026 13:19:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531148; cv=none; b=fHuaviuVHKUgCeziqzmUZSqkwP2MZ6hCMDujPeWJ65Hc76qPgfYItRmBI1QtzTFCIiPSLTe9ilQPUxTsruhzJGo7HBDYR23jC+CJjKjaErXVcE2YkydJ40c9OuEZv5NlOXjsbAYhKIg5XDecqeEzQqnj8w+8gn/259g+QQlWHPE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531148; c=relaxed/simple; bh=GTDitVkkmcP3pmQfGjjQNmdx/6Cfdn8ljMrl4GlS00k=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=qiA989QDDCSvRqJbimjWWH4ALGtlv5HJawC9n+/yzO+sZQe07ruqszkZfAG38GKKuvlWzlsdYCM8wHJdURH0EkESwm6DZErPWvQ3OOJCuRyetkOO4UYXBC87M1TBnuSjzgAapc8P8NlN4eZFw/VHkWZjfUSKd7/waJEjTJ5XhzI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=hbx4iyHk; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="hbx4iyHk" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774531146; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=P4apLx2lQf8nhrvynIjV3RMW+ZpNX1GtOZdWeDq74IM=; b=hbx4iyHkW7YsJY7l9BLIfVwKhHvsgr+X1uJI2tyNSO4OXDjUQt1evQhI2FYTkADG5eFqAi Vszc69ZEvPfd9scvWH+TeDvKBQdbFSoaSWnSzQWgoXom4Ga5mtFifZRHX/ydgkgfHo00M7 c0Acl7JH94UrD9mCosJSiCudOfC0h9s= Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-627-B8zLBgi_MbaDrbLSI1jfxA-1; Thu, 26 Mar 2026 09:19:03 -0400 X-MC-Unique: B8zLBgi_MbaDrbLSI1jfxA-1 X-Mimecast-MFC-AGG-ID: B8zLBgi_MbaDrbLSI1jfxA_1774531141 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id ED40C18005B3; Thu, 26 Mar 2026 13:19:00 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 0C9243000223; Thu, 26 Mar 2026 13:18:56 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v3 03/11] rxrpc: Fix anonymous key handling Date: Thu, 26 Mar 2026 13:18:28 +0000 Message-ID: <20260326131838.634095-4-dhowells@redhat.com> In-Reply-To: <20260326131838.634095-1-dhowells@redhat.com> References: <20260326131838.634095-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 Content-Type: text/plain; charset="utf-8" In rxrpc_new_client_call_for_sendmsg(), a key with no payload is meant to be substituted for a NULL key pointer, but the variable this is done with is subsequently not used. Fix this by using "key" rather than "rx->key" when filling in the connection parameters. Note that this only affects direct use of AF_RXRPC; the kAFS filesystem doesn't use sendmsg() directly and so bypasses the issue. Further, AF_RXRPC passes a NULL key in if no key is set, so using an anonymous key in that manner works. Since this hasn't been noticed to this point, it might be better just to remove the "key" variable and the code that sets it - and, arguably, rxrpc_init_client_call_security() would be a better place to handle it. Fixes: 19ffa01c9c45 ("rxrpc: Use structs to hold connection params and prot= ocol info") Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40= redhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/sendmsg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c index 04f9c5f2dc24..c35de4fd75e3 100644 --- a/net/rxrpc/sendmsg.c +++ b/net/rxrpc/sendmsg.c @@ -637,7 +637,7 @@ rxrpc_new_client_call_for_sendmsg(struct rxrpc_sock *rx= , struct msghdr *msg, memset(&cp, 0, sizeof(cp)); cp.local =3D rx->local; cp.peer =3D peer; - cp.key =3D rx->key; + cp.key =3D key; cp.security_level =3D rx->min_sec_level; cp.exclusive =3D rx->exclusive | p->exclusive; cp.upgrade =3D p->upgrade; From nobody Thu Apr 2 20:26:40 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 318163F9F42 for ; Thu, 26 Mar 2026 13:19:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531153; cv=none; b=TBPNvcYtF/aWLYa5QgwNtqyDhbdL68VEN8p/48REh6Lt+TsHuRYH13qZi+YBJdNDV9hsPRPBqQyj5DW3W73gH7oEze/pk9kYSST9BynsEHCFO8pUu7qi+SqJL0gU7sapJVFq3Rnu0LrEegwqV2KhZ/1A9Ra2p+yGbFIBCmYcSuE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531153; c=relaxed/simple; bh=mBKrZtOnIAHd6KsphkSL/iGsCqPyJf6gyUryLPO2bOA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=VLnsCunFXki6y7U5LDB24SueLc0oo7km6wYuTpOjv4FQyJn4HPejTCafpD4NIpdvTZ5XS+JpTSnv4P4meX4NVghxUR7raZQnv++omYitRHRz2zpdXa+ymGJ5x0GLbYtV0e26ff/m5BvR5p7F6cBYp5fmE2IcfU0rPkAIp4a7ACw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=jTqkk+mn; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="jTqkk+mn" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774531151; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1w/tzujNq6shO/Yk27oYEh0iCXtTypElru3vLGpkYIY=; b=jTqkk+mn9lj2YE2HAW4Caj9NHboyEwoG8R0LbQtkMv4QaF8MzvJed7tcsG2qdb9qgjuHvd DwQ2cPu4mhAr0zifWwhbgmreLr0c0f+DySlmU/80lMI+Ht/0xatltWJGZuXVJslBKc6qRF Pq9ICU9qdwlytn1VSNtEqcIi7N+F0OM= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-389-SRuUNOehMoCCTIHOHqYf1Q-1; Thu, 26 Mar 2026 09:19:09 -0400 X-MC-Unique: SRuUNOehMoCCTIHOHqYf1Q-1 X-Mimecast-MFC-AGG-ID: SRuUNOehMoCCTIHOHqYf1Q_1774531147 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 5C57C19560B4; Thu, 26 Mar 2026 13:19:07 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 93EA6180036E; Thu, 26 Mar 2026 13:19:02 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Mathieu Desnoyers , John Johansen , Minas Harutyunyan , Simon Horman , apparmor@lists.ubuntu.com, linux-usb@vger.kernel.org, stable@kernel.org Subject: [PATCH net v3 04/11] list: Move on_list_rcu() to list.h and add on_list() also Date: Thu, 26 Mar 2026 13:18:29 +0000 Message-ID: <20260326131838.634095-5-dhowells@redhat.com> In-Reply-To: <20260326131838.634095-1-dhowells@redhat.com> References: <20260326131838.634095-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Content-Type: text/plain; charset="utf-8" Unfortunately, list_empty() is not usable with an entry that has been removed from a list with list_del_rcu() as ->next must be left pointing at the following entry so as not to break traversal under RCU. Solve this by moving on_list_rcu() from AppArmor to linux/list.h, and turning it into an inline function. Also add an on_list() counterpart (functionally, this is just an antonym for list_empty()), but the name looks less awkward when applied to a non-head element. We probably don't want to use on_list_rcu() generally because it requires an extra check as ->prev is set differently in the two cases. Further, rename the on_list() function in the Designware usb2 drd ip driver to dwc2_on_list() to free up the original name. Signed-off-by: David Howells cc: Mathieu Desnoyers cc: John Johansen cc: Minas Harutyunyan cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: apparmor@lists.ubuntu.com cc: linux-usb@vger.kernel.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- drivers/usb/dwc2/gadget.c | 6 +++--- include/linux/list.h | 26 ++++++++++++++++++++++++++ security/apparmor/include/policy.h | 2 -- 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c index d216e26c787b..04b6aef8ac13 100644 --- a/drivers/usb/dwc2/gadget.c +++ b/drivers/usb/dwc2/gadget.c @@ -4306,11 +4306,11 @@ static int dwc2_hsotg_ep_disable_lock(struct usb_ep= *ep) } =20 /** - * on_list - check request is on the given endpoint + * dwc2_on_list - check request is on the given endpoint * @ep: The endpoint to check. * @test: The request to test if it is on the endpoint. */ -static bool on_list(struct dwc2_hsotg_ep *ep, struct dwc2_hsotg_req *test) +static bool dwc2_on_list(struct dwc2_hsotg_ep *ep, struct dwc2_hsotg_req *= test) { struct dwc2_hsotg_req *req, *treq; =20 @@ -4338,7 +4338,7 @@ static int dwc2_hsotg_ep_dequeue(struct usb_ep *ep, s= truct usb_request *req) =20 spin_lock_irqsave(&hs->lock, flags); =20 - if (!on_list(hs_ep, hs_req)) { + if (!dwc2_on_list(hs_ep, hs_req)) { spin_unlock_irqrestore(&hs->lock, flags); return -EINVAL; } diff --git a/include/linux/list.h b/include/linux/list.h index 00ea8e5fb88b..d224e7210d1b 100644 --- a/include/linux/list.h +++ b/include/linux/list.h @@ -381,6 +381,32 @@ static inline int list_empty(const struct list_head *h= ead) return READ_ONCE(head->next) =3D=3D head; } =20 +/** + * on_list - Test whether an entry is on a list. + * @entry: The entry to check + * + * Test whether an entry is on a list. Safe to use on an entry initialised + * with INIT_LIST_HEAD() or LIST_HEAD() or removed with things like + * list_del_init(). Not safe for use with list_del() or list_del_rcu(). + */ +static inline bool on_list(const struct list_head *entry) +{ + return !list_empty(entry); +} + +/** + * on_list_rcu - Test whether an entry is on a list (RCU-del safe). + * @entry: The entry to check + * + * Test whether an entry is on a list. Safe to use on an entry initialised + * with INIT_LIST_HEAD() or LIST_HEAD() or removed with things like + * list_del_init(). Also safe for use with list_del() or list_del_rcu(). + */ +static inline bool on_list_rcu(const struct list_head *entry) +{ + return !list_empty(entry) && entry->prev !=3D LIST_POISON2; +} + /** * list_del_init_careful - deletes entry from list and reinitialize it. * @entry: the element to delete from the list. diff --git a/security/apparmor/include/policy.h b/security/apparmor/include= /policy.h index 3895f8774a3f..c3697c23bbed 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -57,8 +57,6 @@ extern const char *const aa_profile_mode_names[]; =20 #define profile_is_stale(_profile) (label_is_stale(&(_profile)->label)) =20 -#define on_list_rcu(X) (!list_empty(X) && (X)->prev !=3D LIST_POISON2) - /* flags in the dfa accept2 table */ enum dfa_accept_flags { ACCEPT_FLAG_OWNER =3D 1, From nobody Thu Apr 2 20:26:40 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B340D3FADF6 for ; Thu, 26 Mar 2026 13:19:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531160; cv=none; b=F+DUixWnJ3KTAGTlGbYHWpXEXYtbCEdW190awxr4sZ8/DqLKnfcYr6M4dO++FZU+7hkyMRAy2+xMbt0LARsIX/y3QHYuwXR5rZeaiZnHcKrZ75RUoTeHZCY+lfAJneCVS81OytGY4azS9roejAJEhYk4GrPEdxG/xb6biwRsQfk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531160; c=relaxed/simple; bh=2w2X5/keWSYIEq5kP0enuQqtU6bjbD/nwb96pNy227I=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=eXacbPdc4xighhtdlo5fMIDNWUHNyvsv/Lz0Gumxau/pP4iBKfeIn7pOkTuVKusan3xydx4pylLbrC9VdLvpvzfJPhN2JB21n6DxR4hVjW9ICt2Zb+2cndo4qyM69jmDTxdTEFsaVxcSIzo/4CGz27l0IL4ItZ+UIGC3eZsbQ8M= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=U3G55Zow; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="U3G55Zow" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774531158; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=fc4Dc9rhjFkx+bfczLiQwRPtyzYqEhuP7T8AhY5Spp4=; b=U3G55ZowwFtaPR+t4RTQpz5myApDRPZzZZ+OGfXNagy7+S5Kh6OgCAZa/6FpXHWqcQ7Z+t F05nqnBb+BHeMHsJpPSOVAqs1srhD2mRd12F1AjFPjNWBRHDbnCngyBCj8HIGKZpunfR/D uA1onnKhhWK2sANfMD8mDF+5F4ZhehI= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-505-G02DmEYdPPOZ0nMh_6dlZA-1; Thu, 26 Mar 2026 09:19:14 -0400 X-MC-Unique: G02DmEYdPPOZ0nMh_6dlZA-1 X-Mimecast-MFC-AGG-ID: G02DmEYdPPOZ0nMh_6dlZA_1774531152 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 78295195608E; Thu, 26 Mar 2026 13:19:12 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 0B1721800671; Thu, 26 Mar 2026 13:19:08 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v3 05/11] rxrpc: Fix call removal to use RCU safe deletion Date: Thu, 26 Mar 2026 13:18:30 +0000 Message-ID: <20260326131838.634095-6-dhowells@redhat.com> In-Reply-To: <20260326131838.634095-1-dhowells@redhat.com> References: <20260326131838.634095-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Content-Type: text/plain; charset="utf-8" Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu() rather than list_del_init() to prevent stuffing up reading /proc/net/rxrpc/calls from potentially getting into an infinite loop. Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40= redhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/call_object.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c index 918f41d97a2f..0e47751d5937 100644 --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c @@ -654,9 +654,9 @@ void rxrpc_put_call(struct rxrpc_call *call, enum rxrpc= _call_trace why) if (dead) { ASSERTCMP(__rxrpc_call_state(call), =3D=3D, RXRPC_CALL_COMPLETE); =20 - if (!list_empty(&call->link)) { + if (on_list_rcu(&call->link)) { spin_lock(&rxnet->call_lock); - list_del_init(&call->link); + list_del_rcu(&call->link); spin_unlock(&rxnet->call_lock); } =20 @@ -738,7 +738,7 @@ void rxrpc_destroy_all_calls(struct rxrpc_net *rxnet) _debug("Zapping call %p", call); =20 rxrpc_see_call(call, rxrpc_call_see_zap); - list_del_init(&call->link); + list_del_rcu(&call->link); =20 pr_err("Call %p still in use (%d,%s,%lx,%lx)!\n", call, refcount_read(&call->ref), From nobody Thu Apr 2 20:26:40 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 916DD3FB04F for ; Thu, 26 Mar 2026 13:19:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531167; cv=none; b=NZEm1JYctD5kPx1vOriIZGhfbxO33jvuHwbDLoaMOkwsDlJ7H8ypD6vQP2xOiB5/N2LeiC2mJoLrY0Wo63/QZvWm1tJH1R1xwOsVKTOmbqtWkM/DFht7PdX6JSPOTLJYuPpbJKrac/17h7V13r44frl1iZXPg1ST7LrJJGOibL8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531167; c=relaxed/simple; bh=i2+6T5laS6iXW24MjsOpSAQSe/11jAwSQhKVgP6EJWc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=en8tpFozIRFhWjE6cBU0Rgw2km+f/sz/tTpDkyYEXheJ8Jrbo7r4ZQgTFnW4pVyftvy56oMOEO/yMTaxmSXAG+yx0lmDWKWc1aqUAIokC/PVrDKaG972BzpgKbqyfpYGeco0fLaeDcj846Y6EoLr5YdkB+d6XF8UMDVQ/SkqMKU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=UQzvjdIf; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="UQzvjdIf" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774531165; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5LLb+kvWly++E+vGdyFSJ+eIakQ89ZsZ0xRogJGUpqc=; b=UQzvjdIfba+gVAZG12oVcpn0jKWERn4ZEQal59hg7c7KRGH7IgpBVQhT6+3PtZjmxl/aNE P4sWYvC8l3R7N4YIgJYa5/Iv8JbytELM98Z1hui11JTwPrpXi0wYj8sq+/+8n1/ufIIzZL pOoBN9xuPSpDJElrdqeMLoFmryXahUg= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-477-aMHhxQ6WPJmkVR7JAQKj3A-1; Thu, 26 Mar 2026 09:19:19 -0400 X-MC-Unique: aMHhxQ6WPJmkVR7JAQKj3A-1 X-Mimecast-MFC-AGG-ID: aMHhxQ6WPJmkVR7JAQKj3A_1774531157 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id CB12E180044D; Thu, 26 Mar 2026 13:19:17 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 158E619560B1; Thu, 26 Mar 2026 13:19:13 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Oleh Konko , Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v3 06/11] rxrpc: Fix RxGK token loading to check bounds Date: Thu, 26 Mar 2026 13:18:31 +0000 Message-ID: <20260326131838.634095-7-dhowells@redhat.com> In-Reply-To: <20260326131838.634095-1-dhowells@redhat.com> References: <20260326131838.634095-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Content-Type: text/plain; charset="utf-8" From: Oleh Konko rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length from the XDR token as u32 values and passes each through round_up(x, 4) before using the rounded value for validation and allocation. When the raw length is >=3D 0xfffffffd, round_up() wraps to 0, so the bounds check and kzalloc both use 0 while the subsequent memcpy still copies the original ~4 GiB value, producing a heap buffer overflow reachable from an unprivileged add_key() call. Fix this by: (1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX. (2) Sizing the flexible-array allocation from the validated raw key length via struct_size_t() instead of the rounded value. (3) Caching the raw lengths so that the later field assignments and memcpy calls do not re-read from the token, eliminating a class of TOCTOU re-parse. The control path (valid token with lengths within bounds) is unaffected. Fixes: 0ca100ff4df6 ("rxrpc: Add YFS RxGK (GSSAPI) security class") Signed-off-by: Oleh Konko Signed-off-by: David Howells Reviewed-by: Jeffrey Altman cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/key.c | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index 26d4336a4a02..77237a82be3b 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include @@ -171,7 +172,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, size_t plen; const __be32 *ticket, *key; s64 tmp; - u32 tktlen, keylen; + size_t raw_keylen, raw_tktlen, keylen, tktlen; =20 _enter(",{%x,%x,%x,%x},%x", ntohl(xdr[0]), ntohl(xdr[1]), ntohl(xdr[2]), ntohl(xdr[3]), @@ -181,18 +182,22 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_pre= parsed_payload *prep, goto reject; =20 key =3D xdr + (6 * 2 + 1); - keylen =3D ntohl(key[-1]); - _debug("keylen: %x", keylen); - keylen =3D round_up(keylen, 4); + raw_keylen =3D ntohl(key[-1]); + _debug("keylen: %zx", raw_keylen); + if (raw_keylen > AFSTOKEN_GK_KEY_MAX) + goto reject; + keylen =3D round_up(raw_keylen, 4); if ((6 * 2 + 2) * 4 + keylen > toklen) goto reject; =20 ticket =3D xdr + (6 * 2 + 1 + (keylen / 4) + 1); - tktlen =3D ntohl(ticket[-1]); - _debug("tktlen: %x", tktlen); - tktlen =3D round_up(tktlen, 4); + raw_tktlen =3D ntohl(ticket[-1]); + _debug("tktlen: %zx", raw_tktlen); + if (raw_tktlen > AFSTOKEN_GK_TOKEN_MAX) + goto reject; + tktlen =3D round_up(raw_tktlen, 4); if ((6 * 2 + 2) * 4 + keylen + tktlen !=3D toklen) { - kleave(" =3D -EKEYREJECTED [%x!=3D%x, %x,%x]", + kleave(" =3D -EKEYREJECTED [%zx!=3D%x, %zx,%zx]", (6 * 2 + 2) * 4 + keylen + tktlen, toklen, keylen, tktlen); goto reject; @@ -206,7 +211,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, if (!token) goto nomem; =20 - token->rxgk =3D kzalloc(sizeof(*token->rxgk) + keylen, GFP_KERNEL); + token->rxgk =3D kzalloc(struct_size_t(struct rxgk_key, _key, raw_keylen),= GFP_KERNEL); if (!token->rxgk) goto nomem_token; =20 @@ -221,9 +226,9 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, token->rxgk->enctype =3D tmp =3D xdr_dec64(xdr + 5 * 2); if (tmp < 0 || tmp > UINT_MAX) goto reject_token; - token->rxgk->key.len =3D ntohl(key[-1]); + token->rxgk->key.len =3D raw_keylen; token->rxgk->key.data =3D token->rxgk->_key; - token->rxgk->ticket.len =3D ntohl(ticket[-1]); + token->rxgk->ticket.len =3D raw_tktlen; =20 if (token->rxgk->endtime !=3D 0) { expiry =3D rxrpc_s64_to_time64(token->rxgk->endtime); @@ -236,8 +241,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, memcpy(token->rxgk->key.data, key, token->rxgk->key.len); =20 /* Pad the ticket so that we can use it directly in XDR */ - token->rxgk->ticket.data =3D kzalloc(round_up(token->rxgk->ticket.len, 4), - GFP_KERNEL); + token->rxgk->ticket.data =3D kzalloc(tktlen, GFP_KERNEL); if (!token->rxgk->ticket.data) goto nomem_yrxgk; memcpy(token->rxgk->ticket.data, ticket, token->rxgk->ticket.len); From nobody Thu Apr 2 20:26:40 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2675F3FB063 for ; Thu, 26 Mar 2026 13:19:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531171; cv=none; b=RV94pnQTlioeik7W8jduIB/z32U5sivFw5hqM92XFqZ7pXhpqEzfGtFMYu8GujKL65o+XR8d5Os3MywOoT01sYmHUWbPy1kNlwDGywhdz+pyAqJXzArddPXsRMD+s8+bIt+UqxJ1kImPXt7bOseFnNI2DTTAn6J42KubqaldipQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531171; c=relaxed/simple; bh=uKQQDvBp/KwfLLfHSXwGqcQ4zZX/GfdRXMjfn3+FICw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=HAzTMeYfmR7vHoiGSPjhwx14dBZTSyJH1x5r099xDH2kOgAZbMnjggFi1UoeRVORHDObrCwzP62dwvCa/puuypQyA5V3PL2e1fdG9FdI8rLPg767hh1XmjZr8ClFP3l8ar0UWwVSSxvPimPT218Clzv//aU1fI0QN5KmHPweCWQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=RicnsUEN; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="RicnsUEN" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774531169; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PD9Fy7wSG+dykOVFU6Ayy0szZH4DtiCgK8ZVa956s6c=; b=RicnsUEN2JegHGv3TShHABqRtldW7fKv+XRiY0QxY5cONH9VvGDRKL+mNDVgEMqoil3mp+ b7MpY79HZwCC75htdc8z4ByPLeNvBgGzFMkK6xjGF5y/Hpr/TyRQ6pOdkNG+mv8S0jdLjR niEXcMc6ctQI9dms30+Jz+v7WxorrJY= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-600-K8vC-LkZPQefbCT5xNprkw-1; Thu, 26 Mar 2026 09:19:27 -0400 X-MC-Unique: K8vC-LkZPQefbCT5xNprkw-1 X-Mimecast-MFC-AGG-ID: K8vC-LkZPQefbCT5xNprkw_1774531164 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 549B01953954; Thu, 26 Mar 2026 13:19:23 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 8CBC21800361; Thu, 26 Mar 2026 13:19:19 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Alok Tiwari , Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v3 07/11] rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial Date: Thu, 26 Mar 2026 13:18:32 +0000 Message-ID: <20260326131838.634095-8-dhowells@redhat.com> In-Reply-To: <20260326131838.634095-1-dhowells@redhat.com> References: <20260326131838.634095-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Content-Type: text/plain; charset="utf-8" From: Alok Tiwari In rxrpc_post_response(), the code should be comparing the challenge serial number from the cached response before deciding to switch to a newer response, but looks at the newer packet private data instead, rendering the comparison always false. Fix this by switching to look at the older packet. Fix further[1] to substitute the new packet in place of the old one if newer and also to release whichever we don't use. Fixes: 5800b1cf3fd8 ("rxrpc: Allow CHALLENGEs to the passed to the app for = a RESPONSE") Signed-off-by: Alok Tiwari Signed-off-by: David Howells Reviewed-by: Jeffrey Altman cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org Link: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40re= dhat.com [1] --- include/trace/events/rxrpc.h | 1 + net/rxrpc/conn_event.c | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index 869f97c9bf73..5edad6a624ad 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -185,6 +185,7 @@ EM(rxrpc_skb_put_input, "PUT input ") \ EM(rxrpc_skb_put_jumbo_subpacket, "PUT jumbo-sub") \ EM(rxrpc_skb_put_oob, "PUT oob ") \ + EM(rxrpc_skb_put_old_response, "PUT old-resp ") \ EM(rxrpc_skb_put_purge, "PUT purge ") \ EM(rxrpc_skb_put_purge_oob, "PUT purge-oob") \ EM(rxrpc_skb_put_response, "PUT response ") \ diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c index 98ad9b51ca2c..c50cbfc5a313 100644 --- a/net/rxrpc/conn_event.c +++ b/net/rxrpc/conn_event.c @@ -557,11 +557,11 @@ void rxrpc_post_response(struct rxrpc_connection *con= n, struct sk_buff *skb) spin_lock_irq(&local->lock); old =3D conn->tx_response; if (old) { - struct rxrpc_skb_priv *osp =3D rxrpc_skb(skb); + struct rxrpc_skb_priv *osp =3D rxrpc_skb(old); =20 /* Always go with the response to the most recent challenge. */ if (after(sp->resp.challenge_serial, osp->resp.challenge_serial)) - conn->tx_response =3D old; + conn->tx_response =3D skb; else old =3D skb; } else { @@ -569,4 +569,5 @@ void rxrpc_post_response(struct rxrpc_connection *conn,= struct sk_buff *skb) } spin_unlock_irq(&local->lock); rxrpc_poke_conn(conn, rxrpc_conn_get_poke_response); + rxrpc_free_skb(old, rxrpc_skb_put_old_response); } From nobody Thu Apr 2 20:26:40 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5776D3FB7C9 for ; Thu, 26 Mar 2026 13:19:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531178; cv=none; b=FZwhCs/KuqNHoehwOGyxJHaMkpwoqfaX4kjz6RKhSmsTU9QdEYvOT5AEDMFpFpfpLfBGw6SgVBmg4dptPjH6LYCXLuJIv4Bz6MpLkWUJ1ctl9fM8K5wv1Wdw+9C4nUnFeUKobKq/FP7OGVl6xMsHDgIfYlutu33nB4iQ3GwYhkQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531178; c=relaxed/simple; bh=wiH6DsMqrg29tzFgP11flkS65RZZkVoC9406w0ZzAqc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=P1JfYd3fwHXrCufEG0RBUxQqn/bBIJ62hXUFPOW6NpLDe+qDIZvVdn4UgYqF68pVAKkM2a0eD//M8cb/dyLtnI2KrVocyhJRyW6JzXfG/uxC+350fNwHoimieCWIUblXO/nAYQ2nbJUb7b3vrVUNRsQd8tKD+xF66LiHYgbG0q0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=e1N6KN2f; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="e1N6KN2f" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774531176; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=loVxfrzyxYdQdW2xqgUXj+kDQbA4pbY0Yb3C1QbXM7A=; b=e1N6KN2fh3uACuuDswlMQzofGKYG5cHi++J8Y6Ig8iqY6Y0yTOfFpZMIK+DvYCr9KFPPAM Ba6jPNonX3QHFsKgbbnoyzq+o66QF/YhX8p8BfW0g9sDWzkRebNVtyMYJ6NWlr2LSM5CuP o6Pc3zi42lxORRqRNeyrLMVqUS0b4PA= Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-38-06wbql0-MUi0Ryz0epRE0g-1; Thu, 26 Mar 2026 09:19:32 -0400 X-MC-Unique: 06wbql0-MUi0Ryz0epRE0g-1 X-Mimecast-MFC-AGG-ID: 06wbql0-MUi0Ryz0epRE0g_1774531169 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 417C41955D84; Thu, 26 Mar 2026 13:19:29 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 14E373000223; Thu, 26 Mar 2026 13:19:24 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Alok Tiwari , Simon Horman , Jeffrey Altman , stable@kernel.org Subject: [PATCH net v3 08/11] rxrpc: Fix rack timer warning to report unexpected mode Date: Thu, 26 Mar 2026 13:18:33 +0000 Message-ID: <20260326131838.634095-9-dhowells@redhat.com> In-Reply-To: <20260326131838.634095-1-dhowells@redhat.com> References: <20260326131838.634095-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 Content-Type: text/plain; charset="utf-8" From: Alok Tiwari rxrpc_rack_timer_expired() clears call->rack_timer_mode to OFF before the switch. The default case warning therefore always prints OFF and doesn't identify the unexpected timer mode. Log the saved mode value instead so the warning reports the actual unexpected rack timer mode. Fixes: 7c482665931b ("rxrpc: Implement RACK/TLP to deal with transmission s= talls [RFC8985]") Signed-off-by: Alok Tiwari Signed-off-by: David Howells Reviewed-by: Simon Horman Reviewed-by: Jeffrey Altman cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/input_rack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rxrpc/input_rack.c b/net/rxrpc/input_rack.c index 13c371261e0a..9eb109ffba56 100644 --- a/net/rxrpc/input_rack.c +++ b/net/rxrpc/input_rack.c @@ -413,6 +413,6 @@ void rxrpc_rack_timer_expired(struct rxrpc_call *call, = ktime_t overran_by) break; //case RXRPC_CALL_RACKTIMER_ZEROWIN: default: - pr_warn("Unexpected rack timer %u", call->rack_timer_mode); + pr_warn("Unexpected rack timer %u", mode); } } From nobody Thu Apr 2 20:26:40 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7F75D3FEB23 for ; Thu, 26 Mar 2026 13:19:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531182; cv=none; b=jqdFYtKJkMzmRFABGOl61ptIAweh8JUumqw/8LeGh7zq3EurmN+G+gVToN8B1HU5r5kFSWkGWANTOkkpvS4MAmPKLL8Syuu5igZLpV2SiNmBlNWIB6FOZnGAPDLKvygjGxR3ZHXQhAZFBrLAyJu3sNY3OtGvHPXkU0yW0KUXs8U= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531182; c=relaxed/simple; bh=I3X9Xgh8JthJcC1AVR46HTecX3GW+jzHyhem1V0naug=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lmML1/q0rlegoeyZgRV+yJkLgr80hPXScOKGOmjzDVkd6HzkqEtq+XlnubfxyJPUCa4S6Pbjezp4b53tfacjGIfDG24c0fATHzniCD8Bxk+a8FTunw6HPa+ewyIIphWcm4F5wCB+2nw8Z1/fTo7VhFVm2keLTgxVLiExPEngycg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=IgqU1Sh1; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="IgqU1Sh1" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774531179; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=AN3SQlsqlhxFhvczjAvAzreHONU16FaElSEWYMuHbwQ=; b=IgqU1Sh14vyjUcqo9otnxJ5Blr1nL6V9BXvuIltjYx5vx7+cjf+q5HJUciekHCmt4Z4JpT P9kDWcv4/OzMpFogkZofzvZ+lByhpyNa5IydjwizDH9GczHU3awIWtYH4lh50/dTbYNqAm eg1R98S4hsAJppJkx+4X5aNXMK2HZsU= Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-673-wOhxXkSDNLewqnqlukXYvg-1; Thu, 26 Mar 2026 09:19:36 -0400 X-MC-Unique: wOhxXkSDNLewqnqlukXYvg-1 X-Mimecast-MFC-AGG-ID: wOhxXkSDNLewqnqlukXYvg_1774531174 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 961E71800245; Thu, 26 Mar 2026 13:19:34 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id D30301955D84; Thu, 26 Mar 2026 13:19:30 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Anderson Nascimento , Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v3 09/11] rxrpc: Fix keyring reference count leak in rxrpc_setsockopt() Date: Thu, 26 Mar 2026 13:18:34 +0000 Message-ID: <20260326131838.634095-10-dhowells@redhat.com> In-Reply-To: <20260326131838.634095-1-dhowells@redhat.com> References: <20260326131838.634095-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Content-Type: text/plain; charset="utf-8" From: Anderson Nascimento In rxrpc_setsockopt(), the code checks 'rx->key' when handling the RXRPC_SECURITY_KEYRING option. However, this appears to be a logic error. The code should be checking 'rx->securities' to determine if a keyring has already been defined for the socket. Currently, if a user calls setsockopt(RXRPC_SECURITY_KEYRING) multiple times on the same socket, the check 'if (rx->key)' fails to block subsequent calls because 'rx->key' has not been defined by the function. This results in a reference count leak on the keyring. This patch changes the check to 'rx->securities' to correctly identify if the socket security keyring has already been configured, returning -EINVAL on subsequent attempts. Before the patch: It shows the keyring reference counter elevated. $ cat /proc/keys | grep AFSkeys1 27aca8ae I--Q--- 24469721 perm 3f010000 1000 1000 keyring AFSkeys1: emp= ty $ After the patch: The keyring reference counter remains stable and subsequent calls return an error: $ ./poc setsockopt: Invalid argument $ Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by u= serspace and kernel both") Signed-off-by: Anderson Nascimento Signed-off-by: David Howells Reviewed-by: Jeffrey Altman cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/af_rxrpc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c index 0f90272ac254..0b7ed99a3025 100644 --- a/net/rxrpc/af_rxrpc.c +++ b/net/rxrpc/af_rxrpc.c @@ -665,7 +665,7 @@ static int rxrpc_setsockopt(struct socket *sock, int le= vel, int optname, =20 case RXRPC_SECURITY_KEYRING: ret =3D -EINVAL; - if (rx->key) + if (rx->securities) goto error; ret =3D -EISCONN; if (rx->sk.sk_state !=3D RXRPC_UNBOUND) From nobody Thu Apr 2 20:26:40 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B5023345741 for ; Thu, 26 Mar 2026 13:19:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531190; cv=none; b=XxAe6IhrC6vXXcCHL2pwE6PUJ/ii4qt59ijoX5hMIWbcEFA9RJAeHCumWNYnrxPL3wrLJ83C63cWVSBUnXG/iZHoJ9Us9LiN517CKQbGxCj0buW/kGgPC7RvhM1kuDw+9i1QVr/KaxnvqSdhlWwzOsenxuo46MJpYRET4uPv+S0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531190; c=relaxed/simple; bh=+qHAnkIsqP997RWJ6s4umVeu9sIbTOhEQRZ3NRgBWrs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=B40cNHepJKNBgfEzW6FnO0FqTNzXuODypKY7pB71DHfihU2zjdoAOa/0+LMm8DpoNywNS+ajInlaWnFHpx0t5Q5Vney+miRMHDkixpNAh2yBKwDoSM347RgGRC0hAQ12NPJVmwo/cemvn1BsR1v/E1XSWr+EqwRUQhkaqr4Qlx8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=LouZU8jK; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="LouZU8jK" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774531187; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=VeYaAx0dAJ4NEayyI0atPURUWeMa5ddyG3Tx/cyMm4w=; b=LouZU8jKO0jIMEpIUW0OWEewrqeboRtaUfKmbC3VDyRJtIWkouG9wAA0JhZpfUICkotN0j 2pPpXsb7NXKL0gVod1mI5h0RH79X0RaEzv6gK0l/8I7psjyFDP2v5B3zkB9Eht76OHxY/v 3gFQoSb7LHf0S9l4HYlSUdBSf3czBNE= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-148-mf5e_e9wNH2B5oLOLo3mAw-1; Thu, 26 Mar 2026 09:19:42 -0400 X-MC-Unique: mf5e_e9wNH2B5oLOLo3mAw-1 X-Mimecast-MFC-AGG-ID: mf5e_e9wNH2B5oLOLo3mAw_1774531180 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 9F23118002EE; Thu, 26 Mar 2026 13:19:40 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 5197E1955D84; Thu, 26 Mar 2026 13:19:36 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Anderson Nascimento , Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v3 10/11] rxrpc: Fix key reference count leak from call->key Date: Thu, 26 Mar 2026 13:18:35 +0000 Message-ID: <20260326131838.634095-11-dhowells@redhat.com> In-Reply-To: <20260326131838.634095-1-dhowells@redhat.com> References: <20260326131838.634095-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Content-Type: text/plain; charset="utf-8" From: Anderson Nascimento When creating a client call in rxrpc_alloc_client_call(), the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed. Fix this by freeing call->key in rxrpc_destroy_call(). Before the patch, it shows the key reference counter elevated: $ cat /proc/keys | grep afs@54321 1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka $ After the patch, the invalidated key is removed when the code exits: $ cat /proc/keys | grep afs@54321 $ Fixes: f3441d4125fc ("rxrpc: Copy client call parameters into rxrpc_call ea= rlier") Signed-off-by: Anderson Nascimento Co-developed-by: David Howells Signed-off-by: David Howells Reviewed-by: Jeffrey Altman cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/call_object.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c index 0e47751d5937..57c15aa1e9b5 100644 --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c @@ -694,6 +694,7 @@ static void rxrpc_destroy_call(struct work_struct *work) rxrpc_put_bundle(call->bundle, rxrpc_bundle_put_call); rxrpc_put_peer(call->peer, rxrpc_peer_put_call); rxrpc_put_local(call->local, rxrpc_local_put_call); + key_put(call->key); call_rcu(&call->rcu, rxrpc_rcu_free_call); } From nobody Thu Apr 2 20:26:40 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3BE533FFAD2 for ; Thu, 26 Mar 2026 13:19:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531195; cv=none; b=Df2cf5yNIp+m2aEfS9CuIuxiAirk4Ru8akDQ0gIQI/k/8iRLYlQp40bxjSR+zU0lqSVWY1o9b8LRbSbmlSfj9951KDEkcIwpjBqr+0B6GQp7uj/v3ITuoirASF8KWgRlVch68Y8GDfDzd4ttS6KwFS6QchRwnzoCR6ZblpimRiU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774531195; c=relaxed/simple; bh=NGFYlYD9+l3p0625SzoSzlIGuOu01+lpHHSIuU05Km0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=E058DfVHuBHqIoG69Av0W/wYlmvsjX96PMCoqeleh+qIb7A49nysydoO/tM+PqpsPJXLa14n+XMw+Y3u8p9JhREZVr5eJvwtwcmHMOWAW/wQ17id6zbfrCgArwCz8PHdRcfxG4LiJQZuMorOA6j9cdHVuDoqIKTrUeUp9X1aNUs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=VFSC3V8i; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="VFSC3V8i" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774531193; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ZvL9BKJRhD36TIM5mfy4GkSTMAVobO75FeaGB2Z1LCs=; b=VFSC3V8izTDhuGIPiYqf+3J5UvbeKt/x7F8eguwvWkhY5Ipcxlplw53fOkjqqnkmEAp8vw tRjjmxCjKuwfd20kYvYBBPn6/nXqIIJ1zMlb5zVk6A7URmSJODM657OiFUeqztDtdgKhw9 mDIm0BcVwT+6NY4PQumHtFmmKQI2QEY= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-141-cb7Z28YKOnW9HqTHyesvrQ-1; Thu, 26 Mar 2026 09:19:47 -0400 X-MC-Unique: cb7Z28YKOnW9HqTHyesvrQ-1 X-Mimecast-MFC-AGG-ID: cb7Z28YKOnW9HqTHyesvrQ_1774531186 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 3C33219560AB; Thu, 26 Mar 2026 13:19:46 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.33.121]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 653131800361; Thu, 26 Mar 2026 13:19:42 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Marc Dionne , Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v3 11/11] rxrpc: Fix to request an ack if window is limited Date: Thu, 26 Mar 2026 13:18:36 +0000 Message-ID: <20260326131838.634095-12-dhowells@redhat.com> In-Reply-To: <20260326131838.634095-1-dhowells@redhat.com> References: <20260326131838.634095-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Content-Type: text/plain; charset="utf-8" From: Marc Dionne Peers may only send immediate acks for every 2 UDP packets received. When sending a jumbogram, it is important to check that there is sufficient window space to send another same sized jumbogram following the current one, and request an ack if there isn't. Failure to do so may cause the call to stall waiting for an ack until the resend timer fires. Where jumbograms are in use this causes a very significant drop in performance. Fixes: fe24a5494390 ("rxrpc: Send jumbo DATA packets") Signed-off-by: Marc Dionne Signed-off-by: David Howells cc: Jeffrey Altman cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- include/trace/events/rxrpc.h | 1 + net/rxrpc/ar-internal.h | 2 +- net/rxrpc/output.c | 2 ++ net/rxrpc/proc.c | 5 +++-- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index 5edad6a624ad..792d0f944fc2 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -521,6 +521,7 @@ #define rxrpc_req_ack_traces \ EM(rxrpc_reqack_ack_lost, "ACK-LOST ") \ EM(rxrpc_reqack_app_stall, "APP-STALL ") \ + EM(rxrpc_reqack_jumbo_win, "JUMBO-WIN ") \ EM(rxrpc_reqack_more_rtt, "MORE-RTT ") \ EM(rxrpc_reqack_no_srv_last, "NO-SRVLAST") \ EM(rxrpc_reqack_old_rtt, "OLD-RTT ") \ diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h index 36d6ca0d1089..96ecb83c9071 100644 --- a/net/rxrpc/ar-internal.h +++ b/net/rxrpc/ar-internal.h @@ -117,7 +117,7 @@ struct rxrpc_net { atomic_t stat_tx_jumbo[10]; atomic_t stat_rx_jumbo[10]; =20 - atomic_t stat_why_req_ack[8]; + atomic_t stat_why_req_ack[9]; =20 atomic_t stat_io_loop; }; diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c index d70db367e358..870e59bf06af 100644 --- a/net/rxrpc/output.c +++ b/net/rxrpc/output.c @@ -479,6 +479,8 @@ static size_t rxrpc_prepare_data_subpacket(struct rxrpc= _call *call, why =3D rxrpc_reqack_old_rtt; else if (!last && !after(READ_ONCE(call->send_top), txb->seq)) why =3D rxrpc_reqack_app_stall; + else if (call->tx_winsize <=3D (2 * req->n) || call->cong_cwnd <=3D (2 * = req->n)) + why =3D rxrpc_reqack_jumbo_win; else goto dont_set_request_ack; =20 diff --git a/net/rxrpc/proc.c b/net/rxrpc/proc.c index 59292f7f9205..7755fca5beb8 100644 --- a/net/rxrpc/proc.c +++ b/net/rxrpc/proc.c @@ -518,11 +518,12 @@ int rxrpc_stats_show(struct seq_file *seq, void *v) atomic_read(&rxnet->stat_rx_acks[RXRPC_ACK_IDLE]), atomic_read(&rxnet->stat_rx_acks[0])); seq_printf(seq, - "Why-Req-A: acklost=3D%u mrtt=3D%u ortt=3D%u stall=3D%u\n", + "Why-Req-A: acklost=3D%u mrtt=3D%u ortt=3D%u stall=3D%u jwin=3D%u\n", atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_ack_lost]), atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_more_rtt]), atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_old_rtt]), - atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_app_stall])); + atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_app_stall]), + atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_jumbo_win])); seq_printf(seq, "Why-Req-A: nolast=3D%u retx=3D%u slows=3D%u smtxw=3D%u\n", atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_no_srv_last]),