From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v4 01/15] rxrpc: Fix key quota calculation for multitoken keys
Date: Wed, 1 Apr 2026 11:55:54 +0100
Message-ID: <20260401105614.1696001-2-dhowells@redhat.com>
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
References: <20260401105614.1696001-1-dhowells@redhat.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

In the rxrpc key preparsing, every token extracted sets the proposed quota value, but for multitoken keys, this will overwrite the previous proposed quota, losing it.

Fix this by adding to the proposed quota instead.

Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing")
Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
Signed-off-by: David Howells
cc: Marc Dionne
cc: Jeffrey Altman
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/key.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index 85078114b2dd..af403f0ccab5 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -72,7 +72,7 @@ static int rxrpc_preparse_xdr_rxkad(struct key_preparsed_= payload *prep, return -EKEYREJECTED; =20 plen =3D sizeof(*token) + sizeof(*token->kad) + tktlen; - prep->quotalen =3D datalen + plen; + prep->quotalen +=3D datalen + plen; =20 plen -=3D sizeof(*token); token =3D kzalloc_obj(*token); 
@@ -199,7 +199,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, } =20 plen =3D sizeof(*token) + sizeof(*token->rxgk) + tktlen + keylen; - prep->quotalen =3D datalen + plen; + prep->quotalen +=3D datalen + plen; =20 plen -=3D sizeof(*token); token =3D kzalloc_obj(*token); @@ -460,6 +460,7 @@ static int rxrpc_preparse(struct key_preparsed_payload = *prep) memcpy(&kver, prep->data, sizeof(kver)); prep->data +=3D sizeof(kver); prep->datalen -=3D sizeof(kver); + prep->quotalen =3D 0; =20 _debug("KEY I/F VERSION: %u", kver); =20 
@@ -497,7 +498,7 @@ static int rxrpc_preparse(struct key_preparsed_payload = *prep) goto error; =20 plen =3D sizeof(*token->kad) + v1->ticket_length; - prep->quotalen =3D plen + sizeof(*token); + prep->quotalen +=3D plen + sizeof(*token); =20 ret =3D -ENOMEM; token =3D kzalloc_obj(*token);
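Review bot: In rxrpc_preparse_xdr_rxkad() and rxrpc_preparse_xdr_yfs_rxgk(), each token now adds "datalen + plen", so if datalen is the length of the whole payload rather than of the one token, a key carrying N tokens is charged for that payload N times. If that is not intended, add datalen once in rxrpc_preparse() next to the new "prep->quotalen = 0;" and add only plen per token; if it is intended, say so in the changelog, since the v1 path in the last hunk adds only "plen + sizeof(*token)".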
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v4 02/15] rxrpc: Fix key parsing memleak
Date: Wed, 1 Apr 2026 11:55:55 +0100
Message-ID: <20260401105614.1696001-3-dhowells@redhat.com>
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
References: <20260401105614.1696001-1-dhowells@redhat.com>

In rxrpc_preparse_xdr_yfs_rxgk(), the memory attached to token->rxgk can be leaked in a few error paths after it's allocated.

Fix this by freeing it in the "reject_token:" case.

Fixes: 0ca100ff4df6 ("rxrpc: Add YFS RxGK (GSSAPI) security class")
Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
Signed-off-by: David Howells
cc: Marc Dionne
cc: Jeffrey Altman
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/key.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index af403f0ccab5..26d4336a4a02 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c 
@@ -274,6 +274,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, nomem: return -ENOMEM; reject_token: + kfree(token->rxgk); kfree(token); reject: return -EKEYREJECTED;
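Review bot: At reject_token, kfree(token->rxgk) releases the rxgk structure but nothing that hangs off it, so the fix is complete only while no "goto reject_token" is reached after a further allocation such as token->rxgk->ticket.data, which patch 05/15 shows being allocated later in the same function. Either state that invariant in a comment on the label or free the dependent buffer there as well, so that a later edit adding a rejection path does not bring the leak back.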
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v4 03/15] rxrpc: Fix anonymous key handling
Date: Wed, 1 Apr 2026 11:55:56 +0100
Message-ID: <20260401105614.1696001-4-dhowells@redhat.com>
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
References: <20260401105614.1696001-1-dhowells@redhat.com>

In rxrpc_new_client_call_for_sendmsg(), a key with no payload is meant to be substituted for a NULL key pointer, but the variable this is done with is subsequently not used. Fix this by using "key" rather than "rx->key" when filling in the connection parameters.

Note that this only affects direct use of AF_RXRPC; the kAFS filesystem doesn't use sendmsg() directly and so bypasses the issue. Further, AF_RXRPC passes a NULL key in if no key is set, so using an anonymous key in that manner works. Since this hasn't been noticed to this point, it might be better just to remove the "key" variable and the code that sets it - and, arguably, rxrpc_init_client_call_security() would be a better place to handle it.

Fixes: 19ffa01c9c45 ("rxrpc: Use structs to hold connection params and protocol info")
Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
Signed-off-by: David Howells
cc: Marc Dionne
cc: Jeffrey Altman
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/sendmsg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c index 04f9c5f2dc24..c35de4fd75e3 100644 --- a/net/rxrpc/sendmsg.c +++ b/net/rxrpc/sendmsg.c 
@@ -637,7 +637,7 @@ rxrpc_new_client_call_for_sendmsg(struct rxrpc_sock *rx= , struct msghdr *msg, memset(&cp, 0, sizeof(cp)); cp.local =3D rx->local; cp.peer =3D peer; - cp.key =3D rx->key; + cp.key =3D key; cp.security_level =3D rx->min_sec_level; cp.exclusive =3D rx->exclusive | p->exclusive; cp.upgrade =3D p->upgrade;
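Review bot: The "cp.key = key;" line now depends on a local whose assignment lies outside the hunk, while every neighbouring field is still taken from rx or p, so the reason for the difference is invisible at the point of use. A one-line comment there describing the substitution the changelog refers to would help, or, as the changelog itself suggests, move that handling into rxrpc_init_client_call_security() and drop the local.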
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman, Linus Torvalds, Simon Horman, stable@kernel.org
Subject: [PATCH net v4 04/15] rxrpc: Fix call removal to use RCU safe deletion
Date: Wed, 1 Apr 2026 11:55:57 +0100
Message-ID: <20260401105614.1696001-5-dhowells@redhat.com>
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
References: <20260401105614.1696001-1-dhowells@redhat.com>

Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu() rather than list_del_init() to prevent stuffing up reading /proc/net/rxrpc/calls from potentially getting into an infinite loop.

This, however, means that list_empty() no longer works on an entry that's been deleted from the list, making it harder to detect prior deletion. Fix this by:

Firstly, make rxrpc_destroy_all_calls() only dump the first ten calls that are unexpectedly still on the list. Limiting the number of steps means there's no need to call cond_resched() or to remove calls from the list here, thereby eliminating the need for rxrpc_put_call() to check for that.

rxrpc_put_call() can then be fixed to unconditionally delete the call from the list as it is the only place that the deletion occurs.

Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
Signed-off-by: David Howells
cc: Marc Dionne
cc: Jeffrey Altman
cc: Linus Torvalds
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 include/trace/events/rxrpc.h | 2 +-
 net/rxrpc/call_object.c | 24 +++++++++---------------
 2 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index 869f97c9bf73..a826cd80007b 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -347,7 +347,7 @@ EM(rxrpc_call_see_release, "SEE release ") \ EM(rxrpc_call_see_userid_exists, "SEE u-exists") \ EM(rxrpc_call_see_waiting_call, "SEE q-conn ") \ - E_(rxrpc_call_see_zap, "SEE zap ") + E_(rxrpc_call_see_still_live, "SEE !still-l") =20 #define rxrpc_txqueue_traces \ EM(rxrpc_txqueue_await_reply, "AWR") \ diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c index 918f41d97a2f..59329cfe1532 100644 --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c @@ -654,11 +654,9 @@ void rxrpc_put_call(struct rxrpc_call *call, enum rxrp= c_call_trace why) if (dead) { ASSERTCMP(__rxrpc_call_state(call), =3D=3D, RXRPC_CALL_COMPLETE); =20 - if (!list_empty(&call->link)) { - spin_lock(&rxnet->call_lock); - list_del_init(&call->link); - spin_unlock(&rxnet->call_lock); - } + spin_lock(&rxnet->call_lock); + list_del_rcu(&call->link); + spin_unlock(&rxnet->call_lock); =20 rxrpc_cleanup_call(call); } 
@@ -730,24 +728,20 @@ void rxrpc_destroy_all_calls(struct rxrpc_net *rxnet) _enter(""); =20 if (!list_empty(&rxnet->calls)) { - spin_lock(&rxnet->call_lock); + int shown =3D 0; =20 - while (!list_empty(&rxnet->calls)) { - call =3D list_entry(rxnet->calls.next, - struct rxrpc_call, link); - _debug("Zapping call %p", call); + spin_lock(&rxnet->call_lock); =20 - rxrpc_see_call(call, rxrpc_call_see_zap); - list_del_init(&call->link); + list_for_each_entry(call, &rxnet->calls, link) { + rxrpc_see_call(call, rxrpc_call_see_still_live); =20 pr_err("Call %p still in use (%d,%s,%lx,%lx)!\n", call, refcount_read(&call->ref), rxrpc_call_states[__rxrpc_call_state(call)], call->flags, call->events); =20 - spin_unlock(&rxnet->call_lock); - cond_resched(); - spin_lock(&rxnet->call_lock); + if (++shown >=3D 10) + break; } =20 spin_unlock(&rxnet->call_lock);
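Review bot: In rxrpc_put_call(), list_del_rcu(&call->link) is followed directly by rxrpc_cleanup_call(call), and list_del_rcu() only protects a concurrent /proc/net/rxrpc/calls reader if the call is not freed or reused until a grace period has passed. The changelog should say where that deferral happens, and since the patch is cc'd to stable it also wants a Fixes: tag like the other patches in the series.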
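Review bot: In rxrpc_destroy_all_calls(), the loop no longer unlinks the calls it reports, so any call found here stays on rxnet->calls, and the now-unconditional spin_lock(&rxnet->call_lock) and list_del_rcu() in rxrpc_put_call() will touch rxnet when that call is finally put. Say in a comment what keeps rxnet valid until then, and consider logging that the dump stopped at the limit (the bare 10 would read better as a named constant), otherwise the output suggests that exactly ten calls were left.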
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Oleh Konko, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v4 05/15] rxrpc: Fix RxGK token loading to check bounds
Date: Wed, 1 Apr 2026 11:55:58 +0100
Message-ID: <20260401105614.1696001-6-dhowells@redhat.com>
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
References: <20260401105614.1696001-1-dhowells@redhat.com>

From: Oleh Konko

rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length from the XDR token as u32 values and passes each through round_up(x, 4) before using the rounded value for validation and allocation. When the raw length is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and kzalloc both use 0 while the subsequent memcpy still copies the original ~4 GiB value, producing a heap buffer overflow reachable from an unprivileged add_key() call.

Fix this by:

 (1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX.

 (2) Sizing the flexible-array allocation from the validated raw key length via struct_size_t() instead of the rounded value.

 (3) Caching the raw lengths so that the later field assignments and memcpy calls do not re-read from the token, eliminating a class of TOCTOU re-parse.

The control path (valid token with lengths within bounds) is unaffected.

Fixes: 0ca100ff4df6 ("rxrpc: Add YFS RxGK (GSSAPI) security class")
Signed-off-by: Oleh Konko
Signed-off-by: David Howells
Reviewed-by: Jeffrey Altman
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/key.c | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index 26d4336a4a02..77237a82be3b 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include 
@@ -171,7 +172,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, size_t plen; const __be32 *ticket, *key; s64 tmp; - u32 tktlen, keylen; + size_t raw_keylen, raw_tktlen, keylen, tktlen; =20 _enter(",{%x,%x,%x,%x},%x", ntohl(xdr[0]), ntohl(xdr[1]), ntohl(xdr[2]), ntohl(xdr[3]), @@ -181,18 +182,22 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_pre= parsed_payload *prep, goto reject; =20 key =3D xdr + (6 * 2 + 1); - keylen =3D ntohl(key[-1]); - _debug("keylen: %x", keylen); - keylen =3D round_up(keylen, 4); + raw_keylen =3D ntohl(key[-1]); + _debug("keylen: %zx", raw_keylen); + if (raw_keylen > AFSTOKEN_GK_KEY_MAX) + goto reject; + keylen =3D round_up(raw_keylen, 4); if ((6 * 2 + 2) * 4 + keylen > toklen) goto reject; =20 ticket =3D xdr + (6 * 2 + 1 + (keylen / 4) + 1); - tktlen =3D ntohl(ticket[-1]); - _debug("tktlen: %x", tktlen); - tktlen =3D round_up(tktlen, 4); + raw_tktlen =3D ntohl(ticket[-1]); + _debug("tktlen: %zx", raw_tktlen); + if (raw_tktlen > AFSTOKEN_GK_TOKEN_MAX) + goto reject; + tktlen =3D round_up(raw_tktlen, 4); if ((6 * 2 + 2) * 4 + keylen + tktlen !=3D toklen) { - kleave(" =3D -EKEYREJECTED [%x!=3D%x, %x,%x]", + kleave(" =3D -EKEYREJECTED [%zx!=3D%x, %zx,%zx]", (6 * 2 + 2) * 4 + keylen + tktlen, toklen, keylen, tktlen); goto reject; @@ -206,7 +211,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, if (!token) goto nomem; =20 - token->rxgk =3D kzalloc(sizeof(*token->rxgk) + keylen, GFP_KERNEL); + token->rxgk =3D kzalloc(struct_size_t(struct rxgk_key, _key, raw_keylen),= GFP_KERNEL); if (!token->rxgk) goto nomem_token; =20 
@@ -221,9 +226,9 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, token->rxgk->enctype =3D tmp =3D xdr_dec64(xdr + 5 * 2); if (tmp < 0 || tmp > UINT_MAX) goto reject_token; - token->rxgk->key.len =3D ntohl(key[-1]); + token->rxgk->key.len =3D raw_keylen; token->rxgk->key.data =3D token->rxgk->_key; - token->rxgk->ticket.len =3D ntohl(ticket[-1]); + token->rxgk->ticket.len =3D raw_tktlen; =20 if (token->rxgk->endtime !=3D 0) { expiry =3D rxrpc_s64_to_time64(token->rxgk->endtime); 
@@ -236,8 +241,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, memcpy(token->rxgk->key.data, key, token->rxgk->key.len); =20 /* Pad the ticket so that we can use it directly in XDR */ - token->rxgk->ticket.data =3D kzalloc(round_up(token->rxgk->ticket.len, 4), - GFP_KERNEL); + token->rxgk->ticket.data =3D kzalloc(tktlen, GFP_KERNEL); if (!token->rxgk->ticket.data) goto nomem_yrxgk; memcpy(token->rxgk->ticket.data, ticket, token->rxgk->ticket.len);
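Review bot: in the @@ -181,18 +182,22 @@ hunk the two new caps (raw_keylen > AFSTOKEN_GK_KEY_MAX and raw_tktlen > AFSTOKEN_GK_TOKEN_MAX) jump to reject with no exit trace, while the size-mismatch path a few lines below reports through kleave(). The preceding _debug() prints the length but not that it was refused for being too large, so give each cap its own kleave() naming the limit. A one-line comment that the cap must be applied to the raw value before round_up() would also record why the ordering matters: rounding an unchecked length is where the value could wrap.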
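Review bot: the key buffer in the @@ -206,7 +211,7 @@ hunk is now sized from raw_keylen via struct_size_t(struct rxgk_key, _key, raw_keylen), while the ticket buffer in the @@ -236,8 +241,7 @@ hunk is sized from the rounded tktlen. The "Pad the ticket" comment explains the ticket side, but nothing states that the key is only ever read for key.len bytes. Add a short comment at the key allocation saying the key is stored unpadded, so a later change does not copy round_up(key.len, 4) bytes out of it.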
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Alok Tiwari, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v4 06/15] rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial
Date: Wed, 1 Apr 2026 11:55:59 +0100
Message-ID: <20260401105614.1696001-7-dhowells@redhat.com>
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
References: <20260401105614.1696001-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Alok Tiwari

In rxrpc_post_response(), the code should be comparing the challenge serial number from the cached response before deciding to switch to a newer response, but looks at the newer packet private data instead, rendering the comparison always false.

Fix this by switching to look at the older packet.

Fix further[1] to substitute the new packet in place of the old one if newer and also to release whichever we don't use.

Fixes: 5800b1cf3fd8 ("rxrpc: Allow CHALLENGEs to the passed to the app for a RESPONSE")
Signed-off-by: Alok Tiwari
Signed-off-by: David Howells
Reviewed-by: Jeffrey Altman
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
Link: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com [1]
--- include/trace/events/rxrpc.h | 1 + net/rxrpc/conn_event.c | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index a826cd80007b..f7f559204b87 100644
--- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -185,6 +185,7 @@ EM(rxrpc_skb_put_input, "PUT input ") \ EM(rxrpc_skb_put_jumbo_subpacket, "PUT jumbo-sub") \ EM(rxrpc_skb_put_oob, "PUT oob ") \ + EM(rxrpc_skb_put_old_response, "PUT old-resp ") \ EM(rxrpc_skb_put_purge, "PUT purge ") \ EM(rxrpc_skb_put_purge_oob, "PUT purge-oob") \ EM(rxrpc_skb_put_response, "PUT response ") \ diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c index 98ad9b51ca2c..c50cbfc5a313 100644 --- a/net/rxrpc/conn_event.c +++ b/net/rxrpc/conn_event.c @@ -557,11 +557,11 @@ void rxrpc_post_response(struct rxrpc_connection *con= n, struct sk_buff *skb) spin_lock_irq(&local->lock); old =3D conn->tx_response; if (old) { - struct rxrpc_skb_priv *osp =3D rxrpc_skb(skb); + struct rxrpc_skb_priv *osp =3D rxrpc_skb(old); =20 /* Always go with the response to the most recent challenge. */ if (after(sp->resp.challenge_serial, osp->resp.challenge_serial)) - conn->tx_response =3D old; + conn->tx_response =3D skb; else old =3D skb; } else { 
@@ -569,4 +569,5 @@ void rxrpc_post_response(struct rxrpc_connection *conn,= struct sk_buff *skb) } spin_unlock_irq(&local->lock); rxrpc_poke_conn(conn, rxrpc_conn_get_poke_response); + rxrpc_free_skb(old, rxrpc_skb_put_old_response); }
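Review bot: the rxrpc_free_skb(old, rxrpc_skb_put_old_response) added at the end of rxrpc_post_response() runs on every path, including the else branch taken when conn->tx_response was empty, where old is NULL. Please confirm rxrpc_free_skb() tolerates a NULL skb, or guard the call with if (old). Separately, when the queued response wins the comparison, old is reassigned to skb, so the packet released is the newer one and the "PUT old-resp" trace label will mislead whoever reads the trace; a label that says "discarded" rather than "old" would cover both outcomes.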
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Alok Tiwari, Simon Horman, Jeffrey Altman, stable@kernel.org
Subject: [PATCH net v4 07/15] rxrpc: Fix rack timer warning to report unexpected mode
Date: Wed, 1 Apr 2026 11:56:00 +0100
Message-ID: <20260401105614.1696001-8-dhowells@redhat.com>
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
References: <20260401105614.1696001-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Alok Tiwari

rxrpc_rack_timer_expired() clears call->rack_timer_mode to OFF before the switch. The default case warning therefore always prints OFF and doesn't identify the unexpected timer mode.

Log the saved mode value instead so the warning reports the actual unexpected rack timer mode.

Fixes: 7c482665931b ("rxrpc: Implement RACK/TLP to deal with transmission stalls [RFC8985]")
Signed-off-by: Alok Tiwari
Signed-off-by: David Howells
Reviewed-by: Simon Horman
Reviewed-by: Jeffrey Altman
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
--- net/rxrpc/input_rack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rxrpc/input_rack.c b/net/rxrpc/input_rack.c index 13c371261e0a..9eb109ffba56 100644 --- a/net/rxrpc/input_rack.c +++ b/net/rxrpc/input_rack.c
@@ -413,6 +413,6 @@ void rxrpc_rack_timer_expired(struct rxrpc_call *call, = ktime_t overran_by) break; //case RXRPC_CALL_RACKTIMER_ZEROWIN: default: - pr_warn("Unexpected rack timer %u", call->rack_timer_mode); + pr_warn("Unexpected rack timer %u", mode); } }
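Review bot: the pr_warn() format string in the default case still has no trailing "\n" ("Unexpected rack timer %u"), so the warning can run into whatever is logged next; since the line is being changed anyway, add the newline. The declaration of mode is outside the hunk, so also check that it has the unsigned type %u expects.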
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Anderson Nascimento, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v4 08/15] rxrpc: Fix keyring reference count leak in rxrpc_setsockopt()
Date: Wed, 1 Apr 2026 11:56:01 +0100
Message-ID: <20260401105614.1696001-9-dhowells@redhat.com>
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
References: <20260401105614.1696001-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Anderson Nascimento

In rxrpc_setsockopt(), the code checks 'rx->key' when handling the RXRPC_SECURITY_KEYRING option. However, this appears to be a logic error. The code should be checking 'rx->securities' to determine if a keyring has already been defined for the socket.

Currently, if a user calls setsockopt(RXRPC_SECURITY_KEYRING) multiple times on the same socket, the check 'if (rx->key)' fails to block subsequent calls because 'rx->key' has not been defined by the function. This results in a reference count leak on the keyring.

This patch changes the check to 'rx->securities' to correctly identify if the socket security keyring has already been configured, returning -EINVAL on subsequent attempts.

Before the patch:

It shows the keyring reference counter elevated.

$ cat /proc/keys | grep AFSkeys1
27aca8ae I--Q--- 24469721 perm 3f010000 1000 1000 keyring AFSkeys1: empty
$

After the patch:

The keyring reference counter remains stable and subsequent calls return an error:

$ ./poc
setsockopt: Invalid argument
$

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Signed-off-by: Anderson Nascimento
Signed-off-by: David Howells
Reviewed-by: Jeffrey Altman
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
--- net/rxrpc/af_rxrpc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c index 0f90272ac254..0b7ed99a3025 100644 --- a/net/rxrpc/af_rxrpc.c +++ b/net/rxrpc/af_rxrpc.c
@@ -665,7 +665,7 @@ static int rxrpc_setsockopt(struct socket *sock, int le= vel, int optname, =20 case RXRPC_SECURITY_KEYRING: ret =3D -EINVAL; - if (rx->key) + if (rx->securities) goto error; ret =3D -EISCONN; if (rx->sk.sk_state !=3D RXRPC_UNBOUND)
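Review bot: replacing if (rx->key) with if (rx->securities) in the RXRPC_SECURITY_KEYRING case stops the repeat-call leak, but it also removes the old refusal to set a keyring on a socket that already has rx->key. The commit message should state whether a socket is meant to hold both a key and a security keyring; if it is not, the test should be if (rx->key || rx->securities). The hunk does not show what serialises this check against the later assignment of rx->securities, so please also confirm that two concurrent setsockopt() calls cannot both pass it.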
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Anderson Nascimento, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v4 09/15] rxrpc: Fix key reference count leak from call->key
Date: Wed, 1 Apr 2026 11:56:02 +0100
Message-ID: <20260401105614.1696001-10-dhowells@redhat.com>
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
References: <20260401105614.1696001-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Anderson Nascimento

When creating a client call in rxrpc_alloc_client_call(), the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed.

Fix this by freeing call->key in rxrpc_destroy_call().

Before the patch, it shows the key reference counter elevated:

$ cat /proc/keys | grep afs@54321
1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka
$

After the patch, the invalidated key is removed when the code exits:

$ cat /proc/keys | grep afs@54321
$

Fixes: f3441d4125fc ("rxrpc: Copy client call parameters into rxrpc_call earlier")
Signed-off-by: Anderson Nascimento
Co-developed-by: David Howells
Signed-off-by: David Howells
Reviewed-by: Jeffrey Altman
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
--- net/rxrpc/call_object.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c index 59329cfe1532..f035f486c139 100644 --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c
@@ -692,6 +692,7 @@ static void rxrpc_destroy_call(struct work_struct *work) rxrpc_put_bundle(call->bundle, rxrpc_bundle_put_call); rxrpc_put_peer(call->peer, rxrpc_peer_put_call); rxrpc_put_local(call->local, rxrpc_local_put_call); + key_put(call->key); call_rcu(&call->rcu, rxrpc_rcu_free_call); }
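Review bot: key_put(call->key) is added only in rxrpc_destroy_call(), while the commit message places the matching get in rxrpc_alloc_client_call(); please confirm that every failure path after that allocation also reaches rxrpc_destroy_call(), otherwise a call that fails during setup still leaks the key. key_put() accepts NULL, so calls without a key are fine at this point. A short comment naming the get this put pairs with would match the labelled puts on the three lines above it.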
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Marc Dionne, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v4 10/15] rxrpc: Fix to request an ack if window is limited
Date: Wed, 1 Apr 2026 11:56:03 +0100
Message-ID: <20260401105614.1696001-11-dhowells@redhat.com>
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
References: <20260401105614.1696001-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Marc Dionne

Peers may only send immediate acks for every 2 UDP packets received. When sending a jumbogram, it is important to check that there is sufficient window space to send another same sized jumbogram following the current one, and request an ack if there isn't. Failure to do so may cause the call to stall waiting for an ack until the resend timer fires.

Where jumbograms are in use this causes a very significant drop in performance.

Fixes: fe24a5494390 ("rxrpc: Send jumbo DATA packets")
Signed-off-by: Marc Dionne
Signed-off-by: David Howells
cc: Jeffrey Altman
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
--- include/trace/events/rxrpc.h | 1 + net/rxrpc/ar-internal.h | 2 +- net/rxrpc/output.c | 2 ++ net/rxrpc/proc.c | 5 +++-- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index f7f559204b87..578b8038b211 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h
@@ -521,6 +521,7 @@ #define rxrpc_req_ack_traces \ EM(rxrpc_reqack_ack_lost, "ACK-LOST ") \ EM(rxrpc_reqack_app_stall, "APP-STALL ") \ + EM(rxrpc_reqack_jumbo_win, "JUMBO-WIN ") \ EM(rxrpc_reqack_more_rtt, "MORE-RTT ") \ EM(rxrpc_reqack_no_srv_last, "NO-SRVLAST") \ EM(rxrpc_reqack_old_rtt, "OLD-RTT ") \ diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h index 36d6ca0d1089..96ecb83c9071 100644 --- a/net/rxrpc/ar-internal.h +++ b/net/rxrpc/ar-internal.h @@ -117,7 +117,7 @@ struct rxrpc_net { atomic_t stat_tx_jumbo[10]; atomic_t stat_rx_jumbo[10]; =20 - atomic_t stat_why_req_ack[8]; + atomic_t stat_why_req_ack[9]; =20 atomic_t stat_io_loop; }; diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c index d70db367e358..870e59bf06af 100644 --- a/net/rxrpc/output.c +++ b/net/rxrpc/output.c @@ -479,6 +479,8 @@ static size_t rxrpc_prepare_data_subpacket(struct rxrpc= _call *call, why =3D rxrpc_reqack_old_rtt; else if (!last && !after(READ_ONCE(call->send_top), txb->seq)) why =3D rxrpc_reqack_app_stall; + else if (call->tx_winsize <=3D (2 * req->n) || call->cong_cwnd <=3D (2 * = req->n)) + why =3D rxrpc_reqack_jumbo_win; else goto dont_set_request_ack; =20 diff --git a/net/rxrpc/proc.c b/net/rxrpc/proc.c index 59292f7f9205..7755fca5beb8 100644 --- a/net/rxrpc/proc.c +++ b/net/rxrpc/proc.c 
@@ -518,11 +518,12 @@ int rxrpc_stats_show(struct seq_file *seq, void *v) atomic_read(&rxnet->stat_rx_acks[RXRPC_ACK_IDLE]), atomic_read(&rxnet->stat_rx_acks[0])); seq_printf(seq, - "Why-Req-A: acklost=3D%u mrtt=3D%u ortt=3D%u stall=3D%u\n", + "Why-Req-A: acklost=3D%u mrtt=3D%u ortt=3D%u stall=3D%u jwin=3D%u\n", atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_ack_lost]), atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_more_rtt]), atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_old_rtt]), - atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_app_stall])); + atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_app_stall]), + atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_jumbo_win])); seq_printf(seq, "Why-Req-A: nolast=3D%u retx=3D%u slows=3D%u smtxw=3D%u\n", atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_no_srv_last]),
(unknown [10.44.35.245]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 8923119560AB; Wed, 1 Apr 2026 10:57:26 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Douya Le , Yifan Wu , Juefei Pu , Yuan Tan , Xin Liu , Ao Zhou , Simon Horman , stable@kernel.org Subject: [PATCH net v4 11/15] rxrpc: Only put the call ref if one was acquired Date: Wed, 1 Apr 2026 11:56:04 +0100 Message-ID: <20260401105614.1696001-12-dhowells@redhat.com> In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com> References: <20260401105614.1696001-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Content-Type: text/plain; charset="utf-8" From: Douya Le rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop. The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel crash instead of rejecting the packet. Only drop the call reference if one was actually acquired. Keep the existing protocol error handling unchanged. Fixes: 5e6ef4f1017c ("rxrpc: Make the I/O thread take over the call and loc= al processor work") Reported-by: Yifan Wu Reported-by: Juefei Pu Signed-off-by: Douya Le Co-developed-by: Yuan Tan Signed-off-by: Yuan Tan Suggested-by: Xin Liu Signed-off-by: Ao Zhou 
Signed-off-by: David Howells cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/io_thread.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/rxrpc/io_thread.c b/net/rxrpc/io_thread.c index e939ecf417c4..697956931925 100644 --- a/net/rxrpc/io_thread.c +++ b/net/rxrpc/io_thread.c 
@@ -419,7 +419,8 @@ static int rxrpc_input_packet_on_conn(struct rxrpc_conn= ection *conn, =20 if (sp->hdr.callNumber > chan->call_id) { if (rxrpc_to_client(sp)) { - rxrpc_put_call(call, rxrpc_call_put_input); + if (call) + rxrpc_put_call(call, rxrpc_call_put_input); return rxrpc_protocol_error(skb, rxrpc_eproto_unexpected_implicit_end); }
From nobody Wed Apr 1 20:37:32 2026
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller",
 Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org,
 linux-kernel@vger.kernel.org, Yuqi Xu, Yifan Wu, Juefei Pu, Yuan Tan,
 Xin Liu, Ren Wei, Ren Wei, Simon Horman, stable@kernel.org
Subject: [PATCH net v4 12/15] rxrpc: reject undecryptable rxkad response tickets
Date: Wed, 1 Apr 2026 11:56:05 +0100
Message-ID: <20260401105614.1696001-13-dhowells@redhat.com>
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
References: <20260401105614.1696001-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Yuqi Xu

rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded.

A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes.

Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Reported-by: Yifan Wu
Reported-by: Juefei Pu
Co-developed-by: Yuan Tan
Signed-off-by: Yuan Tan
Suggested-by: Xin Liu
Tested-by: Ren Wei
Signed-off-by: Yuqi Xu
Signed-off-by: Ren Wei
Signed-off-by: David Howells
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
--- net/rxrpc/rxkad.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c index e923d6829008..0f79d694cb08 100644
--- a/net/rxrpc/rxkad.c +++ b/net/rxrpc/rxkad.c @@ -958,6 +958,7 @@ static int rxkad_decrypt_ticket(struct rxrpc_connection= *conn, struct in_addr addr; unsigned int life; time64_t issue, now; + int ret; bool little_endian; u8 *p, *q, *name, *end; =20 
@@ -977,8 +978,11 @@ static int rxkad_decrypt_ticket(struct rxrpc_connectio= n *conn, sg_init_one(&sg[0], ticket, ticket_len); skcipher_request_set_callback(req, 0, NULL, NULL); skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); - crypto_skcipher_decrypt(req); + ret =3D crypto_skcipher_decrypt(req); skcipher_request_free(req); + if (ret < 0) + return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO, + rxkad_abort_resp_tkt_short); =20 p =3D ticket; end =3D p + ticket_len;
From nobody Wed Apr 1 20:37:32 2026
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller",
 Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org,
 linux-kernel@vger.kernel.org, Keenan Dong, Simon Horman, Willy Tarreau,
 stable@kernel.org
Subject: [PATCH net v4 13/15] rxrpc: fix RESPONSE authenticator parser OOB read
Date: Wed, 1 Apr 2026 11:56:06 +0100
Message-ID: <20260401105614.1696001-14-dhowells@redhat.com>
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
References: <20260401105614.1696001-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Keenan Dong

rxgk_verify_authenticator() copies auth_len bytes into a temporary buffer and then passes p + auth_len as the parser limit to rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the parser end pointer by a factor of four and lets malformed RESPONSE authenticators read past the kmalloc() buffer.

Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:

BUG: KASAN: slab-out-of-bounds in rxgk_verify_response()
Call Trace:
 dump_stack_lvl() [lib/dump_stack.c:123]
 print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482]
 kasan_report() [mm/kasan/report.c:597]
 rxgk_verify_response() [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167 net/rxrpc/rxgk.c:1274]
 rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
 process_one_work() [kernel/workqueue.c:3281]
 worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
 kthread() [kernel/kthread.c:436]
 ret_from_fork() [arch/x86/kernel/process.c:164]

Allocated by task 54:
 rxgk_verify_response() [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155 net/rxrpc/rxgk.c:1274]
 rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]

Convert the byte count to __be32 units before constructing the parser limit.

Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)")
Signed-off-by: Keenan Dong
Signed-off-by: David Howells
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: Willy Tarreau
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
--- net/rxrpc/rxgk.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c index f9f5a2dc62ed..01dbdf0b5cf2 100644 --- a/net/rxrpc/rxgk.c +++ b/net/rxrpc/rxgk.c
@@ -1164,7 +1164,8 @@ static int rxgk_verify_authenticator(struct rxrpc_con= nection *conn, } =20 p =3D auth; - ret =3D rxgk_do_verify_authenticator(conn, krb5, skb, p, p + auth_len); + ret =3D rxgk_do_verify_authenticator(conn, krb5, skb, p, + p + auth_len / sizeof(*p)); error: kfree(auth); return ret;
From nobody Wed Apr 1 20:37:32 2026
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller",
 Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org,
 linux-kernel@vger.kernel.org, Keenan Dong, Simon Horman, Willy Tarreau,
 stable@kernel.org
Subject: [PATCH net v4 14/15] rxrpc: fix oversized RESPONSE authenticator length check
Date: Wed, 1 Apr 2026 11:56:07 +0100
Message-ID: <20260401105614.1696001-15-dhowells@redhat.com>
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
References: <20260401105614.1696001-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Keenan Dong

rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len).

Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:

RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)]
Call Trace:
 skb_to_sgvec() [net/core/skbuff.c:5305]
 rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81]
 rxgk_verify_response() [net/rxrpc/rxgk.c:1268]
 rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
 process_one_work() [kernel/workqueue.c:3281]
 worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
 kthread() [kernel/kthread.c:436]
 ret_from_fork() [arch/x86/kernel/process.c:164]

Reject authenticator lengths that exceed the remaining packet payload.

Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)")
Signed-off-by: Keenan Dong
Signed-off-by: David Howells
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: Willy Tarreau
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
--- net/rxrpc/rxgk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c index 01dbdf0b5cf2..9e4a4ff28913 100644 --- a/net/rxrpc/rxgk.c +++ b/net/rxrpc/rxgk.c
@@ -1224,7 +1224,7 @@ static int rxgk_verify_response(struct rxrpc_connecti= on *conn, =20 auth_offset =3D offset; auth_len =3D ntohl(xauth_len); - if (auth_len < len) + if (auth_len > len) goto short_packet; if (auth_len & 3) goto inconsistent;
From nobody Wed Apr 1 20:37:32 2026
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller",
 Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org,
 linux-kernel@vger.kernel.org, Luxiao Xu, Yifan Wu, Juefei Pu, Yuan Tan,
 Xin Liu, Ren Wei, Ren Wei, Simon Horman, stable@kernel.org
Subject: [PATCH net v4 15/15] rxrpc: fix reference count leak in rxrpc_server_keyring()
Date: Wed, 1 Apr 2026 11:56:08 +0100
Message-ID: <20260401105614.1696001-16-dhowells@redhat.com>
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
References: <20260401105614.1696001-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Luxiao Xu

This patch fixes a reference count leak in rxrpc_server_keyring() by checking if rx->securities is already set.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Reported-by: Yifan Wu
Reported-by: Juefei Pu
Co-developed-by: Yuan Tan
Signed-off-by: Yuan Tan
Suggested-by: Xin Liu
Tested-by: Ren Wei
Signed-off-by: Luxiao Xu
Signed-off-by: Ren Wei
Signed-off-by: David Howells
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
--- net/rxrpc/server_key.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rxrpc/server_key.c b/net/rxrpc/server_key.c index 36b05fd842a7..d4777851079f 100644 --- a/net/rxrpc/server_key.c +++ b/net/rxrpc/server_key.c @@ -125,6 +125,9 @@ int rxrpc_server_keyring(struct rxrpc_sock *rx, sockptr= _t optval, int optlen) =20 _enter(""); =20 + if (rx->securities) + return -EEXIST; + if (optlen <=3D 0 || optlen > PAGE_SIZE - 1) return -EINVAL;
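
Review bot: In the net/rxrpc/ar-internal.h hunk of the patch that adds rxrpc_reqack_jumbo_win, stat_why_req_ack[] goes from a literal 8 to a literal 9, so the array bound still has to be kept in step with rxrpc_req_ack_traces by hand. Each slot is indexed by an rxrpc_reqack_* value (see the atomic_read() calls in the rxrpc_stats_show() hunk), so a reason added later without this bump would index past the end of the array inside struct rxrpc_net. Consider sizing the array from a sentinel at the end of the enum, or adding a BUILD_BUG_ON() beside the definition, so the next addition cannot miss it.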
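
Review bot: In the rxrpc_prepare_data_subpacket() hunk of the same patch, the new branch compares call->tx_winsize and call->cong_cwnd against 2 * req->n with no comment saying why twice the jumbo size is the threshold. The branch just above it reads call->send_top through READ_ONCE(), while the two new fields are read plainly; please either note that both are only written from this context or read them the same way.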
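
Review bot: In the rxrpc_input_packet_on_conn() hunk of 11/15, the new "if (call)" guard covers only the rxrpc_to_client() branch and nothing in the code says why call can be NULL at this point. A one-line comment (chan->call already cleared, so rxrpc_try_get_call() returned NULL) would stop a later cleanup from dropping the guard. The path that follows this branch is outside the hunk; it is worth confirming in review that it does not dereference call in the same state.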
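
Review bot: In the second rxkad_decrypt_ticket() hunk of 12/15, the decrypt failure is aborted with the rxkad_abort_resp_tkt_short trace reason, which by its name describes a short ticket rather than a failed crypto_skcipher_decrypt(). Anyone reading the trace output after this fix will not be able to tell a truncated ticket from one that failed to decrypt. Suggest a dedicated abort reason for this case, or at least a comment at the return explaining the reuse.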
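
Review bot: In the rxgk_verify_authenticator() hunk of 13/15, "auth_len / sizeof(*p)" silently rounds down when auth_len is not a multiple of four, and nothing in the visible lines of this function states that it is. The "auth_len & 3" test shown in the rxgk_verify_response() hunk of 14/15 looks like what guarantees it; a comment here saying so would keep the two from drifting apart. Alternatively, compute the limit in bytes from the start of the buffer and convert once, so the unit of auth_len is obvious at the call site.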
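
Review bot: In the rxgk_verify_response() hunk of 14/15, auth_len is taken straight from ntohl(xauth_len) and the corrected "auth_len > len" test is only a sound bound if both operands are unsigned; the declarations are outside the hunk. Please confirm the types, and consider a short comment that len is the number of bytes remaining after offset, since the inverted comparison went unnoticed precisely because the intent was not written down.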
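
Review bot: In the rxrpc_server_keyring() hunk of 15/15, the new rx->securities test runs ahead of the optlen validation with no lock taken in the visible lines, so two concurrent callers could both see NULL unless the caller already holds the socket lock; please confirm that or say so in a comment. The commit message also does not say which reference is leaked when the keyring is set a second time, which would help anyone backporting this to stable.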