From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v5 01/21] rxrpc: Fix key quota calculation for multitoken keys
Date: Wed, 8 Apr 2026 13:12:29 +0100
Message-ID: <20260408121252.2249051-2-dhowells@redhat.com>
In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com>

In the rxrpc key preparsing, every token extracted sets the proposed quota value, but for multitoken keys, this will overwrite the previous proposed quota, losing it.

Fix this by adding to the proposed quota instead.

Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing")
Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
Signed-off-by: David Howells
cc: Marc Dionne
cc: Jeffrey Altman
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
--- net/rxrpc/key.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index 85078114b2dd..af403f0ccab5 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -72,7 +72,7 @@ static int rxrpc_preparse_xdr_rxkad(struct key_preparsed_= payload *prep, return -EKEYREJECTED; =20 plen =3D sizeof(*token) + sizeof(*token->kad) + tktlen; - prep->quotalen =3D datalen + plen; + prep->quotalen +=3D datalen + plen; =20 plen -=3D sizeof(*token); token =3D kzalloc_obj(*token); 
@@ -199,7 +199,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, } =20 plen =3D sizeof(*token) + sizeof(*token->rxgk) + tktlen + keylen; - prep->quotalen =3D datalen + plen; + prep->quotalen +=3D datalen + plen; =20 plen -=3D sizeof(*token); token =3D kzalloc_obj(*token); @@ -460,6 +460,7 @@ static int rxrpc_preparse(struct key_preparsed_payload = *prep) memcpy(&kver, prep->data, sizeof(kver)); prep->data +=3D sizeof(kver); prep->datalen -=3D sizeof(kver); + prep->quotalen =3D 0; =20 _debug("KEY I/F VERSION: %u", kver); =20 
@@ -497,7 +498,7 @@ static int rxrpc_preparse(struct key_preparsed_payload = *prep) goto error; =20 plen =3D sizeof(*token->kad) + v1->ticket_length; - prep->quotalen =3D plen + sizeof(*token); + prep->quotalen +=3D plen + sizeof(*token); =20 ret =3D -ENOMEM; token =3D kzalloc_obj(*token);
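Review bot: In the rxrpc_preparse_xdr_rxkad() hunk of patch 01/21 (@@ -72), "prep->quotalen += datalen + plen;" now adds datalen once for every token parsed; if datalen is the length of the whole key payload rather than of this one token, a multitoken key is charged for the payload several times over. Consider adding datalen once in the caller and only plen per token; the same question applies to the rxrpc_preparse_xdr_yfs_rxgk() hunk (@@ -199).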
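Review bot: In the rxrpc_preparse() hunk of patch 01/21 (@@ -460), "prep->quotalen = 0;" sits after the key interface version has been pulled off the payload, and neither XDR parser hunk shows a matching reset, so this diff does not show that the accumulated value starts from zero on the XDR path. Either move the reset to the top of rxrpc_preparse() or add a comment saying where the XDR path gets its initial value.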
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v5 02/21] rxrpc: Fix key parsing memleak
Date: Wed, 8 Apr 2026 13:12:30 +0100
Message-ID: <20260408121252.2249051-3-dhowells@redhat.com>
In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com>

In rxrpc_preparse_xdr_yfs_rxgk(), the memory attached to token->rxgk can be leaked in a few error paths after it's allocated.

Fix this by freeing it in the "reject_token:" case.

Fixes: 0ca100ff4df6 ("rxrpc: Add YFS RxGK (GSSAPI) security class")
Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
Signed-off-by: David Howells
cc: Marc Dionne
cc: Jeffrey Altman
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
--- net/rxrpc/key.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index af403f0ccab5..26d4336a4a02 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c 
@@ -274,6 +274,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, nomem: return -ENOMEM; reject_token: + kfree(token->rxgk); kfree(token); reject: return -EKEYREJECTED;
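Review bot: In the @@ -274 hunk of patch 02/21, the new "kfree(token->rxgk);" under reject_token: releases the rxgk structure but nothing hanging off it, so if any "goto reject_token" can be taken after token->rxgk->ticket.data has been allocated, that buffer still leaks. Confirm every reject_token jump precedes that allocation, and since this structure is where the key bytes are stored, consider kfree_sensitive() rather than kfree() here.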
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v5 03/21] rxrpc: Fix anonymous key handling
Date: Wed, 8 Apr 2026 13:12:31 +0100
Message-ID: <20260408121252.2249051-4-dhowells@redhat.com>
In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com>

In rxrpc_new_client_call_for_sendmsg(), a key with no payload is meant to be substituted for a NULL key pointer, but the variable this is done with is subsequently not used.

Fix this by using "key" rather than "rx->key" when filling in the connection parameters.

Note that this only affects direct use of AF_RXRPC; the kAFS filesystem doesn't use sendmsg() directly and so bypasses the issue. Further, AF_RXRPC passes a NULL key in if no key is set, so using an anonymous key in that manner works. Since this hasn't been noticed to this point, it might be better just to remove the "key" variable and the code that sets it - and, arguably, rxrpc_init_client_call_security() would be a better place to handle it.

Fixes: 19ffa01c9c45 ("rxrpc: Use structs to hold connection params and protocol info")
Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
Signed-off-by: David Howells
cc: Marc Dionne
cc: Jeffrey Altman
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
--- net/rxrpc/sendmsg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c index 04f9c5f2dc24..c35de4fd75e3 100644 --- a/net/rxrpc/sendmsg.c +++ b/net/rxrpc/sendmsg.c 
@@ -637,7 +637,7 @@ rxrpc_new_client_call_for_sendmsg(struct rxrpc_sock *rx= , struct msghdr *msg, memset(&cp, 0, sizeof(cp)); cp.local =3D rx->local; cp.peer =3D peer; - cp.key =3D rx->key; + cp.key =3D key; cp.security_level =3D rx->min_sec_level; cp.exclusive =3D rx->exclusive | p->exclusive; cp.upgrade =3D p->upgrade;
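Review bot: In the @@ -637 hunk of patch 03/21, "cp.key = key;" depends on a local whose declaration and assignment lie outside the context shown, while every neighbouring field is still filled from rx->, so the line now looks like an inconsistency to the next reader. A one-line comment above it saying that key is rx->key with a payload-less key replaced by NULL would keep a later cleanup from reverting it; the commit message also floats removing the variable altogether, and the patch should say which of the two is the intended end state.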
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman, Linus Torvalds, Simon Horman, stable@kernel.org
Subject: [PATCH net v5 04/21] rxrpc: Fix call removal to use RCU safe deletion
Date: Wed, 8 Apr 2026 13:12:32 +0100
Message-ID: <20260408121252.2249051-5-dhowells@redhat.com>
In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com>

Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu() rather than list_del_init() to prevent stuffing up reading /proc/net/rxrpc/calls from potentially getting into an infinite loop.

This, however, means that list_empty() no longer works on an entry that's been deleted from the list, making it harder to detect prior deletion. Fix this by:

Firstly, make rxrpc_destroy_all_calls() only dump the first ten calls that are unexpectedly still on the list. Limiting the number of steps means there's no need to call cond_resched() or to remove calls from the list here, thereby eliminating the need for rxrpc_put_call() to check for that.

rxrpc_put_call() can then be fixed to unconditionally delete the call from the list as it is the only place that the deletion occurs.

Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Linus Torvalds cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- include/trace/events/rxrpc.h | 2 +- net/rxrpc/call_object.c | 24 +++++++++--------------- 2 files changed, 10 insertions(+), 16 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index 869f97c9bf73..a826cd80007b 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -347,7 +347,7 @@ EM(rxrpc_call_see_release, "SEE release ") \ EM(rxrpc_call_see_userid_exists, "SEE u-exists") \ EM(rxrpc_call_see_waiting_call, "SEE q-conn ") \ - E_(rxrpc_call_see_zap, "SEE zap ") + E_(rxrpc_call_see_still_live, "SEE !still-l") =20 #define rxrpc_txqueue_traces \ EM(rxrpc_txqueue_await_reply, "AWR") \ diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c index 918f41d97a2f..59329cfe1532 100644 --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c @@ -654,11 +654,9 @@ void rxrpc_put_call(struct rxrpc_call *call, enum rxrp= c_call_trace why) if (dead) { ASSERTCMP(__rxrpc_call_state(call), =3D=3D, RXRPC_CALL_COMPLETE); =20 - if (!list_empty(&call->link)) { - spin_lock(&rxnet->call_lock); - list_del_init(&call->link); - spin_unlock(&rxnet->call_lock); - } + spin_lock(&rxnet->call_lock); + list_del_rcu(&call->link); + spin_unlock(&rxnet->call_lock); =20 rxrpc_cleanup_call(call); } 
@@ -730,24 +728,20 @@ void rxrpc_destroy_all_calls(struct rxrpc_net *rxnet) _enter(""); =20 if (!list_empty(&rxnet->calls)) { - spin_lock(&rxnet->call_lock); + int shown =3D 0; =20 - while (!list_empty(&rxnet->calls)) { - call =3D list_entry(rxnet->calls.next, - struct rxrpc_call, link); - _debug("Zapping call %p", call); + spin_lock(&rxnet->call_lock); =20 - rxrpc_see_call(call, rxrpc_call_see_zap); - list_del_init(&call->link); + list_for_each_entry(call, &rxnet->calls, link) { + rxrpc_see_call(call, rxrpc_call_see_still_live); =20 pr_err("Call %p still in use (%d,%s,%lx,%lx)!\n", call, refcount_read(&call->ref), rxrpc_call_states[__rxrpc_call_state(call)], call->flags, call->events); =20 - spin_unlock(&rxnet->call_lock); - cond_resched(); - spin_lock(&rxnet->call_lock); + if (++shown >=3D 10) + break; } =20 spin_unlock(&rxnet->call_lock);
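Review bot: In the rxrpc_put_call() hunk of patch 04/21 (@@ -654), dropping the "!list_empty(&call->link)" guard means "list_del_rcu(&call->link);" now runs for every dead call, including any that reached the final put without having been added to rxnet->calls; confirm the link is always either on the list or initialised by then. list_del_rcu() also only protects readers if the call is not freed until a grace period has elapsed, and "rxrpc_cleanup_call(call);" follows immediately, so a comment saying where that deferral happens would make the hunk reviewable on its own.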
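Review bot: In the rxrpc_destroy_all_calls() hunk of patch 04/21 (@@ -730), the loop stops at "if (++shown >= 10)" without reporting that the listing was cut short, and the remaining calls now stay linked on rxnet->calls when the function carries on. Print a closing line when the limit is hit, give the 10 a named constant, and add a comment stating that leaving the entries on the list is deliberate.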
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Oleh Konko, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v5 05/21] rxrpc: Fix RxGK token loading to check bounds
Date: Wed, 8 Apr 2026 13:12:33 +0100
Message-ID: <20260408121252.2249051-6-dhowells@redhat.com>
In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com>

From: Oleh Konko

rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length from the XDR token as u32 values and passes each through round_up(x, 4) before using the rounded value for validation and allocation. When the raw length is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and kzalloc both use 0 while the subsequent memcpy still copies the original ~4 GiB value, producing a heap buffer overflow reachable from an unprivileged add_key() call.

Fix this by:

 (1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX.

 (2) Sizing the flexible-array allocation from the validated raw key length via struct_size_t() instead of the rounded value.

 (3) Caching the raw lengths so that the later field assignments and memcpy calls do not re-read from the token, eliminating a class of TOCTOU re-parse.

The control path (valid token with lengths within bounds) is unaffected.

Fixes: 0ca100ff4df6 ("rxrpc: Add YFS RxGK (GSSAPI) security class")
Signed-off-by: Oleh Konko
Signed-off-by: David Howells
Reviewed-by: Jeffrey Altman
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
--- net/rxrpc/key.c | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index 26d4336a4a02..77237a82be3b 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include 
@@ -171,7 +172,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, size_t plen; const __be32 *ticket, *key; s64 tmp; - u32 tktlen, keylen; + size_t raw_keylen, raw_tktlen, keylen, tktlen; =20 _enter(",{%x,%x,%x,%x},%x", ntohl(xdr[0]), ntohl(xdr[1]), ntohl(xdr[2]), ntohl(xdr[3]), @@ -181,18 +182,22 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_pre= parsed_payload *prep, goto reject; =20 key =3D xdr + (6 * 2 + 1); - keylen =3D ntohl(key[-1]); - _debug("keylen: %x", keylen); - keylen =3D round_up(keylen, 4); + raw_keylen =3D ntohl(key[-1]); + _debug("keylen: %zx", raw_keylen); + if (raw_keylen > AFSTOKEN_GK_KEY_MAX) + goto reject; + keylen =3D round_up(raw_keylen, 4); if ((6 * 2 + 2) * 4 + keylen > toklen) goto reject; =20 ticket =3D xdr + (6 * 2 + 1 + (keylen / 4) + 1); - tktlen =3D ntohl(ticket[-1]); - _debug("tktlen: %x", tktlen); - tktlen =3D round_up(tktlen, 4); + raw_tktlen =3D ntohl(ticket[-1]); + _debug("tktlen: %zx", raw_tktlen); + if (raw_tktlen > AFSTOKEN_GK_TOKEN_MAX) + goto reject; + tktlen =3D round_up(raw_tktlen, 4); if ((6 * 2 + 2) * 4 + keylen + tktlen !=3D toklen) { - kleave(" =3D -EKEYREJECTED [%x!=3D%x, %x,%x]", + kleave(" =3D -EKEYREJECTED [%zx!=3D%x, %zx,%zx]", (6 * 2 + 2) * 4 + keylen + tktlen, toklen, keylen, tktlen); goto reject; @@ -206,7 +211,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, if (!token) goto nomem; =20 - token->rxgk =3D kzalloc(sizeof(*token->rxgk) + keylen, GFP_KERNEL); + token->rxgk =3D kzalloc(struct_size_t(struct rxgk_key, _key, raw_keylen),= GFP_KERNEL); if (!token->rxgk) goto nomem_token; =20 
@@ -221,9 +226,9 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, token->rxgk->enctype =3D tmp =3D xdr_dec64(xdr + 5 * 2); if (tmp < 0 || tmp > UINT_MAX) goto reject_token; - token->rxgk->key.len =3D ntohl(key[-1]); + token->rxgk->key.len =3D raw_keylen; token->rxgk->key.data =3D token->rxgk->_key; - token->rxgk->ticket.len =3D ntohl(ticket[-1]); + token->rxgk->ticket.len =3D raw_tktlen; =20 if (token->rxgk->endtime !=3D 0) { expiry =3D rxrpc_s64_to_time64(token->rxgk->endtime); 
@@ -236,8 +241,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_prepa= rsed_payload *prep, memcpy(token->rxgk->key.data, key, token->rxgk->key.len); =20 /* Pad the ticket so that we can use it directly in XDR */ - token->rxgk->ticket.data =3D kzalloc(round_up(token->rxgk->ticket.len, 4), - GFP_KERNEL); + token->rxgk->ticket.data =3D kzalloc(tktlen, GFP_KERNEL); if (!token->rxgk->ticket.data) goto nomem_yrxgk; memcpy(token->rxgk->ticket.data, ticket, token->rxgk->ticket.len);
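Review bot: in the -181,18 hunk the two new checks (raw_keylen > AFSTOKEN_GK_KEY_MAX and raw_tktlen > AFSTOKEN_GK_TOKEN_MAX) bound the lengths from above only, so a token carrying a zero-length key or ticket still gets past them and is accepted as long as the sizes add up to toklen. If an empty key or ticket is never valid for a yfs-rxgk token, reject raw_keylen == 0 and raw_tktlen == 0 at the same two places; if it is valid, a short comment saying so would save the next reader the question.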
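Review bot: in the -206,7 hunk the key buffer is now sized from raw_keylen via struct_size_t(), where the old code allocated the length rounded up to 4, while the ticket buffer in the -236,8 hunk is still allocated at the rounded tktlen. The asymmetry looks deliberate, given the existing comment that the ticket is padded for direct use in XDR, but please confirm that nothing reads _key out to the padded length, and add a matching comment at the key allocation saying it is intentionally unpadded.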
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Alok Tiwari, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v5 06/21] rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial
Date: Wed, 8 Apr 2026 13:12:34 +0100
Message-ID: <20260408121252.2249051-7-dhowells@redhat.com>
In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com>
References: <20260408121252.2249051-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Alok Tiwari

In rxrpc_post_response(), the code should be comparing the challenge serial number from the cached response before deciding to switch to a newer response, but looks at the newer packet private data instead, rendering the comparison always false.

Fix this by switching to look at the older packet.

Fix further[1] to substitute the new packet in place of the old one if newer and also to release whichever we don't use.

Fixes: 5800b1cf3fd8 ("rxrpc: Allow CHALLENGEs to the passed to the app for a RESPONSE")
Signed-off-by: Alok Tiwari
Signed-off-by: David Howells
Reviewed-by: Jeffrey Altman
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
Link: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com [1]
---
 include/trace/events/rxrpc.h | 1 +
 net/rxrpc/conn_event.c | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index a826cd80007b..f7f559204b87 100644
--- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -185,6 +185,7 @@ EM(rxrpc_skb_put_input, "PUT input ") \ EM(rxrpc_skb_put_jumbo_subpacket, "PUT jumbo-sub") \ EM(rxrpc_skb_put_oob, "PUT oob ") \ + EM(rxrpc_skb_put_old_response, "PUT old-resp ") \ EM(rxrpc_skb_put_purge, "PUT purge ") \ EM(rxrpc_skb_put_purge_oob, "PUT purge-oob") \ EM(rxrpc_skb_put_response, "PUT response ") \ diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c index 98ad9b51ca2c..c50cbfc5a313 100644 --- a/net/rxrpc/conn_event.c +++ b/net/rxrpc/conn_event.c @@ -557,11 +557,11 @@ void rxrpc_post_response(struct rxrpc_connection *con= n, struct sk_buff *skb) spin_lock_irq(&local->lock); old =3D conn->tx_response; if (old) { - struct rxrpc_skb_priv *osp =3D rxrpc_skb(skb); + struct rxrpc_skb_priv *osp =3D rxrpc_skb(old); =20 /* Always go with the response to the most recent challenge. */ if (after(sp->resp.challenge_serial, osp->resp.challenge_serial)) - conn->tx_response =3D old; + conn->tx_response =3D skb; else old =3D skb; } else { 
@@ -569,4 +569,5 @@ void rxrpc_post_response(struct rxrpc_connection *conn,= struct sk_buff *skb) } spin_unlock_irq(&local->lock); rxrpc_poke_conn(conn, rxrpc_conn_get_poke_response); + rxrpc_free_skb(old, rxrpc_skb_put_old_response); }
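Review bot: style nit in the include/trace/events/rxrpc.h hunk: rxrpc_skb_put_old_response is added after rxrpc_skb_put_oob, but the neighbouring EM() entries are in alphabetical order and old_response sorts before oob, so the new line belongs one entry higher.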
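Review bot: the rxrpc_free_skb(old, rxrpc_skb_put_old_response) call added in the -569,4 hunk is reached on every path, including the else arm of if (old) in the -557,11 hunk, where old is still NULL, so it relies on rxrpc_free_skb() accepting a NULL skb. It also frees the newly posted skb, not a previously cached response, whenever the "else old = skb" arm is taken, which makes the old-resp trace label misleading for that case. A comment above the call stating both points (the pointer may be NULL, and it may be the new skb when that one answers an older challenge) would help, as would a more neutral trace name.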
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Alok Tiwari, Simon Horman, Jeffrey Altman, stable@kernel.org
Subject: [PATCH net v5 07/21] rxrpc: Fix rack timer warning to report unexpected mode
Date: Wed, 8 Apr 2026 13:12:35 +0100
Message-ID: <20260408121252.2249051-8-dhowells@redhat.com>
In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com>
References: <20260408121252.2249051-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Alok Tiwari

rxrpc_rack_timer_expired() clears call->rack_timer_mode to OFF before the switch. The default case warning therefore always prints OFF and doesn't identify the unexpected timer mode.

Log the saved mode value instead so the warning reports the actual unexpected rack timer mode.

Fixes: 7c482665931b ("rxrpc: Implement RACK/TLP to deal with transmission stalls [RFC8985]")
Signed-off-by: Alok Tiwari
Signed-off-by: David Howells
Reviewed-by: Simon Horman
Reviewed-by: Jeffrey Altman
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/input_rack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/rxrpc/input_rack.c b/net/rxrpc/input_rack.c index 13c371261e0a..9eb109ffba56 100644 --- a/net/rxrpc/input_rack.c +++ b/net/rxrpc/input_rack.c
@@ -413,6 +413,6 @@ void rxrpc_rack_timer_expired(struct rxrpc_call *call, = ktime_t overran_by) break; //case RXRPC_CALL_RACKTIMER_ZEROWIN: default: - pr_warn("Unexpected rack timer %u", call->rack_timer_mode); + pr_warn("Unexpected rack timer %u", mode); } }
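Review bot: the pr_warn() format string on the changed line still ends without a newline ("Unexpected rack timer %u"); kernel log messages should be newline-terminated, and since the line is being touched anyway this is the place to add the trailing \n.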
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Anderson Nascimento, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v5 08/21] rxrpc: Fix key reference count leak from call->key
Date: Wed, 8 Apr 2026 13:12:36 +0100
Message-ID: <20260408121252.2249051-9-dhowells@redhat.com>
In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com>
References: <20260408121252.2249051-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Anderson Nascimento

When creating a client call in rxrpc_alloc_client_call(), the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed.

Fix this by freeing call->key in rxrpc_destroy_call().

Before the patch, it shows the key reference counter elevated:

$ cat /proc/keys | grep afs@54321
1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka
$

After the patch, the invalidated key is removed when the code exits:

$ cat /proc/keys | grep afs@54321
$

Fixes: f3441d4125fc ("rxrpc: Copy client call parameters into rxrpc_call earlier")
Signed-off-by: Anderson Nascimento
Co-developed-by: David Howells
Signed-off-by: David Howells
Reviewed-by: Jeffrey Altman
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/call_object.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c index 59329cfe1532..f035f486c139 100644 --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c
@@ -692,6 +692,7 @@ static void rxrpc_destroy_call(struct work_struct *work) rxrpc_put_bundle(call->bundle, rxrpc_bundle_put_call); rxrpc_put_peer(call->peer, rxrpc_peer_put_call); rxrpc_put_local(call->local, rxrpc_local_put_call); + key_put(call->key); call_rcu(&call->rcu, rxrpc_rcu_free_call); }
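Review bot: key_put(call->key) in this hunk runs for every call that reaches rxrpc_destroy_call(), whereas the changelog says the reference is taken in rxrpc_alloc_client_call(), so the put is balanced only if call->key is NULL for calls that never took one (key_put() ignores a NULL key). Please say so in a comment next to the new line, or in the changelog, so the get/put pairing can be audited without tracing every place call->key is set.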
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Marc Dionne, Jeffrey Altman, Simon Horman, stable@kernel.org
Subject: [PATCH net v5 09/21] rxrpc: Fix to request an ack if window is limited
Date: Wed, 8 Apr 2026 13:12:37 +0100
Message-ID: <20260408121252.2249051-10-dhowells@redhat.com>
In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com>
References: <20260408121252.2249051-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Marc Dionne

Peers may only send immediate acks for every 2 UDP packets received. When sending a jumbogram, it is important to check that there is sufficient window space to send another same sized jumbogram following the current one, and request an ack if there isn't. Failure to do so may cause the call to stall waiting for an ack until the resend timer fires.

Where jumbograms are in use this causes a very significant drop in performance.

Fixes: fe24a5494390 ("rxrpc: Send jumbo DATA packets")
Signed-off-by: Marc Dionne
Signed-off-by: David Howells
cc: Jeffrey Altman
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 include/trace/events/rxrpc.h | 1 +
 net/rxrpc/ar-internal.h | 2 +-
 net/rxrpc/output.c | 2 ++
 net/rxrpc/proc.c | 5 +++--
 4 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index f7f559204b87..578b8038b211 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h
@@ -521,6 +521,7 @@ #define rxrpc_req_ack_traces \ EM(rxrpc_reqack_ack_lost, "ACK-LOST ") \ EM(rxrpc_reqack_app_stall, "APP-STALL ") \ + EM(rxrpc_reqack_jumbo_win, "JUMBO-WIN ") \ EM(rxrpc_reqack_more_rtt, "MORE-RTT ") \ EM(rxrpc_reqack_no_srv_last, "NO-SRVLAST") \ EM(rxrpc_reqack_old_rtt, "OLD-RTT ") \ diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h index 36d6ca0d1089..96ecb83c9071 100644 --- a/net/rxrpc/ar-internal.h +++ b/net/rxrpc/ar-internal.h @@ -117,7 +117,7 @@ struct rxrpc_net { atomic_t stat_tx_jumbo[10]; atomic_t stat_rx_jumbo[10]; =20 - atomic_t stat_why_req_ack[8]; + atomic_t stat_why_req_ack[9]; =20 atomic_t stat_io_loop; }; diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c index d70db367e358..870e59bf06af 100644 --- a/net/rxrpc/output.c +++ b/net/rxrpc/output.c @@ -479,6 +479,8 @@ static size_t rxrpc_prepare_data_subpacket(struct rxrpc= _call *call, why =3D rxrpc_reqack_old_rtt; else if (!last && !after(READ_ONCE(call->send_top), txb->seq)) why =3D rxrpc_reqack_app_stall; + else if (call->tx_winsize <=3D (2 * req->n) || call->cong_cwnd <=3D (2 * = req->n)) + why =3D rxrpc_reqack_jumbo_win; else goto dont_set_request_ack; =20 diff --git a/net/rxrpc/proc.c b/net/rxrpc/proc.c index 59292f7f9205..7755fca5beb8 100644 --- a/net/rxrpc/proc.c +++ b/net/rxrpc/proc.c 
@@ -518,11 +518,12 @@ int rxrpc_stats_show(struct seq_file *seq, void *v) atomic_read(&rxnet->stat_rx_acks[RXRPC_ACK_IDLE]), atomic_read(&rxnet->stat_rx_acks[0])); seq_printf(seq, - "Why-Req-A: acklost=3D%u mrtt=3D%u ortt=3D%u stall=3D%u\n", + "Why-Req-A: acklost=3D%u mrtt=3D%u ortt=3D%u stall=3D%u jwin=3D%u\n", atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_ack_lost]), atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_more_rtt]), atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_old_rtt]), - atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_app_stall])); + atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_app_stall]), + atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_jumbo_win])); seq_printf(seq, "Why-Req-A: nolast=3D%u retx=3D%u slows=3D%u smtxw=3D%u\n", atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_no_srv_last]),
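Review bot: in the net/rxrpc/ar-internal.h hunk stat_why_req_ack[] goes from 8 to 9 by hand to make room for rxrpc_reqack_jumbo_win. A literal that has to be bumped in step with rxrpc_req_ack_traces is easy to miss, and the proc.c hunk shows the array is indexed by that enum, so a stale size becomes an out-of-bounds atomic access. Sizing the array from an enum count sentinel, or adding a BUILD_BUG_ON() that ties the two together, would remove the hazard.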
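Review bot: the condition added in the net/rxrpc/output.c hunk compares call->tx_winsize and call->cong_cwnd themselves against 2 * req->n, that is, the total window sizes, while the changelog describes checking for sufficient window space to send another same-sized jumbogram after the current one. If the remaining space (window minus what is already in flight) is what matters, the test needs to account for outstanding packets; if the absolute size is intended, a comment explaining why, and what the factor of 2 stands for, should go above the else if. The new line also runs well past 80 columns and could be wrapped at the ||.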
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Douya Le, Yifan Wu, Juefei Pu, Yuan Tan, Xin Liu, Ao Zhou, Simon Horman, stable@kernel.org
Subject: [PATCH net v5 10/21] rxrpc: Only put the call ref if one was acquired
Date: Wed, 8 Apr 2026 13:12:38 +0100
Message-ID: <20260408121252.2249051-11-dhowells@redhat.com>
In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com>
References: <20260408121252.2249051-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Douya Le

rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop.

The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel crash instead of rejecting the packet.

Only drop the call reference if one was actually acquired. Keep the existing protocol error handling unchanged.

Fixes: 5e6ef4f1017c ("rxrpc: Make the I/O thread take over the call and local processor work")
Reported-by: Yifan Wu
Reported-by: Juefei Pu
Signed-off-by: Douya Le
Co-developed-by: Yuan Tan
Signed-off-by: Yuan Tan
Suggested-by: Xin Liu
Signed-off-by: Ao Zhou
Signed-off-by: David Howells
cc: Marc Dionne
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/io_thread.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/rxrpc/io_thread.c b/net/rxrpc/io_thread.c index e939ecf417c4..697956931925 100644 --- a/net/rxrpc/io_thread.c +++ b/net/rxrpc/io_thread.c
@@ -419,7 +419,8 @@ static int rxrpc_input_packet_on_conn(struct rxrpc_conn= ection *conn, =20 if (sp->hdr.callNumber > chan->call_id) { if (rxrpc_to_client(sp)) { - rxrpc_put_call(call, rxrpc_call_put_input); + if (call) + rxrpc_put_call(call, rxrpc_call_put_input); return rxrpc_protocol_error(skb, rxrpc_eproto_unexpected_implicit_end); }
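Review bot: The `if (call)` guard in rxrpc_input_packet_on_conn() covers only this rxrpc_to_client() early return and carries no comment saying when call can be NULL at this point, so the next reader cannot tell whether other rxrpc_put_call() sites in the function need the same test. Either add a one-line comment naming the case, or make rxrpc_put_call() tolerate a NULL call so that every caller is covered.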
From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Yuqi Xu , Yifan Wu , Juefei Pu , Yuan Tan , Xin Liu , Ren Wei , Ren Wei , Simon Horman , stable@kernel.org Subject: [PATCH net v5 11/21] rxrpc: reject undecryptable rxkad response tickets Date: Wed, 8 Apr 2026 13:12:39 +0100 Message-ID: <20260408121252.2249051-12-dhowells@redhat.com> In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com> References: <20260408121252.2249051-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Content-Type: text/plain; charset="utf-8" From: Yuqi Xu rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded. A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes. Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails. Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") Reported-by: Yifan Wu Reported-by: Juefei Pu Co-developed-by: Yuan Tan Signed-off-by: Yuan Tan Suggested-by: Xin Liu Tested-by: Ren Wei Signed-off-by: Yuqi Xu Signed-off-by: Ren Wei Signed-off-by: David Howells cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/rxkad.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c index e923d6829008..0f79d694cb08 100644 
--- a/net/rxrpc/rxkad.c +++ b/net/rxrpc/rxkad.c @@ -958,6 +958,7 @@ static int rxkad_decrypt_ticket(struct rxrpc_connection= *conn, struct in_addr addr; unsigned int life; time64_t issue, now; + int ret; bool little_endian; u8 *p, *q, *name, *end; =20 
@@ -977,8 +978,11 @@ static int rxkad_decrypt_ticket(struct rxrpc_connectio= n *conn, sg_init_one(&sg[0], ticket, ticket_len); skcipher_request_set_callback(req, 0, NULL, NULL); skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); - crypto_skcipher_decrypt(req); + ret =3D crypto_skcipher_decrypt(req); skcipher_request_free(req); + if (ret < 0) + return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO, + rxkad_abort_resp_tkt_short); =20 p =3D ticket; end =3D p + ticket_len;
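Review bot: In the second hunk of rxkad_decrypt_ticket(), every negative return from crypto_skcipher_decrypt() becomes an RXKADBADTICKET abort with -EPROTO and the trace value rxkad_abort_resp_tkt_short. That conflates a malformed ticket with a local failure (patch 16/21 in this series notes that the crypto calls can fail with ENOMEM), and the "short" trace label will mislead anyone reading the trace. Consider rejecting a ticket_len that is not block-aligned before the decrypt call, passing a local error such as -ENOMEM back unchanged, and using a trace value that names the decrypt failure.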
From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Keenan Dong , Simon Horman , Willy Tarreau , stable@kernel.org Subject: [PATCH net v5 12/21] rxrpc: fix RESPONSE authenticator parser OOB read Date: Wed, 8 Apr 2026 13:12:40 +0100 Message-ID: <20260408121252.2249051-13-dhowells@redhat.com> In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com> References: <20260408121252.2249051-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Content-Type: text/plain; charset="utf-8" 
From: Keenan Dong rxgk_verify_authenticator() copies auth_len bytes into a temporary buffer and then passes p + auth_len as the parser limit to rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the parser end pointer by a factor of four and lets malformed RESPONSE authenticators read past the kmalloc() buffer. Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh: BUG: KASAN: slab-out-of-bounds in rxgk_verify_response() Call Trace: dump_stack_lvl() [lib/dump_stack.c:123] print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482] kasan_report() [mm/kasan/report.c:597] rxgk_verify_response() [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167 net/rxrpc/rxgk.c:1274] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] process_one_work() [kernel/workqueue.c:3281] worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440] kthread() [kernel/kthread.c:436] ret_from_fork() [arch/x86/kernel/process.c:164] Allocated by task 54: rxgk_verify_response() [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155 net/rxrpc/rxgk.c:1274] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] Convert the byte count to __be32 units before constructing the parser limit. Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)") Signed-off-by: Keenan Dong Signed-off-by: David Howells cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: Willy Tarreau cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/rxgk.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c index f9f5a2dc62ed..01dbdf0b5cf2 100644 --- a/net/rxrpc/rxgk.c +++ b/net/rxrpc/rxgk.c 
@@ -1164,7 +1164,8 @@ static int rxgk_verify_authenticator(struct rxrpc_con= nection *conn, } =20 p =3D auth; - ret =3D rxgk_do_verify_authenticator(conn, krb5, skb, p, p + auth_len); + ret =3D rxgk_do_verify_authenticator(conn, krb5, skb, p, + p + auth_len / sizeof(*p)); error: kfree(auth); return ret;
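Review bot: `p + auth_len / sizeof(*p)` in rxgk_verify_authenticator() rounds down, so the parser limit is exact only when auth_len is a multiple of 4. The `auth_len & 3` test that would guarantee this appears to sit in the caller (it is visible in rxgk_verify_response() in patch 13/21), so a short comment here saying that auth_len is already 4-byte aligned, or a local check, would keep the two from drifting apart if the caller changes.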
From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Keenan Dong , Simon Horman , Willy Tarreau , stable@kernel.org Subject: [PATCH net v5 13/21] rxrpc: fix oversized RESPONSE authenticator length check Date: Wed, 8 Apr 2026 13:12:41 +0100 Message-ID: <20260408121252.2249051-14-dhowells@redhat.com> In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com> References: <20260408121252.2249051-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Content-Type: text/plain; charset="utf-8" From: Keenan Dong rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len). Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh: RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)] Call Trace: skb_to_sgvec() [net/core/skbuff.c:5305] rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81] rxgk_verify_response() [net/rxrpc/rxgk.c:1268] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] process_one_work() [kernel/workqueue.c:3281] worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440] kthread() [kernel/kthread.c:436] ret_from_fork() [arch/x86/kernel/process.c:164] Reject authenticator lengths that exceed the remaining packet payload. Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)") Signed-off-by: Keenan Dong 
Signed-off-by: David Howells cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: Willy Tarreau cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/rxgk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c index 01dbdf0b5cf2..9e4a4ff28913 100644 --- a/net/rxrpc/rxgk.c +++ b/net/rxrpc/rxgk.c 
@@ -1224,7 +1224,7 @@ static int rxgk_verify_response(struct rxrpc_connecti= on *conn, =20 auth_offset =3D offset; auth_len =3D ntohl(xauth_len); - if (auth_len < len) + if (auth_len > len) goto short_packet; if (auth_len & 3) goto inconsistent;
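Review bot: With the comparison in rxgk_verify_response() corrected to `auth_len > len`, a RESPONSE whose authenticator is shorter than the remaining payload is accepted and whatever follows it is ignored. If nothing is allowed to follow the authenticator, this should be `auth_len != len`; if trailing data is legal, a comment should say so. The commit message could also mention that the inverted test rejected every response with auth_len < len, since that is a behaviour change as well as a fix.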
From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Luxiao Xu , Yifan Wu , Juefei Pu , Yuan Tan , Xin Liu , Ren Wei , Ren Wei , Simon Horman , stable@kernel.org Subject: [PATCH net v5 14/21] rxrpc: fix reference count leak in rxrpc_server_keyring() Date: Wed, 8 Apr 2026 13:12:42 +0100 Message-ID: <20260408121252.2249051-15-dhowells@redhat.com> In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com> References: <20260408121252.2249051-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Content-Type: text/plain; charset="utf-8" From: Luxiao Xu This patch fixes a reference count leak in rxrpc_server_keyring() by checking if rx->securities is already set. Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") Reported-by: Yifan Wu Reported-by: Juefei Pu Co-developed-by: Yuan Tan Signed-off-by: Yuan Tan Suggested-by: Xin Liu Tested-by: Ren Wei Signed-off-by: Luxiao Xu Signed-off-by: Ren Wei Signed-off-by: David Howells cc: Marc Dionne cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/server_key.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rxrpc/server_key.c b/net/rxrpc/server_key.c index 36b05fd842a7..27491f1e1273 100644 --- a/net/rxrpc/server_key.c +++ b/net/rxrpc/server_key.c 
@@ -125,6 +125,9 @@ int rxrpc_server_keyring(struct rxrpc_sock *rx, sockptr= _t optval, int optlen) =20 _enter(""); =20 + if (rx->securities) + return -EINVAL; + if (optlen <=3D 0 || optlen > PAGE_SIZE - 1) return -EINVAL;
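Review bot: The new `if (rx->securities) return -EINVAL;` at the top of rxrpc_server_keyring() changes what userspace sees: a second setsockopt(RXRPC_SECURITY_KEYRING) on the same socket now fails instead of being processed. The commit message says only that a reference count leak is fixed by checking rx->securities; it should name the reference that leaked and state the new failure, so that the stable backport can be judged from the message alone.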
From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Anderson Nascimento , Luxiao Xu , Yuan Tan , Simon Horman , stable@kernel.org Subject: [PATCH net v5 15/21] rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING) Date: Wed, 8 Apr 2026 13:12:43 +0100 Message-ID: <20260408121252.2249051-16-dhowells@redhat.com> In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com> References: <20260408121252.2249051-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Content-Type: text/plain; charset="utf-8" An AF_RXRPC socket can be both client and server at the same time. When sending new calls (ie. it's acting as a client), it uses rx->key to set the security, and when accepting incoming calls (ie. it's acting as a server), it uses rx->securities. setsockopt(RXRPC_SECURITY_KEY) sets rx->key to point to an rxrpc-type key and setsockopt(RXRPC_SECURITY_KEYRING) sets rx->securities to point to a keyring of rxrpc_s-type keys. Now, it should be possible to use both rx->key and rx->securities on the same socket - but for userspace AF_RXRPC sockets rxrpc_setsockopt() prevents that. Fix this by: (1) Remove the incorrect check rxrpc_setsockopt(RXRPC_SECURITY_KEYRING) makes on rx->key. (2) Move the check that rxrpc_setsockopt(RXRPC_SECURITY_KEY) makes on rx->key down into rxrpc_request_key(). (3) Remove rxrpc_request_key()'s check on rx->securities. This (in combination with a previous patch) pushes the checks down into the functions that set those pointers and removes the cross-checks that prevent both key and keyring being set. 
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Anderson Nascimento cc: Luxiao Xu cc: Yuan Tan cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/af_rxrpc.c | 6 ------ net/rxrpc/key.c | 2 +- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c index 0f90272ac254..32ec91fa938f 100644 --- a/net/rxrpc/af_rxrpc.c +++ b/net/rxrpc/af_rxrpc.c @@ -654,9 +654,6 @@ static int rxrpc_setsockopt(struct socket *sock, int le= vel, int optname, goto success; =20 case RXRPC_SECURITY_KEY: - ret =3D -EINVAL; - if (rx->key) - goto error; ret =3D -EISCONN; if (rx->sk.sk_state !=3D RXRPC_UNBOUND) goto error; @@ -664,9 +661,6 @@ static int rxrpc_setsockopt(struct socket *sock, int le= vel, int optname, goto error; =20 case RXRPC_SECURITY_KEYRING: - ret =3D -EINVAL; - if (rx->key) - goto error; ret =3D -EISCONN; if (rx->sk.sk_state !=3D RXRPC_UNBOUND) goto error; diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index 77237a82be3b..6301d79ee35a 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c 
@@ -622,7 +622,7 @@ int rxrpc_request_key(struct rxrpc_sock *rx, sockptr_t = optval, int optlen) =20 _enter(""); =20 - if (optlen <=3D 0 || optlen > PAGE_SIZE - 1 || rx->securities) + if (optlen <=3D 0 || optlen > PAGE_SIZE - 1 || rx->key) return -EINVAL; =20 description =3D memdup_sockptr_nul(optval, optlen);
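Review bot: In rxrpc_request_key() the `rx->key` test is folded into the optlen range check (`optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->key`), whereas rxrpc_server_keyring() in patch 14/21 tests `rx->securities` in its own `if` ahead of the length check. A separate `if (rx->key) return -EINVAL;` would match that and keep argument validation apart from socket state. The patch also relies on 14/21 being applied first, because the RXRPC_SECURITY_KEYRING case in rxrpc_setsockopt() no longer tests for an existing key or keyring itself; the commit message's "a previous patch" should name it.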
From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v5 16/21] rxrpc: Fix missing error checks for rxkad encryption/decryption failure Date: Wed, 8 Apr 2026 13:12:44 +0100 Message-ID: <20260408121252.2249051-17-dhowells@redhat.com> In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com> References: <20260408121252.2249051-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 Content-Type: text/plain; charset="utf-8" Add error checking for failure of crypto_skcipher_en/decrypt() to various rxkad function as the crypto functions can fail with ENOMEM at least. Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by u= serspace and kernel both") Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@r= edhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/rxkad.c | 57 +++++++++++++++++++++++++++++++---------------- 1 file changed, 38 insertions(+), 19 deletions(-) diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c index 0f79d694cb08..eb7f2769d2b1 100644 --- a/net/rxrpc/rxkad.c +++ b/net/rxrpc/rxkad.c @@ -197,6 +197,7 @@ static int rxkad_prime_packet_security(struct rxrpc_con= nection *conn, struct rxrpc_crypt iv; __be32 *tmpbuf; size_t tmpsize =3D 4 * sizeof(__be32); + int ret; =20 _enter(""); =20 
@@ -225,13 +226,13 @@ static int rxkad_prime_packet_security(struct rxrpc_c= onnection *conn, skcipher_request_set_sync_tfm(req, ci); skcipher_request_set_callback(req, 0, NULL, NULL); skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x); - crypto_skcipher_encrypt(req); + ret =3D crypto_skcipher_encrypt(req); skcipher_request_free(req); =20 memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv)); kfree(tmpbuf); - _leave(" =3D 0"); - return 0; + _leave(" =3D %d", ret); + return ret; } =20 /* @@ -264,6 +265,7 @@ static int rxkad_secure_packet_auth(const struct rxrpc_= call *call, struct scatterlist sg; size_t pad; u16 check; + int ret; =20 _enter(""); =20 @@ -286,11 +288,11 @@ static int rxkad_secure_packet_auth(const struct rxrp= c_call *call, skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); skcipher_request_set_callback(req, 0, NULL, NULL); skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); - crypto_skcipher_encrypt(req); + ret =3D crypto_skcipher_encrypt(req); skcipher_request_zero(req); =20 - _leave(" =3D 0"); - return 0; + _leave(" =3D %d", ret); + return ret; } =20 /* @@ -345,7 +347,7 @@ static int rxkad_secure_packet(struct rxrpc_call *call,= struct rxrpc_txbuf *txb) union { __be32 buf[2]; } crypto __aligned(8); - u32 x, y; + u32 x, y =3D 0; int ret; =20 _enter("{%d{%x}},{#%u},%u,", @@ -376,8 +378,10 @@ static int rxkad_secure_packet(struct rxrpc_call *call= , struct rxrpc_txbuf *txb) skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); skcipher_request_set_callback(req, 0, NULL, NULL); skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); - crypto_skcipher_encrypt(req); + ret =3D crypto_skcipher_encrypt(req); skcipher_request_zero(req); + if (ret < 0) + goto out; =20 y =3D ntohl(crypto.buf[1]); y =3D (y >> 16) & 0xffff; 
@@ -413,6 +417,7 @@ static int rxkad_secure_packet(struct rxrpc_call *call,= struct rxrpc_txbuf *txb) memset(p + txb->pkt_len, 0, gap); } =20 +out: skcipher_request_free(req); _leave(" =3D %d [set %x]", ret, y); return ret; @@ -453,8 +458,10 @@ static int rxkad_verify_packet_1(struct rxrpc_call *ca= ll, struct sk_buff *skb, skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); skcipher_request_set_callback(req, 0, NULL, NULL); skcipher_request_set_crypt(req, sg, sg, 8, iv.x); - crypto_skcipher_decrypt(req); + ret =3D crypto_skcipher_decrypt(req); skcipher_request_zero(req); + if (ret < 0) + return ret; =20 /* Extract the decrypted packet length */ if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0) @@ -531,10 +538,14 @@ static int rxkad_verify_packet_2(struct rxrpc_call *c= all, struct sk_buff *skb, skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); skcipher_request_set_callback(req, 0, NULL, NULL); skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x); - crypto_skcipher_decrypt(req); + ret =3D crypto_skcipher_decrypt(req); skcipher_request_zero(req); if (sg !=3D _sg) kfree(sg); + if (ret < 0) { + WARN_ON_ONCE(ret !=3D -ENOMEM); + return ret; + } =20 /* Extract the decrypted packet length */ if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0) @@ -602,8 +613,10 @@ static int rxkad_verify_packet(struct rxrpc_call *call= , struct sk_buff *skb) skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); skcipher_request_set_callback(req, 0, NULL, NULL); skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); - crypto_skcipher_encrypt(req); + ret =3D crypto_skcipher_encrypt(req); skcipher_request_zero(req); + if (ret < 0) + goto out; =20 y =3D ntohl(crypto.buf[1]); cksum =3D (y >> 16) & 0xffff; 
@@ -1077,21 +1090,23 @@ static int rxkad_decrypt_ticket(struct rxrpc_connec= tion *conn, /* * decrypt the response packet */ -static void rxkad_decrypt_response(struct rxrpc_connection *conn, - struct rxkad_response *resp, - const struct rxrpc_crypt *session_key) +static int rxkad_decrypt_response(struct rxrpc_connection *conn, + struct rxkad_response *resp, + const struct rxrpc_crypt *session_key) { struct skcipher_request *req =3D rxkad_ci_req; struct scatterlist sg[1]; struct rxrpc_crypt iv; + int ret; =20 _enter(",,%08x%08x", ntohl(session_key->n[0]), ntohl(session_key->n[1])); =20 mutex_lock(&rxkad_ci_mutex); - if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x, - sizeof(*session_key)) < 0) - BUG(); + ret =3D crypto_sync_skcipher_setkey(rxkad_ci, session_key->x, + sizeof(*session_key)); + if (ret < 0) + goto unlock; =20 memcpy(&iv, session_key, sizeof(iv)); =20 @@ -1100,12 +1115,14 @@ static void rxkad_decrypt_response(struct rxrpc_con= nection *conn, skcipher_request_set_sync_tfm(req, rxkad_ci); skcipher_request_set_callback(req, 0, NULL, NULL); skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); - crypto_skcipher_decrypt(req); + ret =3D crypto_skcipher_decrypt(req); skcipher_request_zero(req); =20 +unlock: mutex_unlock(&rxkad_ci_mutex); =20 _leave(""); + return ret; } =20 /* 
@@ -1198,7 +1215,9 @@ static int rxkad_verify_response(struct rxrpc_connect= ion *conn, =20 /* use the session key from inside the ticket to decrypt the * response */ - rxkad_decrypt_response(conn, response, &session_key); + ret =3D rxkad_decrypt_response(conn, response, &session_key); + if (ret < 0) + goto temporary_error_free_ticket; =20 if (ntohl(response->encrypted.epoch) !=3D conn->proto.epoch || ntohl(response->encrypted.cid) !=3D conn->proto.cid || From nobody Fri Apr 10 16:15:08 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4FF0C3C5550 for ; Wed, 8 Apr 2026 12:14:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775650493; cv=none; b=o65QeSTGIF+Ue3GWFUFhnveKXgDhQ92Wovrxm079T4w4NXH9SUrtRqnNq0CEnC6wbKLirxKbJVt8VbtfVTjISfXO1nU4E+zF3wnptkaNueBSymH1J1cwBt/kZm2HVlcvkeOt90RuUaMgzgM6un6h5hXH5zCLMQO6PIjrrS92+AA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775650493; c=relaxed/simple; bh=bXVu2+Z0GwpRAmBHYjgAE256FwRZ8IdCkhvPqkkIQgw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=jizLfQmoCIQDkqcSd4CzlVqV1fTXctH6YhRbdJevKTZ8CPtcWqs1jqod6Hdzb/C9Z+3JO2laafPOH5mSAMcRZKX5G5wtH0mPlx4Y214gHCKiuD1TdvAJbTACPx5f5C37he02PkqznpVAu4QsM2pJQhBQGY6mHx2hKUL6pn9cfaQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=cLBeoa3a; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: 
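Review bot: in rxkad_prime_packet_security() the memcpy() into conn->rxkad.csum_iv still runs after a failed crypto_skcipher_encrypt(), so on error the connection is left holding a checksum IV copied from a buffer the cipher did not finish processing. Suggest making the copy conditional, e.g. `if (ret == 0) memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));`, so that a caller which retries or mishandles the error never sees a half-initialised IV.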
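Review bot: in rxkad_verify_packet_2() the `WARN_ON_ONCE(ret != -ENOMEM)` sits on a decrypt whose length argument is the per-packet value sp->len, and it is the only site in this patch that warns. If the cipher can reject a length with an error other than -ENOMEM, the warning becomes reachable from received traffic; either validate sp->len before the decrypt or drop the WARN and just return ret, as rxkad_verify_packet_1() does.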
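Review bot: rxkad_decrypt_response() now returns ret but still ends with `_leave("")`, unlike the other functions in this patch, which were switched to `_leave(" = %d", ret)`. The setkey failure that used to BUG() is also now routed by rxkad_verify_response() to temporary_error_free_ticket together with decrypt failures, while the commit message only mentions the en/decrypt calls; please mention the BUG() removal there as well.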
From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v5 17/21] rxrpc: Fix integer overflow in rxgk_verify_response() Date: Wed, 8 Apr 2026 13:12:45 +0100 Message-ID: <20260408121252.2249051-18-dhowells@redhat.com> In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com> References: <20260408121252.2249051-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Content-Type: text/plain; charset="utf-8" In rxgk_verify_response(), there's a potential integer overflow due to rounding up token_len before checking it, thereby allowing the length check= to be bypassed. Fix this by checking the unrounded value against len too (len is limited as the response must fit in a single UDP packet). Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (G= SSAPI)") Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@r= edhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/rxgk.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c index 9e4a4ff28913..064c1531fc99 100644 --- a/net/rxrpc/rxgk.c +++ b/net/rxrpc/rxgk.c 
@@ -1209,7 +1209,8 @@ static int rxgk_verify_response(struct rxrpc_connecti= on *conn, =20 token_offset =3D offset; token_len =3D ntohl(rhdr.token_len); - if (xdr_round_up(token_len) + sizeof(__be32) > len) + if (token_len > len || + xdr_round_up(token_len) + sizeof(__be32) > len) goto short_packet; =20 trace_rxrpc_rx_response(conn, sp->hdr.serial, 0, sp->hdr.cksum, token_len= ); From nobody Fri Apr 10 16:15:08 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 23DE53BED6C for ; Wed, 8 Apr 2026 12:15:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775650502; cv=none; b=OC7fQhc8nU2nvgj8d58yMADk9UzE+VVheuYbdnnsN30v27bYQshjpp04LrACMKLLc6IO+WPxqnVUHwOzmVfSP39LPUvjfuv3CWH/dE3PVTKgTwpfiwtW7RxQKkw96Fj+0BmHahWfGfKoNcriMxtVxg9BpEPSo3/IjwOzGdRNJWM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775650502; c=relaxed/simple; bh=gSdG3lxZtbodJ/8L44TqxhLcf6+Icb6oHxg0d94YVWI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=AZQTy9k3tHEh1J/OGKXic65mJdVk8AiTSt5XhO7TsXlu7QZdYkZDiZpFI5zXQcNkyBPESgZNGx583ZcTI01RaG8QaFz+u8yBlfVDDsBlOCMY1Cv2dw1WUN38iM5jwIPgFP28xzXcJPgNXDhKZb64FiKDW3MMsxCEmDqIo1LvNSA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=AqMXOJXu; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: 
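Review bot: the added `token_len > len` test in rxgk_verify_response() is only sufficient because len is small enough that rounding up a token_len that is <= len cannot wrap; that bound is stated in the commit message but not at the check itself. Suggest a short comment above the condition saying so, so that a later change to how len is derived does not quietly reopen the wrap.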
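The wrap described in the commit message above, modelled in user space as an added example (not code from the patch or the kernel tree). It assumes token_len and len are 32-bit unsigned values and that xdr_round_up() rounds up to a multiple of 4 in that width; the helper names and the sample len of 1400 are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of xdr_round_up(): round up to a multiple of 4 in 32-bit
 * arithmetic (assumption: token_len is a 32-bit unsigned value). */
static uint32_t xdr_round_up32(uint32_t x)
{
	return (x + 3u) & ~3u;	/* wraps to 0 for x > 0xfffffffc */
}

/* Length check as it stood before the patch: only the rounded value is
 * compared.  The sum is widened to 64 bits to model a 64-bit size_t. */
static bool old_check_accepts(uint32_t token_len, uint32_t len)
{
	return !((uint64_t)xdr_round_up32(token_len) + sizeof(uint32_t) > len);
}

/* Length check after the patch: the unrounded value is compared first. */
static bool new_check_accepts(uint32_t token_len, uint32_t len)
{
	if (token_len > len)
		return false;
	return !((uint64_t)xdr_round_up32(token_len) + sizeof(uint32_t) > len);
}

/* Count the token_len values in [lo, hi] on which the two checks differ,
 * i.e. the values the old check accepted and the new one rejects. */
static unsigned int count_disagreements(uint32_t len, uint32_t lo, uint32_t hi)
{
	unsigned int n = 0;

	for (uint64_t t = lo; t <= hi; t++)
		if (old_check_accepts((uint32_t)t, len) !=
		    new_check_accepts((uint32_t)t, len))
			n++;
	return n;
}

int main(void)
{
	const uint32_t len = 1400;	/* constructed: bytes left in the packet */
	const uint32_t samples[] = {	/* constructed token_len values */
		0, 100, 1396, 1397, 0xfffffffcu, 0xfffffffdu, 0xffffffffu,
	};

	printf("%-12s %-10s %-4s %-4s\n", "token_len", "rounded", "old", "new");
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("0x%08x   0x%08x %-4s %-4s\n",
		       (unsigned int)samples[i],
		       (unsigned int)xdr_round_up32(samples[i]),
		       old_check_accepts(samples[i], len) ? "ok" : "short",
		       new_check_accepts(samples[i], len) ? "ok" : "short");

	printf("disagreements near the top of the range: %u\n",
	       count_disagreements(len, 0xfffff000u, 0xffffffffu));
	return 0;
}
```

The same two functions can be kept as a regression test for the length check: the checks must agree on every in-range length and differ only where the rounding wraps.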
From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v5 18/21] rxrpc: Fix leak of rxgk context in rxgk_verify_response() Date: Wed, 8 Apr 2026 13:12:46 +0100 Message-ID: <20260408121252.2249051-19-dhowells@redhat.com> In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com> References: <20260408121252.2249051-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 Content-Type: text/plain; charset="utf-8" Fix rxgk_verify_response() to clean up the rxgk context it creates. Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (G= SSAPI)") Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@r= edhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/rxgk.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c index 064c1531fc99..c67e3c2ca871 100644 --- a/net/rxrpc/rxgk.c +++ b/net/rxrpc/rxgk.c 
@@ -1270,16 +1270,18 @@ static int rxgk_verify_response(struct rxrpc_connec= tion *conn, if (ret < 0) { rxrpc_abort_conn(conn, skb, RXGK_SEALEDINCON, ret, rxgk_abort_resp_auth_dec); - goto out; + goto out_gk; } =20 ret =3D rxgk_verify_authenticator(conn, krb5, skb, auth_offset, auth_len); if (ret < 0) - goto out; + goto out_gk; =20 conn->key =3D key; key =3D NULL; ret =3D 0; +out_gk: + rxgk_put(gk); out: key_put(key); _leave(" =3D %d", ret); From nobody Fri Apr 10 16:15:08 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4C4AC3CAE81 for ; Wed, 8 Apr 2026 12:15:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775650505; cv=none; b=BwVFiRAhJO0sbCrMTA0h1AM6MMLKht8wqDeOWHUmRJVJ4e8amrDQwzJK9cjej5z8pv94ZHEtaGSQGAjsp0ZyERARx/StQqU3Njv1pfc5KnCqrZX9AyrloA/+3KafJ880B0d3u6HSg6M7x83UNuyRUR3TXR3ua1I8djQQjd3O98o= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775650505; c=relaxed/simple; bh=T6TilaaPcQx10cZAsNBHZzVvjhKcJMP/qPlWI6udbkw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=mCsAgdyw3mnjjTv7KtdamqclKacyPsY4O+VUMqLczMj7XaHEmgjTF5y6JWF0OKUwNICZzNaeFMUjc1U3yPhhdBAIPidfvH+Yg3U6FfT7k0R/LSsRa7yph2fopshnpt0rb3f/jxxY34jlcxa7c8OOCyxw/7OdFKeKLycFWoQ0Fh4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=TsG65N+w; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; 
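Review bot: the out_gk label in rxgk_verify_response() is also reached by fall-through on the success path, so rxgk_put(gk) now runs on every exit from this point on, yet the commit message does not say which exits leaked before. Please state that in the changelog, and confirm that no `goto out` remains between the point where gk is obtained and the first `goto out_gk` shown here, since any such exit would still skip the put.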
From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v5 19/21] rxrpc: Fix buffer overread in rxgk_do_verify_authenticator() Date: Wed, 8 Apr 2026 13:12:47 +0100 Message-ID: <20260408121252.2249051-20-dhowells@redhat.com> In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com> References: <20260408121252.2249051-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Content-Type: text/plain; charset="utf-8" Fix rxgk_do_verify_authenticator() to check the buffer size before checking the nonce. Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (G= SSAPI)") Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@r= edhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/rxgk.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c index c67e3c2ca871..0d5e654da918 100644 --- a/net/rxrpc/rxgk.c +++ b/net/rxrpc/rxgk.c @@ -1085,6 +1085,9 @@ static int rxgk_do_verify_authenticator(struct rxrpc_= connection *conn, =20 _enter(""); =20 + if ((end - p) * sizeof(__be32) < 24) + return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, + rxgk_abort_resp_short_auth); if (memcmp(p, conn->rxgk.nonce, 20) !=3D 0) return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, rxgk_abort_resp_bad_nonce); 
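Review bot: the new length check in rxgk_do_verify_authenticator() is written in bytes, `(end - p) * sizeof(__be32) < 24`, while the existing check further down is in words, `end - p < 4`. The multiplication converts the pointer difference to an unsigned type, so the test only holds if end >= p is guaranteed on entry, and the 24 is not explained next to a memcmp() of 20 bytes. Suggest `end - p < 6` to match the later check, with a comment naming what the six words cover.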
@@ -1098,7 +1101,7 @@ static int rxgk_do_verify_authenticator(struct rxrpc_= connection *conn, p +=3D xdr_round_up(app_len) / sizeof(__be32); if (end - p < 4) return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, - rxgk_abort_resp_short_applen); + rxgk_abort_resp_short_auth); =20 level =3D ntohl(*p++); epoch =3D ntohl(*p++); From nobody Fri Apr 10 16:15:08 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 59BBE34AAF7 for ; Wed, 8 Apr 2026 12:15:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775650513; cv=none; b=EHNt1IJCwadh9MkYsTtzXf+IKZ7ZF1RvARm6H4r33SdBXRVm1WL+oFMJG9RjtzCBHL15GV7fuNUm/yoeXpG/9jfRKj1n34jCca2k3XDTzRC3itzvCQ1A4X58o4NFqI8gYTbFZcVRfUPCsk+lXPAl4A5NCJvsrkbOjLV1oUAu52g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775650513; c=relaxed/simple; bh=wEzSkK7Crlc3chEp2Nz/wl2pXtl4IbkDnHmIcED4Q9o=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=qpnLf3hiCjIPshIM4Mq08/9aFF3TQagU0/+gbaz3i+UTUPZrPkWb+JcNAhEwOUI5ps8YseojAfVugAo4gyD8ZANmzw+a1AyZo0P8HMKIuqKjKZIfW/oz8KTCWxOhScEKqwOWe5Yj8iK3nm50byzFfaB+ClkKP9PNd/uklI213yg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=XXGb9dV0; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) 
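Review bot: the second hunk changes the abort reason for the check after app_len from rxgk_abort_resp_short_applen to rxgk_abort_resp_short_auth, so both short-buffer exits now report the same reason and a trace can no longer tell them apart. The diffstat touches only net/rxrpc/rxgk.c, so please confirm rxgk_abort_resp_short_auth is already defined for the tracepoint and say in the changelog why the distinct reason is dropped.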
From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Wang Jie , Yifan Wu , Juefei Pu , Yuan Tan , Xin Liu , Yang Yang , Jeffrey Altman , Simon Horman , stable@kernel.org Subject: [PATCH net v5 20/21] rxrpc: only handle RESPONSE during service challenge Date: Wed, 8 Apr 2026 13:12:48 +0100 Message-ID: <20260408121252.2249051-21-dhowells@redhat.com> In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com> References: <20260408121252.2249051-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Content-Type: text/plain; charset="utf-8" From: Wang Jie Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test. Fixes: 17926a79320a ("net: AF_RXRPC: Provide secure RxRPC sockets for use b= y userspace and kernel both") Reported-by: Yifan Wu Reported-by: Juefei Pu Co-developed-by: Yuan Tan Signed-off-by: Yuan Tan Suggested-by: Xin Liu Signed-off-by: Jie Wang Signed-off-by: Yang Yang Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/conn_event.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) 
diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c index c50cbfc5a313..9a41ec708aeb 100644 --- a/net/rxrpc/conn_event.c +++ b/net/rxrpc/conn_event.c @@ -247,6 +247,7 @@ static int rxrpc_process_event(struct rxrpc_connection = *conn, struct sk_buff *skb) { struct rxrpc_skb_priv *sp =3D rxrpc_skb(skb); + bool secured =3D false; int ret; =20 if (conn->state =3D=3D RXRPC_CONN_ABORTED) @@ -262,6 +263,13 @@ static int rxrpc_process_event(struct rxrpc_connection= *conn, return ret; =20 case RXRPC_PACKET_TYPE_RESPONSE: + spin_lock_irq(&conn->state_lock); + if (conn->state !=3D RXRPC_CONN_SERVICE_CHALLENGING) { + spin_unlock_irq(&conn->state_lock); + return 0; + } + spin_unlock_irq(&conn->state_lock); + ret =3D conn->security->verify_response(conn, skb); if (ret < 0) return ret; 
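Review bot: in the RXRPC_PACKET_TYPE_RESPONSE case the state is tested under state_lock but the lock is dropped before verify_response() runs, so the test and the work it guards are not atomic. Two RESPONSE packets handled at the same time could both see RXRPC_CONN_SERVICE_CHALLENGING and both run verification; if rxrpc_process_event() is serialised per connection, say so in a comment here, otherwise the early check narrows the window without closing it.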
@@ -272,11 +280,13 @@ static int rxrpc_process_event(struct rxrpc_connectio= n *conn, return ret; =20 spin_lock_irq(&conn->state_lock); - if (conn->state =3D=3D RXRPC_CONN_SERVICE_CHALLENGING) + if (conn->state =3D=3D RXRPC_CONN_SERVICE_CHALLENGING) { conn->state =3D RXRPC_CONN_SERVICE; + secured =3D true; + } spin_unlock_irq(&conn->state_lock); =20 - if (conn->state =3D=3D RXRPC_CONN_SERVICE) { + if (secured) { /* Offload call state flipping to the I/O thread. As * we've already received the packet, put it on the * front of the queue. From nobody Fri Apr 10 16:15:08 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 63B673CCFCA for ; Wed, 8 Apr 2026 12:15:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775650517; cv=none; b=OKzPUxo9q314g/ZvWCpJWBsZiNsiUu5Hi3k3P19pLm9oIlpb5BgAZ1gJKrtmBwuqT76eq4c2mPERSblKgo7s1GnCqPYtLXRM06mw3YJgyLY1camCBPFV4qULuEwQ2gEciiWyNf1q8NeqirVyJcvMJiEC2s+EHhx1ZpQICVYmpqs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775650517; c=relaxed/simple; bh=Et6yGs720kVknMVl9s0I+XX4KouT4cXatpKU16ThSGE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=aX4QKpzc7ZewXsBSNtN0Lw8vgNMwrjcNamd054cu6onoB0zlQ7qD6PDi3mk3Zuc53kMg9bfzFW1Q3+sqYBXKpTf7R+dQXgps6xW3MeqnnFJ4zXFqQHT7gSo7i15megS4boPgxYbUCst1ED1qr4Ay43HCyn1TJKW/4erA/unP4Co= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=GL82x/e5; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass 
From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Pengpeng Hou, Anderson Nascimento, Simon Horman, stable@kernel.org
Subject: [PATCH net v5 21/21] rxrpc: proc: size address buffers for %pISpc output
Date: Wed, 8 Apr 2026 13:12:49 +0100
Message-ID: <20260408121252.2249051-22-dhowells@redhat.com>
In-Reply-To: <20260408121252.2249051-1-dhowells@redhat.com>
References: <20260408121252.2249051-1-dhowells@redhat.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111
Content-Type: text/plain; charset="utf-8"

From: Pengpeng Hou

The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc".

That is too small for the longest current-tree IPv6-with-port form the formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6_addr_is_isatap().

As a result, a case such as

    [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535

is possible with the current formatter. That is 50 visible characters, so 51 bytes including the trailing NUL, which does not fit in the existing char[50] buffers used by net/rxrpc/proc.c.

Size the buffers from the formatter's maximum textual form and switch the call sites to scnprintf().

Changes since v1:
- correct the changelog to cite the actual maximum current-tree case explicitly
- frame the proof around the ISATAP formatting path instead of the earlier mapped-v4 example

Fixes: 75b54cb57ca3 ("rxrpc: Add IPv6 support")
Signed-off-by: Pengpeng Hou
Signed-off-by: David Howells cc: Marc Dionne cc: Anderson Nascimento cc: Eric Dumazet cc: "David S. Miller" cc: Jakub Kicinski cc: Paolo Abeni cc: Simon Horman cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: stable@kernel.org --- net/rxrpc/proc.c | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/net/rxrpc/proc.c b/net/rxrpc/proc.c index 7755fca5beb8..e9a27fa7b25d 100644 --- a/net/rxrpc/proc.c +++ b/net/rxrpc/proc.c @@ -10,6 +10,10 @@ #include #include "ar-internal.h" =20 +#define RXRPC_PROC_ADDRBUF_SIZE \ + (sizeof("[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255]") + \ + sizeof(":12345")) + static const char *const rxrpc_conn_states[RXRPC_CONN__NR_STATES] =3D { [RXRPC_CONN_UNUSED] =3D "Unused ", [RXRPC_CONN_CLIENT_UNSECURED] =3D "ClUnsec ", @@ -53,7 +57,7 @@ static int rxrpc_call_seq_show(struct seq_file *seq, void= *v) struct rxrpc_net *rxnet =3D rxrpc_net(seq_file_net(seq)); enum rxrpc_call_state state; rxrpc_seq_t tx_bottom; - char lbuff[50], rbuff[50]; + char lbuff[RXRPC_PROC_ADDRBUF_SIZE], rbuff[RXRPC_PROC_ADDRBUF_SIZE]; long timeout =3D 0; =20 if (v =3D=3D &rxnet->calls) { @@ -69,11 +73,11 @@ static int rxrpc_call_seq_show(struct seq_file *seq, vo= id *v) =20 local =3D call->local; if (local) - sprintf(lbuff, "%pISpc", &local->srx.transport); + scnprintf(lbuff, sizeof(lbuff), "%pISpc", &local->srx.transport); else strcpy(lbuff, "no_local"); =20 - sprintf(rbuff, "%pISpc", &call->dest_srx.transport); + scnprintf(rbuff, sizeof(rbuff), "%pISpc", &call->dest_srx.transport); =20 state =3D rxrpc_call_state(call); if (state !=3D RXRPC_CALL_SERVER_PREALLOC) 
@@ -142,7 +146,7 @@ static int rxrpc_connection_seq_show(struct seq_file *s= eq, void *v) struct rxrpc_connection *conn; struct rxrpc_net *rxnet =3D rxrpc_net(seq_file_net(seq)); const char *state; - char lbuff[50], rbuff[50]; + char lbuff[RXRPC_PROC_ADDRBUF_SIZE], rbuff[RXRPC_PROC_ADDRBUF_SIZE]; =20 if (v =3D=3D &rxnet->conn_proc_list) { seq_puts(seq, @@ -161,8 +165,8 @@ static int rxrpc_connection_seq_show(struct seq_file *s= eq, void *v) goto print; } =20 - sprintf(lbuff, "%pISpc", &conn->local->srx.transport); - sprintf(rbuff, "%pISpc", &conn->peer->srx.transport); + scnprintf(lbuff, sizeof(lbuff), "%pISpc", &conn->local->srx.transport); + scnprintf(rbuff, sizeof(rbuff), "%pISpc", &conn->peer->srx.transport); print: state =3D rxrpc_is_conn_aborted(conn) ? rxrpc_call_completions[conn->completion] : @@ -228,7 +232,7 @@ static int rxrpc_bundle_seq_show(struct seq_file *seq, = void *v) { struct rxrpc_bundle *bundle; struct rxrpc_net *rxnet =3D rxrpc_net(seq_file_net(seq)); - char lbuff[50], rbuff[50]; + char lbuff[RXRPC_PROC_ADDRBUF_SIZE], rbuff[RXRPC_PROC_ADDRBUF_SIZE]; =20 if (v =3D=3D &rxnet->bundle_proc_list) { seq_puts(seq, @@ -242,8 +246,8 @@ static int rxrpc_bundle_seq_show(struct seq_file *seq, = void *v) =20 bundle =3D list_entry(v, struct rxrpc_bundle, proc_link); =20 - sprintf(lbuff, "%pISpc", &bundle->local->srx.transport); - sprintf(rbuff, "%pISpc", &bundle->peer->srx.transport); + scnprintf(lbuff, sizeof(lbuff), "%pISpc", &bundle->local->srx.transport); + scnprintf(rbuff, sizeof(rbuff), "%pISpc", &bundle->peer->srx.transport); seq_printf(seq, "UDP %-47.47s %-47.47s %4x %3u %3d" " %c%c%c %08x | %08x %08x %08x %08x %08x\n", @@ -279,7 +283,7 @@ static int rxrpc_peer_seq_show(struct seq_file *seq, vo= id *v) { struct rxrpc_peer *peer; time64_t now; - char lbuff[50], rbuff[50]; + char lbuff[RXRPC_PROC_ADDRBUF_SIZE], rbuff[RXRPC_PROC_ADDRBUF_SIZE]; =20 if (v =3D=3D SEQ_START_TOKEN) { seq_puts(seq, 
@@ -290,9 +294,9 @@ static int rxrpc_peer_seq_show(struct seq_file *seq, vo= id *v) =20 peer =3D list_entry(v, struct rxrpc_peer, hash_link); =20 - sprintf(lbuff, "%pISpc", &peer->local->srx.transport); + scnprintf(lbuff, sizeof(lbuff), "%pISpc", &peer->local->srx.transport); =20 - sprintf(rbuff, "%pISpc", &peer->srx.transport); + scnprintf(rbuff, sizeof(rbuff), "%pISpc", &peer->srx.transport); =20 now =3D ktime_get_seconds(); seq_printf(seq, @@ -401,7 +405,7 @@ const struct seq_operations rxrpc_peer_seq_ops =3D { static int rxrpc_local_seq_show(struct seq_file *seq, void *v) { struct rxrpc_local *local; - char lbuff[50]; + char lbuff[RXRPC_PROC_ADDRBUF_SIZE]; =20 if (v =3D=3D SEQ_START_TOKEN) { seq_puts(seq, @@ -412,7 +416,7 @@ static int rxrpc_local_seq_show(struct seq_file *seq, v= oid *v) =20 local =3D hlist_entry(v, struct rxrpc_local, link); =20 - sprintf(lbuff, "%pISpc", &local->srx.transport); + scnprintf(lbuff, sizeof(lbuff), "%pISpc", &local->srx.transport); =20 seq_printf(seq, "UDP %-47.47s %3u %3u %3u\n",
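Review bot: RXRPC_PROC_ADDRBUF_SIZE, added in the first hunk of net/rxrpc/proc.c, has no comment saying what it is sized for, and it sums two sizeof() string literals so the trailing NUL is counted twice. The result (48 + 7 = 55 bytes) is above the 51 bytes the changelog derives, so the size is safe, but a one-line comment naming "%pISpc" and the bracketed IPv6 with dotted-quad tail plus port form would let the next reader check it without re-deriving it, and subtracting one would make the macro match the stated maximum textual form exactly.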
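Review bot: the seq_printf() calls that consume these buffers still use "%-47.47s" (visible as context in the rxrpc_bundle_seq_show and rxrpc_local_seq_show hunks), so the 50-character case from the changelog no longer overruns the stack buffer but is still cut to 47 characters in the procfs output, dropping the end of the port. If the full address is meant to be readable, the field precision needs to grow with the buffer; if the clipped display is intentional to keep the column layout stable for existing readers, the changelog should say so.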
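Review bot: in the rxrpc_call_seq_show hunk (@@ -69,11 +73,11 @@) both sprintf() calls become scnprintf(), but the else branch keeps strcpy(lbuff, "no_local"). The literal fits, so this is not a bug, but it is the one unbounded write left in these helpers after the patch; strscpy(lbuff, "no_local", sizeof(lbuff)) would keep every write into lbuff bounded by the same sizeof() and avoid a future reviewer having to re-check it.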
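The changelog's length argument, worked through as an added user-space example that is not part of the patch or of lib/vsprintf.c. model_pISpc() and uses_v4_tail() are hypothetical stand-ins for the kernel formatter (zero-run compression is omitted and the ISATAP test is an assumption about the upstream helper), and the address bytes are a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: models the two cases the changelog says select a
 * dotted-quad tail in lib/vsprintf.c (v4mapped or ISATAP). */
static int uses_v4_tail(const uint8_t a[16])
{
	static const uint8_t mapped[12] = { 0,0,0,0,0,0,0,0,0,0,0xff,0xff };
	int isatap = (a[8] | 0x02) == 0x02 && a[9] == 0 &&
		     a[10] == 0x5e && a[11] == 0xfe;
	return isatap || memcmp(a, mapped, 12) == 0;
}

/* Simplified model of "%pISpc" for AF_INET6: "[addr]:port".  The "::"
 * zero-run compression is left out because it only shortens the text.
 * Returns the length that was needed, like snprintf(). */
static int model_pISpc(char *buf, size_t size, const uint8_t a[16], unsigned port)
{
	char tmp[64];
	int n = 0, groups = uses_v4_tail(a) ? 6 : 8;

	tmp[n++] = '[';
	for (int i = 0; i < groups; i++)
		n += sprintf(tmp + n, "%s%x", i ? ":" : "",
			     (unsigned)((a[2 * i] << 8) | a[2 * i + 1]));
	if (groups == 6)
		n += sprintf(tmp + n, ":%u.%u.%u.%u", a[12], a[13], a[14], a[15]);
	sprintf(tmp + n, "]:%u", port & 0xffff);
	return snprintf(buf, size, "%s", tmp);	/* bounded copy, reports need */
}

/* Constructed sample: the ISATAP-form address quoted in the changelog. */
static const uint8_t worst_case[16] = {
	0xff,0xff, 0xff,0xff, 0xff,0xff, 0xff,0xff,
	0x00,0x00, 0x5e,0xfe, 0xff,0xff, 0xff,0xff };
#define OLD_SIZE 50	/* the char[50] buffers the patch removes */
#define NEW_SIZE (sizeof("[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255]") + \
		  sizeof(":12345"))

int main(void)
{
	char oldbuf[OLD_SIZE], newbuf[NEW_SIZE];
	int need = model_pISpc(oldbuf, sizeof(oldbuf), worst_case, 65535);
	model_pISpc(newbuf, sizeof(newbuf), worst_case, 65535);
	printf("need %d+1 bytes; char[%d] keeps \"%s\"\n", need, OLD_SIZE, oldbuf);
	printf("char[%zu] keeps \"%s\"\n", sizeof(newbuf), newbuf);
	return 0;
}
```

An unbounded sprintf() into the 50-byte buffer would have written the 51st byte (the NUL) past the end; the bounded call instead clips the text and reports the length it needed.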