From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman, stable@kernel.org
Subject: [PATCH net 1/4] rxrpc: Fix memory leaks in rxkad_verify_response()
Date: Mon, 20 Apr 2026 15:58:54 +0100
Message-ID: <20260420145900.1223732-2-dhowells@redhat.com>
In-Reply-To: <20260420145900.1223732-1-dhowells@redhat.com>
References: <20260420145900.1223732-1-dhowells@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable

Fix rxkad_verify_response() to free ticket by using a __free() construct
rather than explicitly freeing it. Also fix rxkad_verify_response() to free
the server key by using a __free() construct.

Fixes: 57af281e5389 ("rxrpc: Tidy up abort generation infrastructure")
Fixes: ec832bd06d6f ("rxrpc: Don't retain the server key in the connection")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells
cc: Marc Dionne
cc: Jeffrey Altman
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 include/linux/key.h |   2 +
 net/rxrpc/rxkad.c   | 133 +++++++++++++++-----------------------------
 2 files changed, 48 insertions(+), 87 deletions(-)

diff --git a/include/linux/key.h b/include/linux/key.h index 81b8f05c6898..1cafbc3827c2 100644 --- a/include/linux/key.h +++ b/include/linux/key.h
@@ -304,6 +304,8 @@ extern void key_put(struct key *key); extern bool key_put_tag(struct key_tag *tag); extern void key_remove_domain(struct key_tag *domain_tag); =20 +DEFINE_FREE(key_put, struct key *, if (!IS_ERR(_T)) key_put(_T)) + static inline struct key *__key_get(struct key *key) { refcount_inc(&key->usage); diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c index eb7f2769d2b1..0acdc46f42c2 100644 --- a/net/rxrpc/rxkad.c +++ b/net/rxrpc/rxkad.c @@ -1131,21 +1131,20 @@ static int rxkad_decrypt_response(struct rxrpc_conn= ection *conn, static int rxkad_verify_response(struct rxrpc_connection *conn, struct sk_buff *skb) { - struct rxkad_response *response; struct rxrpc_skb_priv *sp =3D rxrpc_skb(skb); struct rxrpc_crypt session_key; - struct key *server_key; time64_t expiry; - void *ticket; u32 version, kvno, ticket_len, level; __be32 csum; int ret, i; =20 _enter("{%d}", conn->debug_id); =20 - server_key =3D rxrpc_look_up_server_security(conn, skb, 0, 0); + struct key *server_key __free(key_put) =3D + rxrpc_look_up_server_security(conn, skb, 0, 0); if (IS_ERR(server_key)) { ret =3D PTR_ERR(server_key); + server_key =3D NULL; switch (ret) { case -ENOKEY: return rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, ret, @@ -1160,16 +1159,15 @@ static int rxkad_verify_response(struct rxrpc_conne= ction *conn, } =20 ret =3D -ENOMEM; - response =3D kzalloc_obj(struct rxkad_response, GFP_NOFS); + struct rxkad_response *response __free(kfree) =3D + kzalloc_obj(struct rxkad_response, GFP_NOFS); if (!response) goto temporary_error; =20 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), - response, sizeof(*response)) < 0) { - rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, - rxkad_abort_resp_short); - goto protocol_error; - } + response, sizeof(*response)) < 0) + return rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, + rxkad_abort_resp_short); =20 version =3D ntohl(response->version); ticket_len =3D ntohl(response->ticket_len); 
@@ -1177,103 +1175,79 @@ static int rxkad_verify_response(struct rxrpc_conn= ection *conn, =20 trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len); =20 - if (version !=3D RXKAD_VERSION) { - rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO, - rxkad_abort_resp_version); - goto protocol_error; - } + if (version !=3D RXKAD_VERSION) + return rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO, + rxkad_abort_resp_version); =20 - if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) { - rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO, - rxkad_abort_resp_tkt_len); - goto protocol_error; - } + if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) + return rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO, + rxkad_abort_resp_tkt_len); =20 - if (kvno >=3D RXKAD_TKT_TYPE_KERBEROS_V5) { - rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO, - rxkad_abort_resp_unknown_tkt); - goto protocol_error; - } + if (kvno >=3D RXKAD_TKT_TYPE_KERBEROS_V5) + return rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO, + rxkad_abort_resp_unknown_tkt); =20 /* extract the kerberos ticket and decrypt and decode it */ ret =3D -ENOMEM; - ticket =3D kmalloc(ticket_len, GFP_NOFS); + void *ticket __free(kfree) =3D kmalloc(ticket_len, GFP_NOFS); if (!ticket) - goto temporary_error_free_resp; + goto temporary_error; =20 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*respons= e), - ticket, ticket_len) < 0) { - rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, - rxkad_abort_resp_short_tkt); - goto protocol_error; - } + ticket, ticket_len) < 0) + return rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, + rxkad_abort_resp_short_tkt); =20 ret =3D rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len, &session_key, &expiry); if (ret < 0) - goto temporary_error_free_ticket; + goto temporary_error; =20 /* use the session key from inside the ticket to decrypt the * response */ ret =3D rxkad_decrypt_response(conn, response, &session_key); 
if (ret < 0) - goto temporary_error_free_ticket; + goto temporary_error; =20 if (ntohl(response->encrypted.epoch) !=3D conn->proto.epoch || ntohl(response->encrypted.cid) !=3D conn->proto.cid || - ntohl(response->encrypted.securityIndex) !=3D conn->security_ix) { - rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, - rxkad_abort_resp_bad_param); - goto protocol_error_free; - } + ntohl(response->encrypted.securityIndex) !=3D conn->security_ix) + return rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, + rxkad_abort_resp_bad_param); =20 csum =3D response->encrypted.checksum; response->encrypted.checksum =3D 0; rxkad_calc_response_checksum(response); - if (response->encrypted.checksum !=3D csum) { - rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, - rxkad_abort_resp_bad_checksum); - goto protocol_error_free; - } + if (response->encrypted.checksum !=3D csum) + return rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, + rxkad_abort_resp_bad_checksum); =20 for (i =3D 0; i < RXRPC_MAXCALLS; i++) { u32 call_id =3D ntohl(response->encrypted.call_id[i]); u32 counter =3D READ_ONCE(conn->channels[i].call_counter); =20 - if (call_id > INT_MAX) { - rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, - rxkad_abort_resp_bad_callid); - goto protocol_error_free; - } - - if (call_id < counter) { - rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, - rxkad_abort_resp_call_ctr); - goto protocol_error_free; - } - + if (call_id > INT_MAX) + return rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, + rxkad_abort_resp_bad_callid); + if (call_id < counter) + return rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, + rxkad_abort_resp_call_ctr); if (call_id > counter) { - if (conn->channels[i].call) { - rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, - rxkad_abort_resp_call_state); - goto protocol_error_free; - } + if (conn->channels[i].call) + return rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, + rxkad_abort_resp_call_state); 
conn->channels[i].call_counter =3D call_id; } } =20 - if (ntohl(response->encrypted.inc_nonce) !=3D conn->rxkad.nonce + 1) { - rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO, - rxkad_abort_resp_ooseq); - goto protocol_error_free; - } + if (ntohl(response->encrypted.inc_nonce) !=3D conn->rxkad.nonce + 1) + return rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO, + rxkad_abort_resp_ooseq); =20 level =3D ntohl(response->encrypted.level); - if (level > RXRPC_SECURITY_ENCRYPT) { - rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO, - rxkad_abort_resp_level); - goto protocol_error_free; - } + if (level > RXRPC_SECURITY_ENCRYPT) + return rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO, + rxkad_abort_resp_level); conn->security_level =3D level; =20 /* create a key to hold the security data and expiration time - after 
@@ -1281,30 +1255,15 @@ static int rxkad_verify_response(struct rxrpc_conne= ction *conn, * as for a client connection */ ret =3D rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); if (ret < 0) - goto temporary_error_free_ticket; - - kfree(ticket); - kfree(response); + goto temporary_error; _leave(" =3D 0"); return 0; =20 -protocol_error_free: - kfree(ticket); -protocol_error: - kfree(response); - key_put(server_key); - return -EPROTO; - -temporary_error_free_ticket: - kfree(ticket); -temporary_error_free_resp: - kfree(response); temporary_error: /* Ignore the response packet if we got a temporary error such as * ENOMEM. We just want to send the challenge again. Note that we * also come out this way if the ticket decryption fails. */ - key_put(server_key); return ret; }
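
Review bot: In the include/linux/key.h hunk of patch 1/4, DEFINE_FREE(key_put, ...) already skips error pointers through `if (!IS_ERR(_T))`, yet the IS_ERR() branch in rxkad_verify_response() also adds `server_key = NULL`, so one of the two guards is redundant. Either drop the assignment or explain in a comment why both are wanted; as this is a new helper in a shared header, a one-line comment saying which values (NULL, ERR_PTR) may safely be left in the variable would help other callers.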
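
Review bot: In the net/rxrpc/rxkad.c hunks of patch 1/4, `if (!response) goto temporary_error;` now jumps forward over the later `void *ticket __free(kfree) = kmalloc(ticket_len, GFP_NOFS);` declaration to a label in the same scope, so `ticket` is uninitialised when its cleanup runs at `return ret`. With the unwinding labels removed, temporary_error only does `return ret`, so the remaining `goto temporary_error` sites can become direct returns, which removes the jump past the declaration and lets the comment under the label move to the call sites it describes.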

From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman, stable@kernel.org
Subject: [PATCH net 2/4] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
Date: Mon, 20 Apr 2026 15:58:55 +0100
Message-ID: <20260420145900.1223732-3-dhowells@redhat.com>
In-Reply-To: <20260420145900.1223732-1-dhowells@redhat.com>
References: <20260420145900.1223732-1-dhowells@redhat.com>

The security operations that verify the RESPONSE packets decrypt bits of it
in place - however, the sk_buff may be shared with a packet sniffer, which
would lead to the sniffer seeing an apparently corrupt packet (actually
decrypted).

Fix this by unsharing the skbuff before handing it off to the specific
security handler.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells
cc: Marc Dionne
cc: Jeffrey Altman
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/ar-internal.h |  2 +-
 net/rxrpc/conn_event.c  | 12 ++++++++++--
 net/rxrpc/io_thread.c   | 15 +++------------
 net/rxrpc/skbuff.c      | 26 ++++++++++++++++++++++----
 4 files changed, 36 insertions(+), 19 deletions(-)

diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h index 96ecb83c9071..fb04d2ffdb27 100644 --- a/net/rxrpc/ar-internal.h +++ b/net/rxrpc/ar-internal.h @@ -1486,7 +1486,7 @@ int rxrpc_server_keyring(struct rxrpc_sock *, sockptr= _t, int); void rxrpc_kernel_data_consumed(struct rxrpc_call *, struct sk_buff *); void rxrpc_new_skb(struct sk_buff *, enum rxrpc_skb_trace); void rxrpc_see_skb(struct sk_buff *, enum rxrpc_skb_trace); -void rxrpc_eaten_skb(struct sk_buff *, enum rxrpc_skb_trace); +struct sk_buff *rxrpc_unshare_skb(struct sk_buff **_old, gfp_t gfp); void rxrpc_get_skb(struct sk_buff *, enum rxrpc_skb_trace); void rxrpc_free_skb(struct sk_buff *, enum rxrpc_skb_trace); void rxrpc_purge_queue(struct sk_buff_head *); diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c index 9a41ec708aeb..3d56a5d23369 100644 --- a/net/rxrpc/conn_event.c +++ b/net/rxrpc/conn_event.c @@ -244,8 +244,9 @@ static void rxrpc_call_is_secure(struct rxrpc_call *cal= l) * connection-level Rx packet processor */ static int rxrpc_process_event(struct rxrpc_connection *conn, - struct sk_buff *skb) + struct sk_buff **_skb) { + struct sk_buff *skb =3D *_skb; struct rxrpc_skb_priv *sp =3D rxrpc_skb(skb); bool secured =3D false; int ret; @@ -270,6 +271,13 @@ static int rxrpc_process_event(struct rxrpc_connection= *conn, } spin_unlock_irq(&conn->state_lock); =20 + skb =3D rxrpc_unshare_skb(_skb, GFP_NOFS); + if (!skb) + return -ENOMEM; + + /* If unshared, skb will have changed. */ + sp =3D rxrpc_skb(skb); + ret =3D conn->security->verify_response(conn, skb); if (ret < 0) return ret; @@ -371,7 +379,7 @@ static void rxrpc_do_process_connection(struct rxrpc_co= nnection *conn) * connection that each one has when we've finished with it */ while ((skb =3D skb_dequeue(&conn->rx_queue))) { rxrpc_see_skb(skb, rxrpc_skb_see_conn_work); - ret =3D rxrpc_process_event(conn, skb); + ret =3D rxrpc_process_event(conn, &skb); switch (ret) { case -ENOMEM: case -EAGAIN: 
diff --git a/net/rxrpc/io_thread.c b/net/rxrpc/io_thread.c index 697956931925..0592ce644fc3 100644 --- a/net/rxrpc/io_thread.c +++ b/net/rxrpc/io_thread.c @@ -249,19 +249,10 @@ static bool rxrpc_input_packet(struct rxrpc_local *lo= cal, struct sk_buff **_skb) * decryption. */ if (sp->hdr.securityIndex !=3D 0) { - skb =3D skb_unshare(skb, GFP_ATOMIC); - if (!skb) { - rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem); - *_skb =3D NULL; + skb =3D rxrpc_unshare_skb(_skb, GFP_ATOMIC); + if (!skb) return just_discard; - } - - if (skb !=3D *_skb) { - rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare); - *_skb =3D skb; - rxrpc_new_skb(skb, rxrpc_skb_new_unshared); - sp =3D rxrpc_skb(skb); - } + sp =3D rxrpc_skb(skb); } break; =20 diff --git a/net/rxrpc/skbuff.c b/net/rxrpc/skbuff.c index 3bcd6ee80396..0dca9ca163f1 100644 --- a/net/rxrpc/skbuff.c +++ b/net/rxrpc/skbuff.c 
@@ -47,12 +47,30 @@ void rxrpc_get_skb(struct sk_buff *skb, enum rxrpc_skb_= trace why) } =20 /* - * Note the dropping of a ref on a socket buffer by the core. + * Do the unsharing of a socket buffer, noting the event in the traces. */ -void rxrpc_eaten_skb(struct sk_buff *skb, enum rxrpc_skb_trace why) +struct sk_buff *rxrpc_unshare_skb(struct sk_buff **_old, gfp_t gfp) { - int n =3D atomic_inc_return(&rxrpc_n_rx_skbs); - trace_rxrpc_skb(skb, 0, n, why); + struct sk_buff *skb, *old =3D *_old; + int n, r =3D refcount_read(&old->users); + + skb =3D skb_unshare(old, gfp); + if (!skb) { + n =3D atomic_dec_return(&rxrpc_n_rx_skbs); + trace_rxrpc_skb(old, r, n, rxrpc_skb_eaten_by_unshare_nomem); + *_old =3D NULL; + return skb; + } + + if (skb !=3D old) { + n =3D atomic_read(&rxrpc_n_rx_skbs); + trace_rxrpc_skb(old, r, n, rxrpc_skb_eaten_by_unshare); + trace_rxrpc_skb(skb, refcount_read(&skb->users), n, + rxrpc_skb_new_unshared); + *_old =3D skb; + } + + return skb; } =20 /*
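
Review bot: In the net/rxrpc/conn_event.c hunks of patch 2/4, a failed rxrpc_unshare_skb() makes rxrpc_process_event() return -ENOMEM after the helper has set `*_skb = NULL`, and the loop in rxrpc_do_process_connection() then enters `case -ENOMEM:` with that same `skb` variable. The body of that case lies outside the hunk, so please check that it does not requeue or otherwise dereference skb, or return a distinct error here so this failure can be told apart from an -ENOMEM out of verify_response(), where the skb is still valid.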
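
Review bot: In the net/rxrpc/skbuff.c hunk of patch 2/4, the rxrpc_n_rx_skbs accounting in rxrpc_unshare_skb() differs from the rxrpc_eaten_skb() it replaces: the old helper did atomic_inc_return() for both events, while the new code does atomic_dec_return() on the nomem path and only atomic_read() when the skb was copied. The commit message does not mention this, so it should say whether it is an intended accounting fix; the function comment could also state that *_old is set to NULL on failure and updated when a copy is made, since both callers rely on that.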

From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman, stable@kernel.org
Subject: [PATCH net 3/4] rxgk: Fix potential integer overflow in length check
Date: Mon, 20 Apr 2026 15:58:56 +0100
Message-ID: <20260420145900.1223732-4-dhowells@redhat.com>
In-Reply-To: <20260420145900.1223732-1-dhowells@redhat.com>
References: <20260420145900.1223732-1-dhowells@redhat.com>

Fix potential integer overflow in rxgk_extract_token() when checking the
length of the ticket. Rather than rounding up the value to be tested (which
might overflow), round down the size of the available data.

Fixes: 2429a1976481 ("rxrpc: Fix untrusted unsigned subtract")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells
cc: Marc Dionne
cc: Jeffrey Altman
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/rxgk_app.c    | 2 +-
 net/rxrpc/rxgk_common.h | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c index 30275cb5ba3e..5587639d60c5 100644
--- a/net/rxrpc/rxgk_app.c +++ b/net/rxrpc/rxgk_app.c @@ -214,7 +214,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, s= truct sk_buff *skb, ticket_len =3D ntohl(container.token_len); ticket_offset =3D token_offset + sizeof(container); =20 - if (xdr_round_up(ticket_len) > token_len - sizeof(container)) + if (ticket_len > xdr_round_down(token_len - sizeof(container))) goto short_packet; =20 _debug("KVNO %u", kvno); diff --git a/net/rxrpc/rxgk_common.h b/net/rxrpc/rxgk_common.h index 80164d89e19c..1e257d7ab8ec 100644 --- a/net/rxrpc/rxgk_common.h +++ b/net/rxrpc/rxgk_common.h 
@@ -34,6 +34,7 @@ struct rxgk_context { }; =20 #define xdr_round_up(x) (round_up((x), sizeof(__be32))) +#define xdr_round_down(x) (round_down((x), sizeof(__be32))) #define xdr_object_len(x) (4 + xdr_round_up(x)) =20 /*
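
Review bot: In the net/rxrpc/rxgk_app.c hunk of patch 3/4, the new comparison still evaluates `token_len - sizeof(container)` as an unsigned subtraction, and nothing in the hunk context shows that token_len has been checked to be at least sizeof(container); if it is smaller, the difference wraps and xdr_round_down() of it accepts almost any ticket_len. Please confirm that an earlier check guarantees this, or add `token_len < sizeof(container)` to the short_packet condition so the length check is self-contained.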

From: David Howells
To: netdev@vger.kernel.org
Cc: David Howells, Marc Dionne, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, Jeffrey Altman, stable@kernel.org
Subject: [PATCH net 4/4] rxrpc: Fix rxkad crypto unalignment handling
Date: Mon, 20 Apr 2026 15:58:57 +0100
Message-ID: <20260420145900.1223732-5-dhowells@redhat.com>
In-Reply-To: <20260420145900.1223732-1-dhowells@redhat.com>
References: <20260420145900.1223732-1-dhowells@redhat.com>

Fix handling of a packet with a misaligned crypto length. Also handle
non-ENOMEM errors from decryption by aborting. Further, remove the
WARN_ON_ONCE() so that it can't be remotely triggered (a trace line can
still be emitted).

Fixes: f93af41b9f5f ("rxrpc: Fix missing error checks for rxkad encryption/decryption failure")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
Signed-off-by: David Howells
cc: Marc Dionne
cc: Jeffrey Altman
cc: Eric Dumazet
cc: "David S. Miller"
cc: Jakub Kicinski
cc: Paolo Abeni
cc: Simon Horman
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 include/trace/events/rxrpc.h | 1 +
 net/rxrpc/rxkad.c            | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index 578b8038b211..5820d7e41ea0 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h
@@ -37,6 +37,7 @@ EM(rxkad_abort_1_short_encdata, "rxkad1-short-encdata") \ EM(rxkad_abort_1_short_header, "rxkad1-short-hdr") \ EM(rxkad_abort_2_short_check, "rxkad2-short-check") \ + EM(rxkad_abort_2_crypto_unaligned, "rxkad2-crypto-unaligned") \ EM(rxkad_abort_2_short_data, "rxkad2-short-data") \ EM(rxkad_abort_2_short_header, "rxkad2-short-hdr") \ EM(rxkad_abort_2_short_len, "rxkad2-short-len") \ diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c index 0acdc46f42c2..2c4697063ab2 100644 --- a/net/rxrpc/rxkad.c +++ b/net/rxrpc/rxkad.c @@ -510,6 +510,9 @@ static int rxkad_verify_packet_2(struct rxrpc_call *cal= l, struct sk_buff *skb, return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, rxkad_abort_2_short_header); =20 + /* Don't let the crypto algo see a misaligned length. */ + sp->len =3D round_down(sp->len, 8); + /* Decrypt the skbuff in-place. TODO: We really want to decrypt * directly into the target buffer. */ @@ -543,8 +546,10 @@ static int rxkad_verify_packet_2(struct rxrpc_call *ca= ll, struct sk_buff *skb, if (sg !=3D _sg) kfree(sg); if (ret < 0) { - WARN_ON_ONCE(ret !=3D -ENOMEM); - return ret; + if (ret =3D=3D -ENOMEM) + return ret; + return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, + rxkad_abort_2_crypto_unaligned); } =20 /* Extract the decrypted packet length */
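
Review bot: In the first net/rxrpc/rxkad.c hunk of patch 4/4, `sp->len = round_down(sp->len, 8);` silently drops up to 7 trailing bytes and overwrites the stored packet length instead of rejecting the packet, so everything after it in rxkad_verify_packet_2(), including the "Extract the decrypted packet length" step, works from the shortened value. Consider aborting when the length is not a multiple of 8, or rounding a local copy if truncation is intended, and name the 8 as the cipher block size rather than leaving a bare constant.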
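
Review bot: In the `if (ret < 0)` block of patch 4/4, every non-ENOMEM decryption error is now reported as rxkad_abort_2_crypto_unaligned, but the length has already been rounded down to a multiple of 8 earlier in the function, so misalignment is the one cause this path should no longer see. A neutral reason name describing a decryption failure would keep the trace from pointing at the wrong cause; the new EM() entry in include/trace/events/rxrpc.h is also placed after rxkad_abort_2_short_check, out of the otherwise alphabetical order.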