From: Simon Horman <horms@kernel.org>
To: Anderson Nascimento <anderson@allelesecurity.com>
Cc: dhowells@redhat.com, marc.dionne@auristor.com,
	davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, linux-afs@lists.infradead.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] rxrpc: Fix keyring reference count leak in rxrpc_setsockopt()
Date: Thu, 19 Mar 2026 16:10:04 +0000
Message-ID: <20260319161004.GH1753385@horms.kernel.org>
In-Reply-To: <20260313132327.409785-2-anderson@allelesecurity.com>

On Fri, Mar 13, 2026 at 10:23:26AM -0300, Anderson Nascimento wrote:
> In rxrpc_setsockopt(), the code checks 'rx->key' when handling the
> RXRPC_SECURITY_KEYRING option. However, this appears to be a logic error.
> The code should be checking 'rx->securities' to determine if a keyring
> has already been defined for the socket.
> 
> Currently, if a user calls setsockopt(RXRPC_SECURITY_KEYRING) multiple
> times on the same socket, the check 'if (rx->key)' fails to block
> subsequent calls because 'rx->key' has not been defined by the function.
> This results in a reference count leak on the keyring.
> 
> This patch changes the check to 'rx->securities' to correctly identify
> if the socket security keyring has already been configured, returning -EINVAL
> on subsequent attempts.
> 
> Before the patch:
> 
> It shows the keyring reference counter elevated.
> 
> $ cat /proc/keys | grep AFSkeys1
> 27aca8ae I--Q--- 24469721 perm 3f010000  1000  1000 keyring   AFSkeys1: empty
> $
> 
> After the patch:
> 
> The keyring reference counter remains stable and subsequent calls return an error:
> 
> $ ./poc
> setsockopt: Invalid argument
> $
> 
> Fixes: 17926a7 ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")

nit: Please use 12 (or more if needed to avoid a collision) bytes
     for the hash in Fixes tags.

> Signed-off-by: Anderson Nascimento <anderson@allelesecurity.com>

...
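
The leak described in the quoted commit message, as an added userspace model that is not code from the patch or from the kernel. The struct layouts and the helper names (keyring_get, set_keyring_before, set_keyring_after, usage_after_calls) are assumptions; only rx->key, rx->securities and -EINVAL come from the message.

```c
/* Userspace model of the check described in the quoted commit message.
 * Not kernel code: struct layouts and helper names are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct keyring { int usage; };        /* stand-in for a keyring's refcount */

struct rx_sock {
    struct keyring *key;              /* models rx->key: never written by this option */
    struct keyring *securities;       /* models rx->securities: written by this option */
};

/* Models the keyring lookup: it takes a reference on behalf of the caller. */
static struct keyring *keyring_get(struct keyring *k) { k->usage++; return k; }

/* Check as described before the patch: it tests rx->key, which this path
 * never sets, so each call takes another reference and overwrites the pointer. */
static int set_keyring_before(struct rx_sock *rx, struct keyring *k)
{
    if (rx->key)
        return -EINVAL;
    rx->securities = keyring_get(k);  /* earlier reference is never dropped */
    return 0;
}

/* Check as described after the patch: it tests the field this path sets. */
static int set_keyring_after(struct rx_sock *rx, struct keyring *k)
{
    if (rx->securities)
        return -EINVAL;
    rx->securities = keyring_get(k);
    return 0;
}

/* Calls the handler n times on a fresh socket and returns the final refcount. */
static int usage_after_calls(int (*fn)(struct rx_sock *, struct keyring *),
                             int n, int *last_ret)
{
    struct keyring k = { .usage = 1 };  /* constructed: 1 = the owner's reference */
    struct rx_sock rx = { NULL, NULL };
    for (int i = 0; i < n; i++)
        *last_ret = fn(&rx, &k);
    return k.usage;
}

int main(void)
{
    int ret, before = usage_after_calls(set_keyring_before, 5, &ret);
    int after = usage_after_calls(set_keyring_after, 5, &ret);
    printf("before: usage=%d  after: usage=%d last_ret=%d\n", before, after, ret);
    return 0;
}
```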
