From: David Howells <dhowells@redhat.com>
To: netdev@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org,
Anderson Nascimento <anderson@allelesecurity.com>,
Jeffrey Altman <jaltman@auristor.com>,
Simon Horman <horms@kernel.org>,
stable@kernel.org
Subject: [PATCH net v2 09/10] rxrpc: Fix keyring reference count leak in rxrpc_setsockopt()
Date: Mon, 23 Mar 2026 15:05:00 +0000 [thread overview]
Message-ID: <20260323150505.3513839-10-dhowells@redhat.com> (raw)
In-Reply-To: <20260323150505.3513839-1-dhowells@redhat.com>
From: Anderson Nascimento <anderson@allelesecurity.com>
In rxrpc_setsockopt(), the code checks 'rx->key' when handling the
RXRPC_SECURITY_KEYRING option. However, this appears to be a logic error.
The code should be checking 'rx->securities' to determine if a keyring has
already been defined for the socket.
Currently, if a user calls setsockopt(RXRPC_SECURITY_KEYRING) multiple
times on the same socket, the check 'if (rx->key)' fails to block
subsequent calls because 'rx->key' has not been defined by the function.
This results in a reference count leak on the keyring.
This patch changes the check to 'rx->securities' to correctly identify if
the socket security keyring has already been configured, returning -EINVAL
on subsequent attempts.
Before the patch:
It shows the keyring reference counter elevated.
$ cat /proc/keys | grep AFSkeys1
27aca8ae I--Q--- 24469721 perm 3f010000 1000 1000 keyring AFSkeys1: empty
$
After the patch:
The keyring reference counter remains stable and subsequent calls return an
error:
$ ./poc
setsockopt: Invalid argument
$
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Signed-off-by: Anderson Nascimento <anderson@allelesecurity.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
net/rxrpc/af_rxrpc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index 0f90272ac254..0b7ed99a3025 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -665,7 +665,7 @@ static int rxrpc_setsockopt(struct socket *sock, int level, int optname,
case RXRPC_SECURITY_KEYRING:
ret = -EINVAL;
- if (rx->key)
+ if (rx->securities)
goto error;
ret = -EISCONN;
if (rx->sk.sk_state != RXRPC_UNBOUND)
next prev parent reply other threads:[~2026-03-23 15:06 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-23 15:04 [PATCH net v2 00/10] rxrpc: Miscellaneous fixes David Howells
2026-03-23 15:04 ` [PATCH net v2 01/10] rxrpc: Fix key quota calculation for multitoken keys David Howells
2026-03-23 15:04 ` [PATCH net v2 02/10] rxrpc: Fix key parsing memleak David Howells
2026-03-23 15:04 ` [PATCH net v2 03/10] rxrpc: Fix anonymous key handling David Howells
2026-03-23 15:04 ` [PATCH net v2 04/10] list: Move on_list_rcu() to list.h and add on_list() also David Howells
2026-03-23 22:44 ` kernel test robot
2026-03-23 22:55 ` kernel test robot
2026-03-23 15:04 ` [PATCH net v2 05/10] rxrpc: Fix call removal to use RCU safe deletion David Howells
2026-03-23 15:04 ` [PATCH net v2 06/10] rxrpc: Fix RxGK token loading to check bounds David Howells
2026-03-23 15:04 ` [PATCH net v2 07/10] rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial David Howells
2026-03-23 15:04 ` [PATCH net v2 08/10] rxrpc: Fix rack timer warning to report unexpected mode David Howells
2026-03-23 15:05 ` David Howells [this message]
2026-03-23 15:05 ` [PATCH net v2 10/10] rxrpc: Fix key reference count leak from call->key David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260323150505.3513839-10-dhowells@redhat.com \
--to=dhowells@redhat.com \
--cc=anderson@allelesecurity.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jaltman@auristor.com \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.dionne@auristor.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.