From: David Howells <dhowells@redhat.com>
To: netdev@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org,
Luxiao Xu <rakukuip@gmail.com>, Yifan Wu <yifanwucs@gmail.com>,
Juefei Pu <tomapufckgml@gmail.com>,
Yuan Tan <yuantan098@gmail.com>, Xin Liu <bird@lzu.edu.cn>,
Ren Wei <enjou1224z@gmail.com>, Ren Wei <n05ec@lzu.edu.cn>,
Simon Horman <horms@kernel.org>,
stable@kernel.org
Subject: [PATCH net v4 15/15] rxrpc: fix reference count leak in rxrpc_server_keyring()
Date: Wed, 1 Apr 2026 11:56:08 +0100 [thread overview]
Message-ID: <20260401105614.1696001-16-dhowells@redhat.com> (raw)
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>
From: Luxiao Xu <rakukuip@gmail.com>
This patch fixes a reference count leak in rxrpc_server_keyring()
by checking if rx->securities is already set.
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
net/rxrpc/server_key.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/rxrpc/server_key.c b/net/rxrpc/server_key.c
index 36b05fd842a7..d4777851079f 100644
--- a/net/rxrpc/server_key.c
+++ b/net/rxrpc/server_key.c
@@ -125,6 +125,9 @@ int rxrpc_server_keyring(struct rxrpc_sock *rx, sockptr_t optval, int optlen)
_enter("");
+ if (rx->securities)
+ return -EEXIST;
+
if (optlen <= 0 || optlen > PAGE_SIZE - 1)
return -EINVAL;
next prev parent reply other threads:[~2026-04-01 10:58 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-01 10:55 [PATCH net v4 00/15] rxrpc: Miscellaneous fixes David Howells
2026-04-01 10:55 ` [PATCH net v4 01/15] rxrpc: Fix key quota calculation for multitoken keys David Howells
2026-04-01 10:55 ` [PATCH net v4 02/15] rxrpc: Fix key parsing memleak David Howells
2026-04-01 10:55 ` [PATCH net v4 03/15] rxrpc: Fix anonymous key handling David Howells
2026-04-01 10:55 ` [PATCH net v4 04/15] rxrpc: Fix call removal to use RCU safe deletion David Howells
2026-04-01 12:42 ` David Howells
2026-04-01 10:55 ` [PATCH net v4 05/15] rxrpc: Fix RxGK token loading to check bounds David Howells
2026-04-01 10:55 ` [PATCH net v4 06/15] rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial David Howells
2026-04-01 10:56 ` [PATCH net v4 07/15] rxrpc: Fix rack timer warning to report unexpected mode David Howells
2026-04-01 10:56 ` [PATCH net v4 08/15] rxrpc: Fix keyring reference count leak in rxrpc_setsockopt() David Howells
2026-04-01 10:56 ` [PATCH net v4 09/15] rxrpc: Fix key reference count leak from call->key David Howells
2026-04-01 10:56 ` [PATCH net v4 10/15] rxrpc: Fix to request an ack if window is limited David Howells
2026-04-01 10:56 ` [PATCH net v4 11/15] rxrpc: Only put the call ref if one was acquired David Howells
2026-04-01 10:56 ` [PATCH net v4 12/15] rxrpc: reject undecryptable rxkad response tickets David Howells
2026-04-01 10:56 ` [PATCH net v4 13/15] rxrpc: fix RESPONSE authenticator parser OOB read David Howells
2026-04-01 10:56 ` [PATCH net v4 14/15] rxrpc: fix oversized RESPONSE authenticator length check David Howells
2026-04-01 10:56 ` David Howells [this message]
2026-04-01 16:14 ` [PATCH net v4 15/15] rxrpc: fix reference count leak in rxrpc_server_keyring() Anderson Nascimento
2026-04-01 19:32 ` David Howells
2026-04-02 2:22 ` Jakub Kicinski
2026-04-08 10:49 ` David Howells
2026-04-08 17:52 ` Jakub Kicinski
2026-04-08 10:50 ` David Howells
2026-04-08 10:53 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260401105614.1696001-16-dhowells@redhat.com \
--to=dhowells@redhat.com \
--cc=bird@lzu.edu.cn \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=enjou1224z@gmail.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.dionne@auristor.com \
--cc=n05ec@lzu.edu.cn \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=rakukuip@gmail.com \
--cc=stable@kernel.org \
--cc=tomapufckgml@gmail.com \
--cc=yifanwucs@gmail.com \
--cc=yuantan098@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.