From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
Jeffrey Altman <jaltman@auristor.com>,
Simon Horman <horms@kernel.org>,
linux-afs@lists.infradead.org, stable@kernel.org,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 6.12 68/70] rxrpc: Fix missing error checks for rxkad encryption/decryption failure
Date: Mon, 13 Apr 2026 18:01:03 +0200 [thread overview]
Message-ID: <20260413155730.715530249@linuxfoundation.org> (raw)
In-Reply-To: <20260413155728.181580293@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
commit f93af41b9f5f798823d0d0fb8765c2a936d76270 upstream.
Add error checking for failure of crypto_skcipher_en/decrypt() to various
rxkad function as the crypto functions can fail with ENOMEM at least.
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-17-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rxrpc/rxkad.c | 57 ++++++++++++++++++++++++++++++++++++------------------
1 file changed, 38 insertions(+), 19 deletions(-)
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -189,6 +189,7 @@ static int rxkad_prime_packet_security(s
struct rxrpc_crypt iv;
__be32 *tmpbuf;
size_t tmpsize = 4 * sizeof(__be32);
+ int ret;
_enter("");
@@ -217,13 +218,13 @@ static int rxkad_prime_packet_security(s
skcipher_request_set_sync_tfm(req, ci);
skcipher_request_set_callback(req, 0, NULL, NULL);
skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
- crypto_skcipher_encrypt(req);
+ ret = crypto_skcipher_encrypt(req);
skcipher_request_free(req);
memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));
kfree(tmpbuf);
- _leave(" = 0");
- return 0;
+ _leave(" = %d", ret);
+ return ret;
}
/*
@@ -257,6 +258,7 @@ static int rxkad_secure_packet_auth(cons
struct scatterlist sg;
size_t pad;
u16 check;
+ int ret;
_enter("");
@@ -279,11 +281,11 @@ static int rxkad_secure_packet_auth(cons
skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
skcipher_request_set_callback(req, 0, NULL, NULL);
skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
- crypto_skcipher_encrypt(req);
+ ret = crypto_skcipher_encrypt(req);
skcipher_request_zero(req);
- _leave(" = 0");
- return 0;
+ _leave(" = %d", ret);
+ return ret;
}
/*
@@ -342,7 +344,7 @@ static int rxkad_secure_packet(struct rx
union {
__be32 buf[2];
} crypto __aligned(8);
- u32 x, y;
+ u32 x, y = 0;
int ret;
_enter("{%d{%x}},{#%u},%u,",
@@ -373,8 +375,10 @@ static int rxkad_secure_packet(struct rx
skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
skcipher_request_set_callback(req, 0, NULL, NULL);
skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
- crypto_skcipher_encrypt(req);
+ ret = crypto_skcipher_encrypt(req);
skcipher_request_zero(req);
+ if (ret < 0)
+ goto out;
y = ntohl(crypto.buf[1]);
y = (y >> 16) & 0xffff;
@@ -397,6 +401,7 @@ static int rxkad_secure_packet(struct rx
break;
}
+out:
skcipher_request_free(req);
_leave(" = %d [set %x]", ret, y);
return ret;
@@ -437,8 +442,10 @@ static int rxkad_verify_packet_1(struct
skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
skcipher_request_set_callback(req, 0, NULL, NULL);
skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
- crypto_skcipher_decrypt(req);
+ ret = crypto_skcipher_decrypt(req);
skcipher_request_zero(req);
+ if (ret < 0)
+ return ret;
/* Extract the decrypted packet length */
if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
@@ -515,10 +522,14 @@ static int rxkad_verify_packet_2(struct
skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
skcipher_request_set_callback(req, 0, NULL, NULL);
skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x);
- crypto_skcipher_decrypt(req);
+ ret = crypto_skcipher_decrypt(req);
skcipher_request_zero(req);
if (sg != _sg)
kfree(sg);
+ if (ret < 0) {
+ WARN_ON_ONCE(ret != -ENOMEM);
+ return ret;
+ }
/* Extract the decrypted packet length */
if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
@@ -586,8 +597,10 @@ static int rxkad_verify_packet(struct rx
skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
skcipher_request_set_callback(req, 0, NULL, NULL);
skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
- crypto_skcipher_encrypt(req);
+ ret = crypto_skcipher_encrypt(req);
skcipher_request_zero(req);
+ if (ret < 0)
+ goto out;
y = ntohl(crypto.buf[1]);
cksum = (y >> 16) & 0xffff;
@@ -989,21 +1002,23 @@ static int rxkad_decrypt_ticket(struct r
/*
* decrypt the response packet
*/
-static void rxkad_decrypt_response(struct rxrpc_connection *conn,
- struct rxkad_response *resp,
- const struct rxrpc_crypt *session_key)
+static int rxkad_decrypt_response(struct rxrpc_connection *conn,
+ struct rxkad_response *resp,
+ const struct rxrpc_crypt *session_key)
{
struct skcipher_request *req = rxkad_ci_req;
struct scatterlist sg[1];
struct rxrpc_crypt iv;
+ int ret;
_enter(",,%08x%08x",
ntohl(session_key->n[0]), ntohl(session_key->n[1]));
mutex_lock(&rxkad_ci_mutex);
- if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
- sizeof(*session_key)) < 0)
- BUG();
+ ret = crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
+ sizeof(*session_key));
+ if (ret < 0)
+ goto unlock;
memcpy(&iv, session_key, sizeof(iv));
@@ -1012,12 +1027,14 @@ static void rxkad_decrypt_response(struc
skcipher_request_set_sync_tfm(req, rxkad_ci);
skcipher_request_set_callback(req, 0, NULL, NULL);
skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
- crypto_skcipher_decrypt(req);
+ ret = crypto_skcipher_decrypt(req);
skcipher_request_zero(req);
+unlock:
mutex_unlock(&rxkad_ci_mutex);
_leave("");
+ return ret;
}
/*
@@ -1110,7 +1127,9 @@ static int rxkad_verify_response(struct
/* use the session key from inside the ticket to decrypt the
* response */
- rxkad_decrypt_response(conn, response, &session_key);
+ ret = rxkad_decrypt_response(conn, response, &session_key);
+ if (ret < 0)
+ goto temporary_error_free_ticket;
if (ntohl(response->encrypted.epoch) != conn->proto.epoch ||
ntohl(response->encrypted.cid) != conn->proto.cid ||
next prev parent reply other threads:[~2026-04-13 16:13 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 15:59 [PATCH 6.12 00/70] 6.12.82-rc1 review Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.12 01/70] lib/crypto: chacha: Zeroize permuted_state before it leaves scope Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.12 02/70] usb: typec: ucsi: skip connector validation before init Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.12 03/70] wifi: rt2x00usb: fix devres lifetime Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.12 04/70] xfrm_user: fix info leak in build_report() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 05/70] net: rfkill: prevent unlimited numbers of rfkill events from being created Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 06/70] mptcp: fix slab-use-after-free in __inet_lookup_established Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 07/70] seg6: separate dst_cache for input and output paths in seg6 lwtunnel Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 08/70] Input: uinput - fix circular locking dependency with ff-core Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 09/70] Input: uinput - take event lock when submitting FF request "event" Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 10/70] MIPS: Always record SEGBITS in cpu_data.vmbits Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 11/70] MIPS: mm: Suppress TLB uniquification on EHINV hardware Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 12/70] MIPS: mm: Rewrite TLB uniquification for the hidden bit feature Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 13/70] ASoC: simple-card-utils: Dont use __free(device_node) at graph_util_parse_dai() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 14/70] btrfs: make wait_on_extent_buffer_writeback() static inline Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 15/70] btrfs: remove unused define WAIT_PAGE_LOCK for extent io Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 16/70] btrfs: split waiting from read_extent_buffer_pages(), drop parameter wait Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 17/70] btrfs: remove unused flag EXTENT_BUFFER_READAHEAD Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 18/70] btrfs: remove unused flag EXTENT_BUFFER_CORRUPT Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 19/70] btrfs: remove pointless out labels from extent-tree.c Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 20/70] btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 21/70] blktrace: fix __this_cpu_read/write in preemptible context Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 22/70] nfc: nci: complete pending data exchange on device close Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 23/70] arm64: dts: renesas: white-hawk-cpu-common: Add pin control for DSI-eDP IRQ Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 24/70] misc: fastrpc: check qcom_scm_assign_mem() return in rpmsg_probe Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 25/70] sched_ext: Fix stale direct dispatch state in ddsp_dsq_id Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 26/70] Revert "mptcp: add needs_id for netlink appending addr" Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 27/70] net: annotate data-races around sk->sk_{data_ready,write_space} Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 28/70] mptcp: fix soft lockup in mptcp_recvmsg() Greg Kroah-Hartman
2026-04-14 1:52 ` Li Xiasong
2026-04-14 12:08 ` Sasha Levin
2026-04-13 16:00 ` [PATCH 6.12 29/70] LoongArch: Remove unnecessary checks for ORC unwinder Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 30/70] LoongArch: Handle percpu handler address " Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 31/70] netfilter: nft_ct: fix use-after-free in timeout object destroy Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 32/70] workqueue: Add pool_workqueue to pending_pwqs list when unplugging multiple inactive works Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 33/70] xfrm: clear trailing padding in build_polexpire() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 34/70] tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 35/70] wifi: brcmsmac: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 36/70] platform/x86/intel-uncore-freq: Handle autonomous UFS status bit Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 37/70] Revert "arm64: dts: imx8mq-librem5: Set the DVS voltages lower" Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 38/70] arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 39/70] arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 40/70] arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 41/70] nfc: pn533: allocate rx skb before consuming bytes Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 42/70] batman-adv: reject oversized global TT response buffers Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 43/70] X.509: Fix out-of-bounds access when parsing extensions Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 44/70] EDAC/mc: Fix error path ordering in edac_mc_alloc() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 45/70] net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 46/70] net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 47/70] batman-adv: hold claim backbone gateways by reference Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 48/70] drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 49/70] drm/i915/psr: Do not use pipe_src as borders for SU area Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 50/70] net/mlx5: Update the list of the PCI supported devices Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 51/70] pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 52/70] mmc: vub300: fix NULL-deref on disconnect Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 53/70] net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 54/70] net: stmmac: fix integer underflow in chain mode Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 55/70] mm: filemap: fix nr_pages calculation overflow in filemap_map_pages() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 56/70] idpf: improve locking around idpf_vc_xn_push_free() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 57/70] idpf: set the payload size before calling the async handler Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 58/70] net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 59/70] net: lan966x: fix page pool leak in error paths Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 60/70] net: lan966x: fix use-after-free and leak in lan966x_fdma_reload() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 61/70] rxrpc: Fix anonymous key handling Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 62/70] rxrpc: Fix call removal to use RCU safe deletion Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 63/70] rxrpc: Fix key reference count leak from call->key Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.12 64/70] rxrpc: Only put the call ref if one was acquired Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.12 65/70] rxrpc: reject undecryptable rxkad response tickets Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.12 66/70] rxrpc: fix reference count leak in rxrpc_server_keyring() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.12 67/70] rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING) Greg Kroah-Hartman
2026-04-13 16:01 ` Greg Kroah-Hartman [this message]
2026-04-13 16:01 ` [PATCH 6.12 69/70] net: skb: fix cross-cache free of KFENCE-allocated skb head Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.12 70/70] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6 Greg Kroah-Hartman
2026-04-13 17:42 ` [PATCH 6.12 00/70] 6.12.82-rc1 review Brett A C Sheffield
2026-04-13 19:02 ` Florian Fainelli
2026-04-14 0:29 ` Barry K. Nathan
2026-04-14 7:54 ` Jon Hunter
2026-04-14 8:11 ` Pavel Machek
2026-04-14 11:37 ` Ron Economos
2026-04-14 12:32 ` Francesco Dolcini
2026-04-14 17:08 ` Peter Schneider
2026-04-14 17:43 ` Shuah Khan
2026-04-14 18:01 ` Miguel Ojeda
2026-04-15 1:34 ` Harshit Mogalapalli
2026-04-15 3:49 ` Shung-Hsi Yu
2026-04-15 10:13 ` Mark Brown
2026-04-15 18:45 ` Dileep malepu
2026-04-16 18:55 ` Eddie Chapman
2026-04-17 6:25 ` Greg Kroah-Hartman
2026-04-17 15:34 ` Eddie Chapman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260413155730.715530249@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=horms@kernel.org \
--cc=jaltman@auristor.com \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=marc.dionne@auristor.com \
--cc=patches@lists.linux.dev \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.