From: Simon Horman <horms@kernel.org>
To: dhowells@redhat.com
Cc: Simon Horman <horms@kernel.org>,
netdev@vger.kernel.org, marc.dionne@auristor.com,
kuba@kernel.org, davem@davemloft.net, edumazet@google.com,
pabeni@redhat.com, linux-afs@lists.infradead.org,
linux-kernel@vger.kernel.org, jaltman@auristor.com,
stable@kernel.org
Subject: Re: [PATCH net v2 07/10] rxrpc: Fix oob challenge leak in cleanup after notification failure
Date: Sat, 20 Jun 2026 10:17:39 +0100 [thread overview]
Message-ID: <20260620091739.969563-1-horms@kernel.org> (raw)
In-Reply-To: <20260618134802.2477777-8-dhowells@redhat.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
rxrpc: Fix oob challenge leak in cleanup after notification failure
Fix rxrpc_notify_socket_oob() to return an indication of failure in the
event that it failed to queue a packet and fix rxrpc_post_challenge() to
clean up the connection ref in such an event.
Link: https://sashiko.dev/#/patchset/20260616155749.2125907-1-dhowells%40redhat.com
> diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
> index c96ca615b787c..611c790bc6d0c 100644
> --- a/net/rxrpc/conn_event.c
> +++ b/net/rxrpc/conn_event.c
> @@ -436,7 +436,7 @@ static bool rxrpc_post_challenge(struct rxrpc_connection *conn,
> struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
> struct rxrpc_call *call = NULL;
> struct rxrpc_sock *rx;
> - bool respond = false;
> + bool respond = false, queued = false;
[Severity: Critical]
This is a pre-existing issue, but can the lockless read of
conn->channels[i].call in net/rxrpc/conn_event.c lead to a NULL pointer
dereference?
Looking at rxrpc_post_challenge(), the code does:
if (conn->channels[i].call) {
call = conn->channels[i].call;
rx = rcu_dereference(call->socket);
Without READ_ONCE(), the compiler could issue two separate loads. If a
concurrent thread clears the channel's call pointer after the if-check but
before the assignment, call becomes NULL.
Does this cause the subsequent rcu_dereference(call->socket) to panic by
dereferencing NULL->socket?
[Severity: High]
This isn't a bug introduced by this patch, but does taking a connection
reference here in rxrpc_post_challenge() lead to a leak if the packet is
later discarded due to connection abort or teardown?
If rxrpc_process_event() in net/rxrpc/conn_event.c encounters
conn->state == RXRPC_CONN_ABORTED, it returns -ECONNABORTED early:
if (conn->state == RXRPC_CONN_ABORTED)
return -ECONNABORTED;
This bypasses the cleanup, and the skb is consumed by
rxrpc_do_process_connection() without dropping the sp->chall.conn reference.
Similarly, during teardown, rxrpc_purge_queue() in net/rxrpc/skbuff.c
consumes skbs via:
while ((skb = skb_dequeue((list))) != NULL) {
...
consume_skb(skb);
}
Since it doesn't inspect the cb scratch space, doesn't this permanently leak
the connection references stored in sp->chall.conn?
[ ... ]
> if (call)
> - rxrpc_notify_socket_oob(call, skb);
> + queued = rxrpc_notify_socket_oob(call, skb);
[Severity: High]
This is a pre-existing issue, but does failing to set skb->mark to
RXRPC_OOB_CHALLENGE here in rxrpc_post_challenge() break OOB challenge
processing?
The skb->mark remains RXRPC_SKB_MARK_PACKET as set during ingress.
When the application attempts to respond via rxrpc_respond_to_oob() or read
via rxrpc_recvmsg_oob(), won't the operation fail with -EPROTO because it
expects skb->mark == RXRPC_OOB_CHALLENGE?
Additionally, when the OOB message is freed via rxrpc_kernel_free_oob(),
doesn't the switch statement on oob->mark fail to match, bypassing
rxrpc_put_connection() and leaking the connection reference stored in
sp->chall.conn?
> rcu_read_unlock();
> + if (call && !queued) {
> + rxrpc_put_connection(conn, rxrpc_conn_put_challenge_input);
> + sp->chall.conn = NULL;
> + return false;
> + }
>
> if (!call)
> rxrpc_post_packet_to_conn(conn, skb);
> diff --git a/net/rxrpc/oob.c b/net/rxrpc/oob.c
> index 3318c8bd82ad5..c80ee2487d094 100644
> --- a/net/rxrpc/oob.c
> +++ b/net/rxrpc/oob.c
[ ... ]
> @@ -49,6 +50,7 @@ void rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb)
> skb->skb_mstamp_ns = rx->oob_id_counter++;
> rxrpc_get_skb(skb, rxrpc_skb_get_post_oob);
> skb_queue_tail(&rx->recvmsg_oobq, skb);
> + queued = true;
[Severity: High]
This isn't a bug introduced by this patch, but does unbounded queuing of
challenge packets onto recvmsg_oobq risk a kernel OOM?
In net/rxrpc/oob.c, rxrpc_notify_socket_oob() uses skb_queue_tail() without
checking memory limits (like sk_rmem_alloc vs sk_rcvbuf) or restricting the
total number of challenges.
Since rxrpc_encap_rcv() intercepts these packets before standard UDP memory
accounting occurs, could a remote attacker flood the host with valid
CHALLENGE packets?
If the application is slow to process them or ignores them, will these
accumulate infinitely in recvmsg_oobq and cause a Denial of Service?
next prev parent reply other threads:[~2026-06-20 9:17 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-18 13:47 [PATCH net v2 00/10] rxrpc: Miscellaneous fixes David Howells
2026-06-18 13:47 ` [PATCH net v2 01/10] rxrpc: input: reject ACKALL outside transmit phase David Howells
2026-06-19 21:32 ` Jeffrey E Altman
2026-06-18 13:47 ` [PATCH net v2 02/10] rxrpc: Fix leak of connection from OOB challenge David Howells
2026-06-18 13:47 ` [PATCH net v2 03/10] rxrpc: Fix double unlock in rxrpc_recvmsg() David Howells
2026-06-18 13:47 ` [PATCH net v2 04/10] afs: Fix further netns teardown to cancel the preallocation charger David Howells
2026-06-18 13:47 ` [PATCH net v2 05/10] afs: Fix uncancelled rxrpc OOB message handler David Howells
2026-06-20 9:13 ` Simon Horman
2026-06-18 13:47 ` [PATCH net v2 06/10] rxrpc: Fix the reception of a reply packet before data transmission David Howells
2026-06-20 9:17 ` Simon Horman
2026-06-18 13:47 ` [PATCH net v2 07/10] rxrpc: Fix oob challenge leak in cleanup after notification failure David Howells
2026-06-20 9:17 ` Simon Horman [this message]
2026-06-18 13:47 ` [PATCH net v2 08/10] rxrpc: Fix potential infinite loop in rxrpc_recvmsg() David Howells
2026-06-18 13:48 ` [PATCH net v2 09/10] rxrpc: Fix socket notification race David Howells
2026-06-18 13:48 ` [PATCH net v2 10/10] rxrpc: Fix leak of released call in recvmsg(MSG_PEEK) David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260620091739.969563-1-horms@kernel.org \
--to=horms@kernel.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=edumazet@google.com \
--cc=jaltman@auristor.com \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.dionne@auristor.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.