* [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling
@ 2026-07-10 19:22 David Howells
2026-07-10 19:22 ` [PATCH net v2 01/16] afs: Fix NULL deref in afs_deliver_cb_init_call_back_state3() David Howells
` (15 more replies)
0 siblings, 16 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel
Here's a fix for AF_RXRPC's CHALLENGE packet handling, addressing an issue
raised by Sashiko[1], plus some miscellaneous fixes found in the process of
fixing this, plus a number of things raised by Sashiko[2][3].
Firstly, the miscellaneous patches:
(1) Fix a NULL deref in afs_deliver_cb_init_call_back_state3().
(2) Fix rxrpc_sendmsg so that it doesn't return an error if it queued the
last packet of a call. After that point, the error will be returned
by recvmsg() and returned it twice in two different places may
complicate userspace cleaning up its own structures.
(3) Fix a UAF in afs_make_call() whereby it looks at the call after the
first send (of the request) completes to see if it should make a
second send (e.g. for FS.StoreData content) - but the call may have
been freed if the first send wasn't marked MSG_MORE.
(4) Fix a couple of afs request delivery functions to pass back -EAGAIN if
insufficient data is yet received.
(5) Fix afs_fs_fetch_data() to set call->async on calls marked as being
asynchronous.
(6) Fix error handling in rxrpc_send_data() for if ->secure_packet()
returns an error.
(7) Fix the update of call->pending in rxrpc_send_data() in paths when the
call lock has been dropped.
(8) Fix the generation of notifications from rxrpc after call completion.
(9) Simplify afs_call refcounting to avoid trying to take refs when async
call notifications come in, and worse trying to get rid of them again
safely if the notifier work item is already queued. This is not
technically a bug fix, but the cleanup made patch 11 easier to handle.
(10) Make afs_put_call() use an enum value to indicate when it happens
rather than recording the function return address as the return
address isn't sufficiently unique if functions get inlined or
tail-called by the compiler. This is not a bug fix, but it made it
easier to debug the problem that patch 11 fixes.
(11) Fix another UAF in afs_make_call() whereby the function tries to abort
a call if the send fails, but the call may get torn down by async
notification before we get there.
And then there are the patches to fix CHALLENGE packet overqueuing and
simplify RESPONSE packet generation by pre-creating the RxGK application
data up front and passing it in a user key (thereby allowing userspace to
partake). This is split into five patches:
(12) Add a refcount to the user key payload.
(13) Make the AFS filesystem generate per-server appdata keys.
(14) Pass the appdata from AFS (or userspace) to rxrpc.
(15) Change over to using the appdata key to supply the appdata.
(16) Remove all the OOB stuff.
[!] Note that this entails a significant change in the UAPI for AF_RXRPC,
with the CMSG types and sockopt to support the OOB queuing being removed
and replaced with a new single CMSG type that conveys the user key ID. I
don't think it likely anyone is using this outside of my kafs-utils
package.
This also involves a change to the user-defined key type, making the
payload refcounted so that it can be accessed and the length read, then a
buffer allocated that will hold it and other data, and then the content
copied. The problem is that the user is perfectly at liberty to change the
content of a user-defined key (which will RCU-replace the content of the
key), so the length might change when we drop the RCU read lock in order to
allocate. This could be got around by locking the key->rwsem sharedly, but
that might be able to deadlock part of the rxrpc protocol engine if memory
reclaim occurs.
David
The patches can be found here also:
http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-fixes
Changes
=======
ver #2)
- Split the CHALLENGE/RESPONSE fix into smaller patches.
- Fixed more Sashiko-reported bugs[2][3]:
- Added some more patches to fix some more bugs.
- Get rid of the AFS_SERVER_FL_APPDATA flag and check the pointer to the
appdata instead.
- Rename the appdata key pointer in the AFS_SERVER to reflect this one is
only for the YFS-RxGK security class.
- Use barriers when reading or writing the server appdata key pointer.
- Ignore the appdata for RxNULL, RxKAD and OpenAFS's RxGK for now.
- Check that sendmsg() with RXRPC_RESPONSE_APPDATA is passed a user key.
- Check that the appdata key's payload isn't NULL, for instance if it
gets revoked.
- Add some error path key_put()s in rxrpc_do_sendmsg().
[1] https://sashiko.dev/#/patchset/20260624163819.3017002-1-dhowells%40redhat.com
[2] https://sashiko.dev/#/patchset/20260702144919.172295-1-dhowells%40redhat.com
[3] https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260702144919.172295-1-dhowells%40redhat.com
David Howells (16):
afs: Fix NULL deref in afs_deliver_cb_init_call_back_state3()
rxrpc: Fix sendmsg to not return an error if last packet queued
afs: Fix UAF when sending a message
afs: Fix two delivery functions to pass back -EAGAIN
afs: Fix afs_fs_fetch_data() to set call->async
rxrpc: Fix packet encryption error handling
rxrpc: Fix update of call->tx_pending without holding lock
rxrpc: Fix generation of notifications after call completion
afs: Simplify call refcounting
afs: Make afs_put_call() take trace argument
afs: Fix UAF in afs_make_call()
keys: Add refcounting to user-defined key type payload
afs: Create a server appdata key
rxrpc: Pass appdata key to rxrpc_call and thence to rxrpc_bundle
rxrpc: Fix CHALLENGE packet overqueuing and simplify RESPONSE
generation
rxrpc: Remove OOB challenge/response code
fs/afs/cm_security.c | 311 +++++++++++++---------------
fs/afs/cmservice.c | 50 ++---
fs/afs/file.c | 12 +-
fs/afs/fs_operation.c | 2 +-
fs/afs/fs_probe.c | 5 +
fs/afs/fsclient.c | 7 +-
fs/afs/internal.h | 63 +++---
fs/afs/main.c | 1 -
fs/afs/rxrpc.c | 137 +++++--------
fs/afs/server.c | 2 +-
fs/afs/vl_probe.c | 2 +-
fs/afs/vlclient.c | 8 +-
include/keys/user-type.h | 2 +
include/net/af_rxrpc.h | 21 +-
include/trace/events/afs.h | 46 +++--
include/trace/events/rxrpc.h | 4 +-
include/uapi/linux/rxrpc.h | 6 +-
net/dns_resolver/dns_key.c | 1 +
net/rxrpc/Makefile | 1 -
net/rxrpc/af_rxrpc.c | 49 +----
net/rxrpc/ar-internal.h | 23 +--
net/rxrpc/call_object.c | 2 +
net/rxrpc/call_state.c | 57 +++++-
net/rxrpc/conn_client.c | 2 +
net/rxrpc/conn_event.c | 68 +-----
net/rxrpc/key.c | 37 ++++
net/rxrpc/oob.c | 387 -----------------------------------
net/rxrpc/recvmsg.c | 126 ++----------
net/rxrpc/rxgk.c | 128 +++---------
net/rxrpc/rxkad.c | 27 ---
net/rxrpc/sendmsg.c | 107 +++++++---
net/rxrpc/server_key.c | 40 ----
security/keys/user_defined.c | 23 ++-
33 files changed, 546 insertions(+), 1211 deletions(-)
delete mode 100644 net/rxrpc/oob.c
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH net v2 01/16] afs: Fix NULL deref in afs_deliver_cb_init_call_back_state3()
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 02/16] rxrpc: Fix sendmsg to not return an error if last packet queued David Howells
` (14 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
Jeffrey Altman, stable
Fix afs_deliver_cb_init_call_back_state3() to avoid a potential NULL deref
should call->server be NULL (ie. afs_rx_new_call() failed to find a
matching server record) when it checks the server's UUID.
Fixes: 40e8b52fe8c8 ("afs: Use the per-peer app data provided by rxrpc")
Link: https://sashiko.dev/#/patchset/20260624163819.3017002-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
---
fs/afs/cmservice.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/afs/cmservice.c b/fs/afs/cmservice.c
index 5540ae1cad59..d579a665e3da 100644
--- a/fs/afs/cmservice.c
+++ b/fs/afs/cmservice.c
@@ -364,7 +364,8 @@ static int afs_deliver_cb_init_call_back_state3(struct afs_call *call)
if (!afs_check_call_state(call, AFS_CALL_SV_REPLYING))
return afs_io_error(call, afs_io_error_cm_reply);
- if (memcmp(call->request, &call->server->_uuid, sizeof(call->server->_uuid)) != 0) {
+ if (call->server &&
+ memcmp(call->request, &call->server->_uuid, sizeof(call->server->_uuid)) != 0) {
pr_notice("Callback UUID does not match fileserver UUID\n");
trace_afs_cm_no_server_u(call, call->request);
return 0;
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 02/16] rxrpc: Fix sendmsg to not return an error if last packet queued
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
2026-07-10 19:22 ` [PATCH net v2 01/16] afs: Fix NULL deref in afs_deliver_cb_init_call_back_state3() David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 03/16] afs: Fix UAF when sending a message David Howells
` (13 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
Jeffrey Altman
Fix AF_RXRPC sendmsg() so that it doesn't return an error if it has
successfully queued the last packet of a call, but the call has seen to
have completed after it did that. Rather, leave it to recvmsg() to report
the completion (which it will do anyway).
The problem with trying to report the error twice is that the caller may
try to clean up the dead call twice.
Fixes: d41b3f5b9688 ("rxrpc: Wrap accesses to get call state to put the barrier in one place")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
---
net/rxrpc/sendmsg.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index ed2c9a51005a..4c754f78ece9 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -453,9 +453,6 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
success:
ret = copied;
- if (rxrpc_call_is_complete(call) &&
- call->error < 0)
- ret = call->error;
out:
call->tx_pending = txb;
_leave(" = %d", ret);
@@ -467,8 +464,14 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
return call->error;
maybe_error:
- if (copied)
+ if (copied) {
+ if (rxrpc_call_is_complete(call) &&
+ call->error < 0) {
+ ret = call->error;
+ goto out;
+ }
goto success;
+ }
goto out;
efault:
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 03/16] afs: Fix UAF when sending a message
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
2026-07-10 19:22 ` [PATCH net v2 01/16] afs: Fix NULL deref in afs_deliver_cb_init_call_back_state3() David Howells
2026-07-10 19:22 ` [PATCH net v2 02/16] rxrpc: Fix sendmsg to not return an error if last packet queued David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 04/16] afs: Fix two delivery functions to pass back -EAGAIN David Howells
` (12 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
Jeffrey Altman, stable
In afs_make_call(), there's a race with async call reception and
destruction. If a call is dispatched that doesn't have call->write_iter
set (used to specify the data content for FS.StoreData), then the first
rxrpc_kernel_send_data() will not set MSG_MORE in the msghdr.
Once rxrpc_send_data() queues the last request packet, the response could
come in at any time and cause the call to be completed and put. However,
afs_make_call() will look at the call again to see it ->write_iter should
be handled - something it's only allowed to do if it has its own ref on the
call. Whilst this is the case for synchronous calls, it isn't true for
async calls such as FS.FetchData.
generic/650 plays games with randomly taking CPUs offline, and can
interject a significant delay such that the call is deallocated before
afs_make_call() gets to check call->write_iter - and a UAF ensues (caught
by KASAN).
BUG: KASAN: slab-use-after-free in afs_make_call+0x1c90/0x2210 [kafs]
Read of size 8 at addr ffff888035e050e8 by task fsstress/1409
Fix this by caching the call->write_iter and call->debug_id so that neither
variable needs to be accessed after the first send.
Fixes: eddf51f2bb2c ("afs: Make {Y,}FS.FetchData an asynchronous operation")
Reported-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
---
fs/afs/rxrpc.c | 12 ++++++++----
include/trace/events/afs.h | 6 +++---
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c
index d82916657a3d..06c711c75f55 100644
--- a/fs/afs/rxrpc.c
+++ b/fs/afs/rxrpc.c
@@ -347,7 +347,9 @@ void afs_make_call(struct afs_call *call, gfp_t gfp)
struct rxrpc_call *rxcall;
struct msghdr msg;
struct kvec iov[1];
+ unsigned int debug_id = call->debug_id;
size_t len;
+ bool write_iter = call->write_iter;
s64 tx_total_len;
int ret;
@@ -410,7 +412,7 @@ void afs_make_call(struct afs_call *call, gfp_t gfp)
iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iov, 1, call->request_size);
msg.msg_control = NULL;
msg.msg_controllen = 0;
- msg.msg_flags = MSG_WAITALL | (call->write_iter ? MSG_MORE : 0);
+ msg.msg_flags = MSG_WAITALL | (write_iter ? MSG_MORE : 0);
ret = rxrpc_kernel_send_data(call->net->socket, rxcall,
&msg, call->request_size,
@@ -418,7 +420,9 @@ void afs_make_call(struct afs_call *call, gfp_t gfp)
if (ret < 0)
goto error_do_abort;
- if (call->write_iter) {
+ /* We lost our ref on call if MSG_MORE was not set and ret >= 0. */
+
+ if (write_iter) {
msg.msg_iter = *call->write_iter;
msg.msg_flags &= ~MSG_MORE;
trace_afs_send_data(call, &msg);
@@ -427,9 +431,9 @@ void afs_make_call(struct afs_call *call, gfp_t gfp)
call->rxcall, &msg,
iov_iter_count(&msg.msg_iter),
afs_notify_end_request_tx);
- *call->write_iter = msg.msg_iter;
+ /* We lost our ref on call if ret >= 0. */
- trace_afs_sent_data(call, &msg, ret);
+ trace_afs_sent_data(debug_id, &msg, ret);
if (ret < 0)
goto error_do_abort;
}
diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h
index 1b3c48b5591d..cf7218efb861 100644
--- a/include/trace/events/afs.h
+++ b/include/trace/events/afs.h
@@ -937,9 +937,9 @@ TRACE_EVENT(afs_send_data,
);
TRACE_EVENT(afs_sent_data,
- TP_PROTO(struct afs_call *call, struct msghdr *msg, int ret),
+ TP_PROTO(unsigned int call_debug_id, struct msghdr *msg, int ret),
- TP_ARGS(call, msg, ret),
+ TP_ARGS(call_debug_id, msg, ret),
TP_STRUCT__entry(
__field(unsigned int, call)
@@ -949,7 +949,7 @@ TRACE_EVENT(afs_sent_data,
),
TP_fast_assign(
- __entry->call = call->debug_id;
+ __entry->call = call_debug_id;
__entry->ret = ret;
__entry->offset = msg->msg_iter.xarray_start + msg->msg_iter.iov_offset;
__entry->count = iov_iter_count(&msg->msg_iter);
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 04/16] afs: Fix two delivery functions to pass back -EAGAIN
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
` (2 preceding siblings ...)
2026-07-10 19:22 ` [PATCH net v2 03/16] afs: Fix UAF when sending a message David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 05/16] afs: Fix afs_fs_fetch_data() to set call->async David Howells
` (11 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
stable
Fix afs_deliver_cb_init_call_back_state3() and afs_deliver_cb_probe_uuid()
to pass back -EAGAIN when returned afs_extract_data() as that indicates
that more data is needed.
Fixes: d001648ec7cf ("rxrpc: Don't expose skbs to in-kernel users [ver #2]")
Fixes: 9396d496d745 ("afs: support the CB.ProbeUuid RPC op")
Closes: https://sashiko.dev/#/patchset/20260702144919.172295-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
---
fs/afs/cmservice.c | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/fs/afs/cmservice.c b/fs/afs/cmservice.c
index d579a665e3da..3c12a0ecee8e 100644
--- a/fs/afs/cmservice.c
+++ b/fs/afs/cmservice.c
@@ -332,11 +332,8 @@ static int afs_deliver_cb_init_call_back_state3(struct afs_call *call)
case 1:
_debug("extract UUID");
ret = afs_extract_data(call, false);
- switch (ret) {
- case 0: break;
- case -EAGAIN: return 0;
- default: return ret;
- }
+ if (ret < 0)
+ return ret;
_debug("unmarshall UUID");
call->request = kmalloc_obj(struct afs_uuid);
@@ -450,11 +447,8 @@ static int afs_deliver_cb_probe_uuid(struct afs_call *call)
case 1:
_debug("extract UUID");
ret = afs_extract_data(call, false);
- switch (ret) {
- case 0: break;
- case -EAGAIN: return 0;
- default: return ret;
- }
+ if (ret < 0)
+ return ret;
_debug("unmarshall UUID");
call->request = kmalloc_obj(struct afs_uuid);
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 05/16] afs: Fix afs_fs_fetch_data() to set call->async
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
` (3 preceding siblings ...)
2026-07-10 19:22 ` [PATCH net v2 04/16] afs: Fix two delivery functions to pass back -EAGAIN David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 06/16] rxrpc: Fix packet encryption error handling David Howells
` (10 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
Jeffrey Altman, stable
Fix afs_fs_fetch_data() to set call->async on an async operation as does
afs_fs_fetch_data64().
Fixes: eddf51f2bb2c ("afs: Make {Y,}FS.FetchData an asynchronous operation")
Link: https://sashiko.dev/#/patchset/20260702144919.172295-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
---
fs/afs/fsclient.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/afs/fsclient.c b/fs/afs/fsclient.c
index a2ffd60889f8..626e1d37b915 100644
--- a/fs/afs/fsclient.c
+++ b/fs/afs/fsclient.c
@@ -477,6 +477,9 @@ void afs_fs_fetch_data(struct afs_operation *op)
if (!call)
return afs_op_nomem(op);
+ if (op->flags & AFS_OPERATION_ASYNC)
+ call->async = true;
+
/* marshall the parameters */
bp = call->request;
bp[0] = htonl(FSFETCHDATA);
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 06/16] rxrpc: Fix packet encryption error handling
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
` (4 preceding siblings ...)
2026-07-10 19:22 ` [PATCH net v2 05/16] afs: Fix afs_fs_fetch_data() to set call->async David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 07/16] rxrpc: Fix update of call->tx_pending without holding lock David Howells
` (9 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
stable
In rxrpc_send_data(), if ->secure_packet() returns an error, the code
currently just jumps to out: and returns the error to the app on the
assumption that any error returned by this is automatically fatal for the
call, and may even have corrupted the transmission queue - but leaving it
to userspace to deal with. Nothing stops the application from retrying the
sendmsg(), which will try to encrypt the buffer again, and might succeed
with a corrupt buffer.
Fix rxrpc_send_data() in the following ways:
(1) If -ENOMEM is returned, assume we never got as far as the encryption
and that the operation is retryable. In which case, jump to
maybe_error.
(2) If any other error occurs, set the TX_ERROR flag on the call and
return that error directly; on all subsequent attempts to add data to
the call, return -EIO. The app must then abort the call to get rid of
it (this allows the app to choose the abort code to use).
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260702144919.172295-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
---
include/trace/events/rxrpc.h | 1 +
net/rxrpc/ar-internal.h | 1 +
net/rxrpc/sendmsg.c | 25 ++++++++++++++++++++-----
3 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
index 704a10de6670..8f3e3967885a 100644
--- a/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -148,6 +148,7 @@
EM(rxrpc_eproto_wrong_security, "wrong-sec") \
EM(rxrpc_recvmsg_excess_data, "recvmsg-excess") \
EM(rxrpc_recvmsg_short_data, "recvmsg-short") \
+ EM(rxrpc_sendmsg_tx_error, "tx-error") \
E_(rxrpc_sendmsg_late_send, "sendmsg-late")
#define rxrpc_call_poke_traces \
diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index ce946b0a03e2..b6e7e8c5e96f 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -642,6 +642,7 @@ enum rxrpc_call_flag {
RXRPC_CALL_TX_LAST, /* Last packet in Tx buffer (at rxtx_top) */
RXRPC_CALL_TX_ALL_ACKED, /* Last packet has been hard-acked */
RXRPC_CALL_TX_NO_MORE, /* No more data to transmit (MSG_MORE deasserted) */
+ RXRPC_CALL_TX_ERROR, /* Terminal error; call needs abort */
RXRPC_CALL_SEND_PING, /* A ping will need to be sent */
RXRPC_CALL_RETRANS_TIMEOUT, /* Retransmission due to timeout occurred */
RXRPC_CALL_BEGAN_RX_TIMER, /* We began the expect_rx_by timer */
diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index 4c754f78ece9..d5060fd9631a 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -330,12 +330,18 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
bool more = msg->msg_flags & MSG_MORE;
int ret, copied = 0;
- if (test_bit(RXRPC_CALL_TX_NO_MORE, &call->flags)) {
+ if (unlikely(test_bit(RXRPC_CALL_TX_NO_MORE, &call->flags))) {
trace_rxrpc_abort(call->debug_id, rxrpc_sendmsg_late_send,
call->cid, call->call_id, call->rx_consumed,
0, -EPROTO);
return -EPROTO;
}
+ if (unlikely(test_bit(RXRPC_CALL_TX_ERROR, &call->flags))) {
+ trace_rxrpc_abort(call->debug_id, rxrpc_sendmsg_tx_error,
+ call->cid, call->call_id, call->rx_consumed,
+ 0, -EIO);
+ return -EIO;
+ }
timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
@@ -440,12 +446,21 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
/* add the packet to the send queue if it's now full */
if (!txb->space ||
(msg_data_left(msg) == 0 && !more)) {
- if (msg_data_left(msg) == 0 && !more)
- txb->flags |= RXRPC_LAST_PACKET;
-
+ /* Do any required crypto. If this fails, it could
+ * have corrupted the txbuf content with a partial
+ * encrypt. Assume that ENOMEM is retryable, but
+ * everything else is terminal.
+ */
ret = call->security->secure_packet(call, txb);
- if (ret < 0)
+ if (ret < 0) {
+ if (ret == -ENOMEM)
+ goto maybe_error;
+ set_bit(RXRPC_CALL_TX_ERROR, &call->flags);
goto out;
+ }
+
+ if (msg_data_left(msg) == 0 && !more)
+ txb->flags |= RXRPC_LAST_PACKET;
rxrpc_queue_packet(rx, call, txb, notify_end_tx);
txb = NULL;
}
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 07/16] rxrpc: Fix update of call->tx_pending without holding lock
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
` (5 preceding siblings ...)
2026-07-10 19:22 ` [PATCH net v2 06/16] rxrpc: Fix packet encryption error handling David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 08/16] rxrpc: Fix generation of notifications after call completion David Howells
` (8 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
stable
Currently, rxrpc_send_data() updates call->tx_pending just before it
returns - but it won't be holding the call->lock when it does this if a
wait was interrupted by a signal. This would allow a parallel sendmsg() to
race.
Further, both the callers of rxrpc_send_data() call it with the lock held,
and then it returns an indication through the parameter list to say whether
it has dropped the lock or not - after which the callers both just drop the
lock if it's still held.
Fix this by:
(1) Moving the release of call->lock down into rxrpc_send_data() and get
rid of the indicator parameter. This makes it easier to see where the
lock is held.
(2) Make the wait_for_space path move the value in txb back into
call->tx_pending before dropping the lock prior to the wait.
(3) After waiting, if the attempt to reacquire the mutex is interrupted,
just return directly there rather than going to out_unlock
Fixes: b0f571ecd794 ("rxrpc: Fix locking in rxrpc's sendmsg")
Closes: https://sashiko.dev/#/patchset/20260702144919.172295-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
---
net/rxrpc/sendmsg.c | 52 +++++++++++++++++++++++++--------------------
1 file changed, 29 insertions(+), 23 deletions(-)
diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index d5060fd9631a..71343998b87d 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -320,8 +320,8 @@ static int rxrpc_alloc_txqueue(struct sock *sk, struct rxrpc_call *call)
static int rxrpc_send_data(struct rxrpc_sock *rx,
struct rxrpc_call *call,
struct msghdr *msg, size_t len,
- rxrpc_notify_end_tx_t notify_end_tx,
- bool *_dropped_lock)
+ rxrpc_notify_end_tx_t notify_end_tx)
+ __releases(&call->user_mutex)
{
struct rxrpc_txbuf *txb;
struct sock *sk = &rx->sk;
@@ -334,25 +334,27 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
trace_rxrpc_abort(call->debug_id, rxrpc_sendmsg_late_send,
call->cid, call->call_id, call->rx_consumed,
0, -EPROTO);
- return -EPROTO;
+ ret = -EPROTO;
+ goto out_unlock;
}
if (unlikely(test_bit(RXRPC_CALL_TX_ERROR, &call->flags))) {
trace_rxrpc_abort(call->debug_id, rxrpc_sendmsg_tx_error,
call->cid, call->call_id, call->rx_consumed,
0, -EIO);
- return -EIO;
+ ret = -EIO;
+ goto out_unlock;
}
timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
ret = rxrpc_wait_to_be_connected(call, &timeo);
if (ret < 0)
- return ret;
+ goto out_unlock;
if (call->conn->state == RXRPC_CONN_CLIENT_UNSECURED) {
ret = rxrpc_init_client_conn_security(call->conn);
if (ret < 0)
- return ret;
+ goto out_unlock;
}
/* this should be in poll */
@@ -456,7 +458,7 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
if (ret == -ENOMEM)
goto maybe_error;
set_bit(RXRPC_CALL_TX_ERROR, &call->flags);
- goto out;
+ goto out_txb;
}
if (msg_data_left(msg) == 0 && !more)
@@ -468,51 +470,58 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
success:
ret = copied;
-out:
+out_txb:
call->tx_pending = txb;
+out_unlock:
+ mutex_unlock(&call->user_mutex);
_leave(" = %d", ret);
return ret;
call_terminated:
rxrpc_put_txbuf(txb, rxrpc_txbuf_put_send_aborted);
- _leave(" = %d", call->error);
- return call->error;
+ call->tx_pending = NULL;
+ ret = call->error;
+ goto out_unlock;
maybe_error:
if (copied) {
if (rxrpc_call_is_complete(call) &&
call->error < 0) {
ret = call->error;
- goto out;
+ goto out_unlock;
}
goto success;
}
- goto out;
+ goto out_txb;
efault:
ret = -EFAULT;
- goto out;
+ goto out_txb;
wait_for_space:
ret = -EAGAIN;
if (msg->msg_flags & MSG_DONTWAIT)
goto maybe_error;
+ call->tx_pending = txb;
+ txb = NULL;
mutex_unlock(&call->user_mutex);
- *_dropped_lock = true;
+
ret = rxrpc_wait_for_tx_window(rx, call, &timeo,
msg->msg_flags & MSG_WAITALL);
if (ret < 0)
- goto maybe_error;
+ goto out_nolock;
if (call->interruptibility == RXRPC_INTERRUPTIBLE) {
if (mutex_lock_interruptible(&call->user_mutex) < 0) {
ret = sock_intr_errno(timeo);
- goto maybe_error;
+ goto out_nolock;
}
} else {
mutex_lock(&call->user_mutex);
}
- *_dropped_lock = false;
goto reload;
+out_nolock:
+ _leave(" = %d [intr]", ret);
+ return copied ?: ret;
}
/*
@@ -787,8 +796,8 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len)
ret = 0;
break;
case RXRPC_CMD_SEND_DATA:
- ret = rxrpc_send_data(rx, call, msg, len, NULL, &dropped_lock);
- break;
+ ret = rxrpc_send_data(rx, call, msg, len, NULL);
+ goto error_put;
default:
ret = -EINVAL;
break;
@@ -826,7 +835,6 @@ int rxrpc_kernel_send_data(struct socket *sock, struct rxrpc_call *call,
struct msghdr *msg, size_t len,
rxrpc_notify_end_tx_t notify_end_tx)
{
- bool dropped_lock = false;
int ret;
_enter("{%d},", call->debug_id);
@@ -837,12 +845,10 @@ int rxrpc_kernel_send_data(struct socket *sock, struct rxrpc_call *call,
mutex_lock(&call->user_mutex);
ret = rxrpc_send_data(rxrpc_sk(sock->sk), call, msg, len,
- notify_end_tx, &dropped_lock);
+ notify_end_tx);
if (ret == -ESHUTDOWN)
ret = call->error;
- if (!dropped_lock)
- mutex_unlock(&call->user_mutex);
_leave(" = %d", ret);
return ret;
}
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 08/16] rxrpc: Fix generation of notifications after call completion
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
` (6 preceding siblings ...)
2026-07-10 19:22 ` [PATCH net v2 07/16] rxrpc: Fix update of call->tx_pending without holding lock David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 09/16] afs: Simplify call refcounting David Howells
` (7 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
stable
AF_RXRPC may generate a notification to the application after a call has
completed because it generates one notification when
rxrpc_input_split_jumbo() queues the final packet and completes the call
and then generates another when rxrpc_input_split_jumbo() does the
aggregated data receive notification at the end of the function.
This might cause the AFS filesystem to malfunction because it tries to
queue the afs_call for processing an extra time. Most of the time this
happens quickly enough that the second queue_work skips, but sometimes this
means that the call work may happen a second time with implications for
afs_call lifetime management.
Fix this by:
(1) Create a lighter version of rxrpc_notify_socket() that's just used to
requeue a call for rxrpc_recvmsg() without creating another
notification.
(2) Move rxrpc_notify_socket() to call_state.c and rename it to
__rxrpc_notify_socket().
(3) Create a wrapper called rxrpc_notify_socket() that skips the
notification if a call is completed.
(4) Make rxrpc_set_call_completion() call __rxrpc_notify_socket() to avoid
the skip-if-completed check.
Fixes: 2d1faf7a0ca3 ("rxrpc: Simplify skbuff accounting in receive path")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
---
include/trace/events/rxrpc.h | 1 +
net/rxrpc/call_state.c | 57 +++++++++++++++++++++++++++++++++++-
net/rxrpc/recvmsg.c | 42 +++++++++-----------------
3 files changed, 71 insertions(+), 29 deletions(-)
diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
index 8f3e3967885a..d7c7b04d69fc 100644
--- a/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -343,6 +343,7 @@
EM(rxrpc_call_see_distribute_error, "SEE dist-err") \
EM(rxrpc_call_see_input, "SEE input ") \
EM(rxrpc_call_see_notify_released, "SEE nfy-rlsd") \
+ EM(rxrpc_call_see_notify_skipped, "SEE nfy-skip") \
EM(rxrpc_call_see_recvmsg, "SEE recvmsg ") \
EM(rxrpc_call_see_recvmsg_requeue, "SEE recv-rqu") \
EM(rxrpc_call_see_recvmsg_requeue_first, "SEE recv-rqF") \
diff --git a/net/rxrpc/call_state.c b/net/rxrpc/call_state.c
index 6afb54373ebb..6e402312e145 100644
--- a/net/rxrpc/call_state.c
+++ b/net/rxrpc/call_state.c
@@ -7,6 +7,61 @@
#include "ar-internal.h"
+/*
+ * Post a call for attention by the socket or kernel service. Further
+ * notifications are suppressed by putting recvmsg_link on a dummy queue.
+ */
+static void __rxrpc_notify_socket(struct rxrpc_call *call)
+{
+ struct rxrpc_sock *rx;
+ struct sock *sk;
+
+ if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) {
+ rxrpc_see_call(call, rxrpc_call_see_notify_released);
+ return;
+ }
+
+ rcu_read_lock();
+
+ rx = rcu_dereference(call->socket);
+ sk = &rx->sk;
+ if (rx && sk->sk_state < RXRPC_CLOSE) {
+ if (call->notify_rx) {
+ spin_lock_irq(&call->notify_lock);
+ call->notify_rx(sk, call, call->user_call_ID);
+ spin_unlock_irq(&call->notify_lock);
+ } else {
+ spin_lock_irq(&rx->recvmsg_lock);
+ if (list_empty(&call->recvmsg_link)) {
+ rxrpc_get_call(call, rxrpc_call_get_notify_socket);
+ list_add_tail(&call->recvmsg_link, &rx->recvmsg_q);
+ }
+ spin_unlock_irq(&rx->recvmsg_lock);
+
+ if (!sock_flag(sk, SOCK_DEAD)) {
+ _debug("call %ps", sk->sk_data_ready);
+ sk->sk_data_ready(sk);
+ }
+ }
+ }
+
+ rcu_read_unlock();
+}
+
+/*
+ * Post a call for attention by the socket or kernel service. Further
+ * notifications are suppressed by putting recvmsg_link on a dummy queue.
+ */
+void rxrpc_notify_socket(struct rxrpc_call *call)
+{
+ if (rxrpc_call_is_complete(call)) {
+ rxrpc_see_call(call, rxrpc_call_see_notify_skipped);
+ return;
+ }
+
+ __rxrpc_notify_socket(call);
+}
+
/*
* Transition a call to the complete state.
*/
@@ -25,7 +80,7 @@ bool rxrpc_set_call_completion(struct rxrpc_call *call,
rxrpc_set_call_state(call, RXRPC_CALL_COMPLETE);
trace_rxrpc_call_complete(call);
wake_up(&call->waitq);
- rxrpc_notify_socket(call);
+ __rxrpc_notify_socket(call);
return true;
}
diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c
index efcba4b2e74f..28b2148b5693 100644
--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -17,13 +17,12 @@
#include "ar-internal.h"
/*
- * Post a call for attention by the socket or kernel service. Further
- * notifications are suppressed by putting recvmsg_link on a dummy queue.
+ * Requeue a call for recvmsg() to pick up.
*/
-void rxrpc_notify_socket(struct rxrpc_call *call)
+static void rxrpc_requeue_call(struct socket *sock, struct rxrpc_call *call)
{
- struct rxrpc_sock *rx;
- struct sock *sk;
+ struct rxrpc_sock *rx = rxrpc_sk(sock->sk);
+ struct sock *sk = &rx->sk;
_enter("%d", call->debug_id);
@@ -32,31 +31,18 @@ void rxrpc_notify_socket(struct rxrpc_call *call)
return;
}
- rcu_read_lock();
-
- rx = rcu_dereference(call->socket);
- sk = &rx->sk;
- if (rx && sk->sk_state < RXRPC_CLOSE) {
- if (call->notify_rx) {
- spin_lock_irq(&call->notify_lock);
- call->notify_rx(sk, call, call->user_call_ID);
- spin_unlock_irq(&call->notify_lock);
- } else {
- spin_lock_irq(&rx->recvmsg_lock);
- if (list_empty(&call->recvmsg_link)) {
- rxrpc_get_call(call, rxrpc_call_get_notify_socket);
- list_add_tail(&call->recvmsg_link, &rx->recvmsg_q);
- }
- spin_unlock_irq(&rx->recvmsg_lock);
+ spin_lock_irq(&rx->recvmsg_lock);
+ if (list_empty(&call->recvmsg_link)) {
+ rxrpc_get_call(call, rxrpc_call_get_notify_socket);
+ list_add_tail(&call->recvmsg_link, &rx->recvmsg_q);
+ }
+ spin_unlock_irq(&rx->recvmsg_lock);
- if (!sock_flag(sk, SOCK_DEAD)) {
- _debug("call %ps", sk->sk_data_ready);
- sk->sk_data_ready(sk);
- }
- }
+ if (!sock_flag(sk, SOCK_DEAD)) {
+ _debug("call %ps", sk->sk_data_ready);
+ sk->sk_data_ready(sk);
}
- rcu_read_unlock();
_leave("");
}
@@ -561,7 +547,7 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
if (!(flags & MSG_PEEK) &&
!skb_queue_empty(&call->recvmsg_queue))
- rxrpc_notify_socket(call);
+ rxrpc_requeue_call(sock, call);
goto not_yet_complete;
call_failed:
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 09/16] afs: Simplify call refcounting
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
` (7 preceding siblings ...)
2026-07-10 19:22 ` [PATCH net v2 08/16] rxrpc: Fix generation of notifications after call completion David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 10/16] afs: Make afs_put_call() take trace argument David Howells
` (6 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
Jeffrey Altman
Simplify afs_call refcounting so that a queued work item doesn't hold a ref
on the call. Rather, for async calls, put the retaining ref when the call
completes. For synchronous calls, the caller of afs_make_call() holds its
own ref. This means that queuing a call's async work doesn't require a ref
to be taken first on a call - and then there's no need to try and revert
the ref taken from the context of the rxrpc I/O thread if the call is
already queued.
Further, the AFS cache manager server RPC handler functions (SRXAFSCB_*)
are then called directly from afs_deliver_to_call() rather then being
dispatched to a different workqueue. With that, call->work is changed to
a function pointer.
Also, there is no longer a need to keep an extra ref on an async call and
call->drop_ref can be removed.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
---
fs/afs/cmservice.c | 33 ++++++------------
fs/afs/file.c | 10 +++---
fs/afs/internal.h | 18 ++--------
fs/afs/rxrpc.c | 69 +++++++++++---------------------------
include/trace/events/afs.h | 1 +
5 files changed, 39 insertions(+), 92 deletions(-)
diff --git a/fs/afs/cmservice.c b/fs/afs/cmservice.c
index 3c12a0ecee8e..f92bddd4f1e9 100644
--- a/fs/afs/cmservice.c
+++ b/fs/afs/cmservice.c
@@ -23,11 +23,11 @@ static int afs_deliver_cb_callback(struct afs_call *);
static int afs_deliver_cb_probe_uuid(struct afs_call *);
static int afs_deliver_cb_tell_me_about_yourself(struct afs_call *);
static void afs_cm_destructor(struct afs_call *);
-static void SRXAFSCB_CallBack(struct work_struct *);
-static void SRXAFSCB_InitCallBackState(struct work_struct *);
-static void SRXAFSCB_Probe(struct work_struct *);
-static void SRXAFSCB_ProbeUuid(struct work_struct *);
-static void SRXAFSCB_TellMeAboutYourself(struct work_struct *);
+static void SRXAFSCB_CallBack(struct afs_call *call);
+static void SRXAFSCB_InitCallBackState(struct afs_call *call);
+static void SRXAFSCB_Probe(struct afs_call *call);
+static void SRXAFSCB_ProbeUuid(struct afs_call *call);
+static void SRXAFSCB_TellMeAboutYourself(struct afs_call *call);
static int afs_deliver_yfs_cb_callback(struct afs_call *);
@@ -161,10 +161,8 @@ static void afs_abort_service_call(struct afs_call *call, u32 abort_code, int er
/*
* The server supplied a list of callbacks that it wanted to break.
*/
-static void SRXAFSCB_CallBack(struct work_struct *work)
+static void SRXAFSCB_CallBack(struct afs_call *call)
{
- struct afs_call *call = container_of(work, struct afs_call, work);
-
_enter("");
/* We need to break the callbacks before sending the reply as the
@@ -180,7 +178,6 @@ static void SRXAFSCB_CallBack(struct work_struct *work)
}
afs_send_empty_reply(call);
- afs_put_call(call);
_leave("");
}
@@ -284,16 +281,13 @@ static int afs_deliver_cb_callback(struct afs_call *call)
/*
* allow the fileserver to request callback state (re-)initialisation
*/
-static void SRXAFSCB_InitCallBackState(struct work_struct *work)
+static void SRXAFSCB_InitCallBackState(struct afs_call *call)
{
- struct afs_call *call = container_of(work, struct afs_call, work);
-
_enter("{%p}", call->server);
if (call->server)
afs_init_callback_state(call->server);
afs_send_empty_reply(call);
- afs_put_call(call);
_leave("");
}
@@ -374,13 +368,10 @@ static int afs_deliver_cb_init_call_back_state3(struct afs_call *call)
/*
* allow the fileserver to see if the cache manager is still alive
*/
-static void SRXAFSCB_Probe(struct work_struct *work)
+static void SRXAFSCB_Probe(struct afs_call *call)
{
- struct afs_call *call = container_of(work, struct afs_call, work);
-
_enter("");
afs_send_empty_reply(call);
- afs_put_call(call);
_leave("");
}
@@ -407,9 +398,8 @@ static int afs_deliver_cb_probe(struct afs_call *call)
* Allow the fileserver to quickly find out if the cache manager has been
* rebooted.
*/
-static void SRXAFSCB_ProbeUuid(struct work_struct *work)
+static void SRXAFSCB_ProbeUuid(struct afs_call *call)
{
- struct afs_call *call = container_of(work, struct afs_call, work);
struct afs_uuid *r = call->request;
_enter("");
@@ -419,7 +409,6 @@ static void SRXAFSCB_ProbeUuid(struct work_struct *work)
else
afs_abort_service_call(call, 1, 1, afs_abort_probeuuid_negative);
- afs_put_call(call);
_leave("");
}
@@ -481,9 +470,8 @@ static int afs_deliver_cb_probe_uuid(struct afs_call *call)
/*
* allow the fileserver to ask about the cache manager's capabilities
*/
-static void SRXAFSCB_TellMeAboutYourself(struct work_struct *work)
+static void SRXAFSCB_TellMeAboutYourself(struct afs_call *call)
{
- struct afs_call *call = container_of(work, struct afs_call, work);
int loop;
struct {
@@ -515,7 +503,6 @@ static void SRXAFSCB_TellMeAboutYourself(struct work_struct *work)
reply.cap.capcount = htonl(1);
reply.cap.caps[0] = htonl(AFS_CAP_ERROR_TRANSLATION);
afs_send_simple_reply(call, &reply, sizeof(reply));
- afs_put_call(call);
_leave("");
}
diff --git a/fs/afs/file.c b/fs/afs/file.c
index 0467742bfeee..35d68f7f498d 100644
--- a/fs/afs/file.c
+++ b/fs/afs/file.c
@@ -316,15 +316,17 @@ void afs_fetch_data_async_rx(struct work_struct *work)
struct afs_call *call = container_of(work, struct afs_call, async_work);
afs_read_receive(call);
- afs_put_call(call);
+
+ if (call->state == AFS_CALL_COMPLETE) {
+ cancel_work(&call->async_work);
+ afs_put_call(call);
+ }
}
void afs_fetch_data_immediate_cancel(struct afs_call *call)
{
if (call->async) {
- afs_get_call(call, afs_call_trace_wake);
- if (!queue_work(afs_async_calls, &call->async_work))
- afs_deferred_put_call(call);
+ queue_work(afs_async_calls, &call->async_work);
flush_work(&call->async_work);
}
}
diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index 0b72a8566299..cd00956bc4cf 100644
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -129,7 +129,7 @@ struct afs_call {
const struct afs_call_type *type; /* type of call */
wait_queue_head_t waitq; /* processes awaiting completion */
struct work_struct async_work; /* async I/O processor */
- struct work_struct work; /* actual work processor */
+ void (*work)(struct afs_call *call); /* Worker function */
struct work_struct free_work; /* Deferred free processor */
struct rxrpc_call *rxcall; /* RxRPC call handle */
struct rxrpc_peer *peer; /* Remote endpoint */
@@ -169,7 +169,6 @@ struct afs_call {
unsigned reply_max; /* maximum size of reply */
unsigned count2; /* count used in unmarshalling */
unsigned char unmarshall; /* unmarshalling phase */
- bool drop_ref; /* T if need to drop ref for incoming call */
bool need_attention; /* T if RxRPC poked us */
bool async; /* T if asynchronous */
bool upgrade; /* T to request service upgrade */
@@ -208,7 +207,7 @@ struct afs_call_type {
void (*async_rx)(struct work_struct *work);
/* Work function */
- void (*work)(struct work_struct *work);
+ void (*work)(struct afs_call *call);
/* Call done function (gets called immediately on success or failure) */
void (*done)(struct afs_call *call);
@@ -1382,7 +1381,6 @@ extern int __net_init afs_open_socket(struct afs_net *);
extern void __net_exit afs_close_socket(struct afs_net *);
extern void afs_charge_preallocation(struct work_struct *);
extern void afs_put_call(struct afs_call *);
-void afs_deferred_put_call(struct afs_call *call);
void afs_make_call(struct afs_call *call, gfp_t gfp);
void afs_deliver_to_call(struct afs_call *call);
void afs_wait_for_call_to_complete(struct afs_call *call);
@@ -1495,7 +1493,6 @@ static inline void afs_set_call_complete(struct afs_call *call,
int error, u32 remote_abort)
{
enum afs_call_state state;
- bool ok = false;
spin_lock_bh(&call->state_lock);
state = call->state;
@@ -1505,19 +1502,8 @@ static inline void afs_set_call_complete(struct afs_call *call,
call->state = AFS_CALL_COMPLETE;
trace_afs_call_state(call, state, AFS_CALL_COMPLETE,
error, remote_abort);
- ok = true;
}
spin_unlock_bh(&call->state_lock);
- if (ok) {
- trace_afs_call_done(call);
-
- /* Asynchronous calls have two refs to release - one from the alloc and
- * one queued with the work item - and we can't just deallocate the
- * call because the work item may be queued again.
- */
- if (call->drop_ref)
- afs_put_call(call);
- }
}
/*
diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c
index 06c711c75f55..a404b6f0cc7c 100644
--- a/fs/afs/rxrpc.c
+++ b/fs/afs/rxrpc.c
@@ -177,7 +177,6 @@ static struct afs_call *afs_alloc_call(struct afs_net *net,
call->debug_id = atomic_inc_return(&rxrpc_debug_id);
refcount_set(&call->ref, 1);
INIT_WORK(&call->async_work, type->async_rx ?: afs_process_async_call);
- INIT_WORK(&call->work, call->type->work);
INIT_WORK(&call->free_work, afs_deferred_free_worker);
init_waitqueue_head(&call->waitq);
spin_lock_init(&call->state_lock);
@@ -244,37 +243,6 @@ static void afs_deferred_free_worker(struct work_struct *work)
afs_free_call(call);
}
-/*
- * Dispose of a reference on a call, deferring the cleanup to a workqueue
- * to avoid lock recursion.
- */
-void afs_deferred_put_call(struct afs_call *call)
-{
- struct afs_net *net = call->net;
- unsigned int debug_id = call->debug_id;
- bool zero;
- int r, o;
-
- zero = __refcount_dec_and_test(&call->ref, &r);
- o = atomic_read(&net->nr_outstanding_calls);
- trace_afs_call(debug_id, afs_call_trace_put, r - 1, o,
- __builtin_return_address(0));
- if (zero)
- schedule_work(&call->free_work);
-}
-
-/*
- * Queue the call for actual work.
- */
-static void afs_queue_call_work(struct afs_call *call)
-{
- if (call->type->work) {
- afs_get_call(call, afs_call_trace_work);
- if (!queue_work(afs_wq, &call->work))
- afs_put_call(call);
- }
-}
-
/*
* allocate a call with flat request and reply buffers
*/
@@ -375,10 +343,8 @@ void afs_make_call(struct afs_call *call, gfp_t gfp)
/* If the call is going to be asynchronous, we need an extra ref for
* the call to hold itself so the caller need not hang on to its ref.
*/
- if (call->async) {
+ if (call->async)
afs_get_call(call, afs_call_trace_get);
- call->drop_ref = true;
- }
/* create a call */
rxcall = rxrpc_kernel_begin_call(call->net->socket, call->peer, call->key,
@@ -479,8 +445,7 @@ void afs_make_call(struct afs_call *call, gfp_t gfp)
if (call->rxcall)
rxrpc_kernel_shutdown_call(call->net->socket, call->rxcall);
if (call->async) {
- if (cancel_work_sync(&call->async_work))
- afs_put_call(call);
+ cancel_work_sync(&call->async_work);
afs_set_call_complete(call, ret, 0);
}
@@ -566,7 +531,8 @@ void afs_deliver_to_call(struct afs_call *call)
switch (ret) {
case 0:
call->responded = true;
- afs_queue_call_work(call);
+ if (call->work)
+ call->work(call);
if (state == AFS_CALL_CL_PROC_REPLY) {
if (call->op)
set_bit(AFS_SERVER_FL_MAY_HAVE_CB,
@@ -616,6 +582,7 @@ void afs_deliver_to_call(struct afs_call *call)
}
done:
+ trace_afs_call_done(call);
if (call->type->done)
call->type->done(call);
out:
@@ -704,19 +671,16 @@ static void afs_wake_up_async_call(struct sock *sk, struct rxrpc_call *rxcall,
unsigned long call_user_ID)
{
struct afs_call *call = (struct afs_call *)call_user_ID;
- int r;
trace_afs_notify_call(rxcall, call);
call->need_attention = true;
- if (__refcount_inc_not_zero(&call->ref, &r)) {
- trace_afs_call(call->debug_id, afs_call_trace_wake, r + 1,
- atomic_read(&call->net->nr_outstanding_calls),
- __builtin_return_address(0));
+ trace_afs_call(call->debug_id, afs_call_trace_wake,
+ refcount_read(&call->ref),
+ atomic_read(&call->net->nr_outstanding_calls),
+ __builtin_return_address(0));
- if (!queue_work(afs_async_calls, &call->async_work))
- afs_deferred_put_call(call);
- }
+ queue_work(afs_async_calls, &call->async_work);
}
/*
@@ -729,12 +693,20 @@ static void afs_process_async_call(struct work_struct *work)
_enter("");
+ trace_afs_call(call->debug_id, afs_call_trace_async_process,
+ refcount_read(&call->ref),
+ atomic_read(&call->net->nr_outstanding_calls),
+ __builtin_return_address(0));
+
if (call->state < AFS_CALL_COMPLETE && call->need_attention) {
call->need_attention = false;
afs_deliver_to_call(call);
}
- afs_put_call(call);
+ if (call->state == AFS_CALL_COMPLETE) {
+ cancel_work(&call->async_work);
+ afs_put_call(call);
+ }
_leave("");
}
@@ -760,7 +732,6 @@ void afs_charge_preallocation(struct work_struct *work)
if (!call)
break;
- call->drop_ref = true;
call->async = true;
call->state = AFS_CALL_SV_AWAIT_OP_ID;
init_waitqueue_head(&call->waitq);
@@ -836,7 +807,7 @@ static int afs_deliver_cm_op_id(struct afs_call *call)
&call->enctype);
trace_afs_cb_call(call);
- call->work.func = call->type->work;
+ call->work = call->type->work;
/* pass responsibility for the remainder of this message off to the
* cache manager op */
diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h
index cf7218efb861..4f18a2a5b9f6 100644
--- a/include/trace/events/afs.h
+++ b/include/trace/events/afs.h
@@ -123,6 +123,7 @@ enum yfs_cm_operation {
EM(afs_call_trace_alloc, "ALLOC") \
EM(afs_call_trace_async_abort, "ASYAB") \
EM(afs_call_trace_async_kill, "ASYKL") \
+ EM(afs_call_trace_async_process, "ASYPR") \
EM(afs_call_trace_free, "FREE ") \
EM(afs_call_trace_get, "GET ") \
EM(afs_call_trace_put, "PUT ") \
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 10/16] afs: Make afs_put_call() take trace argument
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
` (8 preceding siblings ...)
2026-07-10 19:22 ` [PATCH net v2 09/16] afs: Simplify call refcounting David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 11/16] afs: Fix UAF in afs_make_call() David Howells
` (5 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
Jeffrey Altman
Make afs_put_call() take trace argument to display in the afs_call trace
line and stop showing the function return address (which isn't unique due
to inlining and tail-calling).
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
---
fs/afs/file.c | 4 ++--
fs/afs/fs_operation.c | 2 +-
fs/afs/fsclient.c | 4 ++--
fs/afs/internal.h | 8 +++-----
fs/afs/rxrpc.c | 39 ++++++++++++++------------------------
fs/afs/vl_probe.c | 2 +-
fs/afs/vlclient.c | 8 ++++----
include/trace/events/afs.h | 38 +++++++++++++++++++++----------------
8 files changed, 49 insertions(+), 56 deletions(-)
diff --git a/fs/afs/file.c b/fs/afs/file.c
index 35d68f7f498d..625dc67f79f3 100644
--- a/fs/afs/file.c
+++ b/fs/afs/file.c
@@ -298,7 +298,7 @@ static void afs_read_receive(struct afs_call *call)
op->call_responded = call->responded;
op->call = NULL;
call->op = NULL;
- afs_put_call(call);
+ afs_put_call(call, afs_call_trace_put_read_op);
/* If the call failed, then we need to crank the server rotation
* handle and try the next.
@@ -319,7 +319,7 @@ void afs_fetch_data_async_rx(struct work_struct *work)
if (call->state == AFS_CALL_COMPLETE) {
cancel_work(&call->async_work);
- afs_put_call(call);
+ afs_put_call(call, afs_call_trace_put_read_complete);
}
}
diff --git a/fs/afs/fs_operation.c b/fs/afs/fs_operation.c
index c0dbbc6d3716..9ea9db256a41 100644
--- a/fs/afs/fs_operation.c
+++ b/fs/afs/fs_operation.c
@@ -296,7 +296,7 @@ void afs_wait_for_operation(struct afs_operation *op)
op->call_abort_code = op->call->abort_code;
op->call_error = op->call->error;
op->call_responded = op->call->responded;
- afs_put_call(op->call);
+ afs_put_call(op->call, afs_call_trace_put_wait_op);
}
}
diff --git a/fs/afs/fsclient.c b/fs/afs/fsclient.c
index 626e1d37b915..9acad5017fba 100644
--- a/fs/afs/fsclient.c
+++ b/fs/afs/fsclient.c
@@ -1662,7 +1662,7 @@ int afs_fs_give_up_all_callbacks(struct afs_net *net, struct afs_server *server,
ret = call->error;
if (call->responded)
set_bit(AFS_SERVER_FL_RESPONDING, &server->flags);
- afs_put_call(call);
+ afs_put_call(call, afs_call_trace_put_giveupcallbacks);
return ret;
}
@@ -1778,7 +1778,7 @@ bool afs_fs_get_capabilities(struct afs_net *net, struct afs_server *server,
trace_afs_make_fs_call(call, NULL);
afs_make_call(call, GFP_NOFS);
- afs_put_call(call);
+ afs_put_call(call, afs_call_trace_put_get_capabilities);
return true;
}
diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index cd00956bc4cf..7b68cf141bf9 100644
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -1380,7 +1380,7 @@ extern struct workqueue_struct *afs_async_calls;
extern int __net_init afs_open_socket(struct afs_net *);
extern void __net_exit afs_close_socket(struct afs_net *);
extern void afs_charge_preallocation(struct work_struct *);
-extern void afs_put_call(struct afs_call *);
+void afs_put_call(struct afs_call *call, enum afs_call_trace trace);
void afs_make_call(struct afs_call *call, gfp_t gfp);
void afs_deliver_to_call(struct afs_call *call);
void afs_wait_for_call_to_complete(struct afs_call *call);
@@ -1401,8 +1401,7 @@ static inline struct afs_call *afs_get_call(struct afs_call *call,
__refcount_inc(&call->ref, &r);
trace_afs_call(call->debug_id, why, r + 1,
- atomic_read(&call->net->nr_outstanding_calls),
- __builtin_return_address(0));
+ atomic_read(&call->net->nr_outstanding_calls));
return call;
}
@@ -1411,8 +1410,7 @@ static inline void afs_see_call(struct afs_call *call, enum afs_call_trace why)
int r = refcount_read(&call->ref);
trace_afs_call(call->debug_id, why, r,
- atomic_read(&call->net->nr_outstanding_calls),
- __builtin_return_address(0));
+ atomic_read(&call->net->nr_outstanding_calls));
}
static inline void afs_make_op_call(struct afs_operation *op, struct afs_call *call,
diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c
index a404b6f0cc7c..a1b9ced4e0f4 100644
--- a/fs/afs/rxrpc.c
+++ b/fs/afs/rxrpc.c
@@ -138,7 +138,7 @@ void afs_close_socket(struct afs_net *net)
cancel_work_sync(&net->charge_preallocation_work);
if (net->spare_incoming_call) {
- afs_put_call(net->spare_incoming_call);
+ afs_put_call(net->spare_incoming_call, afs_call_trace_put_spare_svc);
net->spare_incoming_call = NULL;
}
@@ -183,14 +183,14 @@ static struct afs_call *afs_alloc_call(struct afs_net *net,
call->iter = &call->def_iter;
o = atomic_inc_return(&net->nr_outstanding_calls);
- trace_afs_call(call->debug_id, afs_call_trace_alloc, 1, o,
- __builtin_return_address(0));
+ trace_afs_call(call->debug_id, afs_call_trace_alloc, 1, o);
return call;
}
static void afs_free_call(struct afs_call *call)
{
struct afs_net *net = call->net;
+ unsigned int debug_id = call->debug_id;
int o;
ASSERT(!work_pending(&call->async_work));
@@ -207,13 +207,10 @@ static void afs_free_call(struct afs_call *call)
afs_unuse_server_notime(call->net, call->server, afs_server_trace_unuse_call);
kfree(call->request);
-
- o = atomic_read(&net->nr_outstanding_calls);
- trace_afs_call(call->debug_id, afs_call_trace_free, 0, o,
- __builtin_return_address(0));
kfree(call);
o = atomic_dec_return(&net->nr_outstanding_calls);
+ trace_afs_call(debug_id, afs_call_trace_free, 0, o);
if (o == 0)
wake_up_var(&net->nr_outstanding_calls);
}
@@ -221,7 +218,7 @@ static void afs_free_call(struct afs_call *call)
/*
* Dispose of a reference on a call.
*/
-void afs_put_call(struct afs_call *call)
+void afs_put_call(struct afs_call *call, enum afs_call_trace trace)
{
struct afs_net *net = call->net;
unsigned int debug_id = call->debug_id;
@@ -230,8 +227,7 @@ void afs_put_call(struct afs_call *call)
zero = __refcount_dec_and_test(&call->ref, &r);
o = atomic_read(&net->nr_outstanding_calls);
- trace_afs_call(debug_id, afs_call_trace_put, r - 1, o,
- __builtin_return_address(0));
+ trace_afs_call(debug_id, trace, r - 1, o);
if (zero)
afs_free_call(call);
}
@@ -276,7 +272,7 @@ struct afs_call *afs_alloc_flat_call(struct afs_net *net,
return call;
nomem_free:
- afs_put_call(call);
+ afs_put_call(call, afs_call_trace_put_oom);
nomem_call:
return NULL;
}
@@ -344,7 +340,7 @@ void afs_make_call(struct afs_call *call, gfp_t gfp)
* the call to hold itself so the caller need not hang on to its ref.
*/
if (call->async)
- afs_get_call(call, afs_call_trace_get);
+ afs_get_call(call, afs_call_trace_get_make_async_call);
/* create a call */
rxcall = rxrpc_kernel_begin_call(call->net->socket, call->peer, call->key,
@@ -418,7 +414,7 @@ void afs_make_call(struct afs_call *call, gfp_t gfp)
RX_USER_ABORT, ret,
afs_abort_send_data_error);
if (call->async) {
- afs_see_call(call, afs_call_trace_async_abort);
+ afs_see_call(call, afs_call_trace_see_async_abort);
return;
}
@@ -434,7 +430,7 @@ void afs_make_call(struct afs_call *call, gfp_t gfp)
trace_afs_call_done(call);
error_kill_call:
if (call->async)
- afs_see_call(call, afs_call_trace_async_kill);
+ afs_see_call(call, afs_call_trace_see_async_kill);
if (call->type->immediate_cancel)
call->type->immediate_cancel(call);
@@ -675,11 +671,7 @@ static void afs_wake_up_async_call(struct sock *sk, struct rxrpc_call *rxcall,
trace_afs_notify_call(rxcall, call);
call->need_attention = true;
- trace_afs_call(call->debug_id, afs_call_trace_wake,
- refcount_read(&call->ref),
- atomic_read(&call->net->nr_outstanding_calls),
- __builtin_return_address(0));
-
+ afs_see_call(call, afs_call_trace_see_async_wake);
queue_work(afs_async_calls, &call->async_work);
}
@@ -693,10 +685,7 @@ static void afs_process_async_call(struct work_struct *work)
_enter("");
- trace_afs_call(call->debug_id, afs_call_trace_async_process,
- refcount_read(&call->ref),
- atomic_read(&call->net->nr_outstanding_calls),
- __builtin_return_address(0));
+ afs_see_call(call, afs_call_trace_see_async_process);
if (call->state < AFS_CALL_COMPLETE && call->need_attention) {
call->need_attention = false;
@@ -705,7 +694,7 @@ static void afs_process_async_call(struct work_struct *work)
if (call->state == AFS_CALL_COMPLETE) {
cancel_work(&call->async_work);
- afs_put_call(call);
+ afs_put_call(call, afs_call_trace_put_async_complete);
}
_leave("");
}
@@ -758,7 +747,7 @@ static void afs_rx_discard_new_call(struct rxrpc_call *rxcall,
struct afs_call *call = (struct afs_call *)user_call_ID;
call->rxcall = NULL;
- afs_put_call(call);
+ afs_put_call(call, afs_call_trace_put_discard_prealloc);
}
/*
diff --git a/fs/afs/vl_probe.c b/fs/afs/vl_probe.c
index 3d2e0c925460..1d70887c9f31 100644
--- a/fs/afs/vl_probe.c
+++ b/fs/afs/vl_probe.c
@@ -186,7 +186,7 @@ static bool afs_do_probe_vlserver(struct afs_net *net,
server_index);
if (!IS_ERR(call)) {
afs_prioritise_error(_e, call->error, call->abort_code);
- afs_put_call(call);
+ afs_put_call(call, afs_call_trace_put_vl_get_caps);
in_progress = true;
} else {
afs_prioritise_error(_e, PTR_ERR(call), 0);
diff --git a/fs/afs/vlclient.c b/fs/afs/vlclient.c
index a40b43464cfa..8a4c8c9a1e39 100644
--- a/fs/afs/vlclient.c
+++ b/fs/afs/vlclient.c
@@ -153,7 +153,7 @@ struct afs_vldb_entry *afs_vl_get_entry_by_name_u(struct afs_vl_cursor *vc,
vc->call_abort_code = call->abort_code;
vc->call_error = call->error;
vc->call_responded = call->responded;
- afs_put_call(call);
+ afs_put_call(call, afs_call_trace_put_vl_call);
if (vc->call_error) {
kfree(entry);
return ERR_PTR(vc->call_error);
@@ -303,7 +303,7 @@ struct afs_addr_list *afs_vl_get_addrs_u(struct afs_vl_cursor *vc,
vc->call_error = call->error;
vc->call_responded = call->responded;
alist = call->ret_alist;
- afs_put_call(call);
+ afs_put_call(call, afs_call_trace_put_vl_call);
if (vc->call_error) {
afs_put_addrlist(alist, afs_alist_trace_put_getaddru);
return ERR_PTR(vc->call_error);
@@ -666,7 +666,7 @@ struct afs_addr_list *afs_yfsvl_get_endpoints(struct afs_vl_cursor *vc,
vc->call_error = call->error;
vc->call_responded = call->responded;
alist = call->ret_alist;
- afs_put_call(call);
+ afs_put_call(call, afs_call_trace_put_vl_call);
if (vc->call_error) {
afs_put_addrlist(alist, afs_alist_trace_put_getaddru);
return ERR_PTR(vc->call_error);
@@ -784,7 +784,7 @@ char *afs_yfsvl_get_cell_name(struct afs_vl_cursor *vc)
vc->call_error = call->error;
vc->call_responded = call->responded;
cellname = call->ret_str;
- afs_put_call(call);
+ afs_put_call(call, afs_call_trace_put_vl_call);
if (vc->call_error) {
kfree(cellname);
return ERR_PTR(vc->call_error);
diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h
index 4f18a2a5b9f6..df397c11df85 100644
--- a/include/trace/events/afs.h
+++ b/include/trace/events/afs.h
@@ -120,15 +120,24 @@ enum yfs_cm_operation {
* Declare tracing information enums and their string mappings for display.
*/
#define afs_call_traces \
- EM(afs_call_trace_alloc, "ALLOC") \
- EM(afs_call_trace_async_abort, "ASYAB") \
- EM(afs_call_trace_async_kill, "ASYKL") \
- EM(afs_call_trace_async_process, "ASYPR") \
- EM(afs_call_trace_free, "FREE ") \
- EM(afs_call_trace_get, "GET ") \
- EM(afs_call_trace_put, "PUT ") \
- EM(afs_call_trace_wake, "WAKE ") \
- E_(afs_call_trace_work, "QUEUE")
+ EM(afs_call_trace_alloc, "ALLOC ") \
+ EM(afs_call_trace_free, "FREE ") \
+ EM(afs_call_trace_get_make_async_call, "GET a-make ") \
+ EM(afs_call_trace_put_async_complete, "PUT a-cmpl ") \
+ EM(afs_call_trace_put_discard_prealloc, "PUT dis-pre") \
+ EM(afs_call_trace_put_get_capabilities, "PUT get-cap") \
+ EM(afs_call_trace_put_giveupcallbacks, "PUT gvup-cb") \
+ EM(afs_call_trace_put_oom, "PUT oom ") \
+ EM(afs_call_trace_put_read_complete, "PUT rd-cpl ") \
+ EM(afs_call_trace_put_read_op, "PUT rd-op ") \
+ EM(afs_call_trace_put_spare_svc, "PUT spare-s") \
+ EM(afs_call_trace_put_vl_call, "PUT vl-call") \
+ EM(afs_call_trace_put_vl_get_caps, "PUT vl-gcap") \
+ EM(afs_call_trace_put_wait_op, "PUT wt-op ") \
+ EM(afs_call_trace_see_async_abort, "SEE a-abort") \
+ EM(afs_call_trace_see_async_kill, "SEE a-kill ") \
+ EM(afs_call_trace_see_async_process, "SEE a-proc ") \
+ E_(afs_call_trace_see_async_wake, "SEE a-wake ")
#define afs_server_traces \
EM(afs_server_trace_callback, "CALLBACK ") \
@@ -694,16 +703,15 @@ TRACE_EVENT(afs_cb_call,
TRACE_EVENT(afs_call,
TP_PROTO(unsigned int call_debug_id, enum afs_call_trace op,
- int ref, int outstanding, const void *where),
+ int ref, int outstanding),
- TP_ARGS(call_debug_id, op, ref, outstanding, where),
+ TP_ARGS(call_debug_id, op, ref, outstanding),
TP_STRUCT__entry(
__field(unsigned int, call)
__field(int, op)
__field(int, ref)
__field(int, outstanding)
- __field(const void *, where)
),
TP_fast_assign(
@@ -711,15 +719,13 @@ TRACE_EVENT(afs_call,
__entry->op = op;
__entry->ref = ref;
__entry->outstanding = outstanding;
- __entry->where = where;
),
- TP_printk("c=%08x %s r=%d o=%d sp=%pSR",
+ TP_printk("c=%08x %s r=%d o=%d",
__entry->call,
__print_symbolic(__entry->op, afs_call_traces),
__entry->ref,
- __entry->outstanding,
- __entry->where)
+ __entry->outstanding)
);
TRACE_EVENT(afs_make_fs_call,
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 11/16] afs: Fix UAF in afs_make_call()
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
` (9 preceding siblings ...)
2026-07-10 19:22 ` [PATCH net v2 10/16] afs: Make afs_put_call() take trace argument David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 12/16] keys: Add refcounting to user-defined key type payload David Howells
` (4 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
Jeffrey Altman, stable
There's a potential UAF in afs_make_call() in the event that an
asynchronous call is being sent, but the call fails in some way (e.g. it
gets aborted from the server). The problem is that afs_make_call() tries
to abort a call if the rxrpc send fails, but the asynchronous notification
from rxrpc may have caused the afs_call to be torn down.
Fix this making afs_make_op_call() give the op->call its own ref rather
than transferring the caller's ref to it and then dropping the ref when
afs_make_call() returns.
This also means that the afs_make_call() func never loses its ref on the
call now.
Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept")
Link: https://sashiko.dev/#/patchset/20260702144919.172295-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
---
fs/afs/internal.h | 3 ++-
fs/afs/rxrpc.c | 3 ---
include/trace/events/afs.h | 2 ++
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index 7b68cf141bf9..47e2cae979b6 100644
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -1418,7 +1418,7 @@ static inline void afs_make_op_call(struct afs_operation *op, struct afs_call *c
{
struct afs_addr_list *alist = op->estate->addresses;
- op->call = call;
+ op->call = afs_get_call(call, afs_call_trace_get_op_call);
op->type = call->type;
call->op = op;
call->key = op->key;
@@ -1426,6 +1426,7 @@ static inline void afs_make_op_call(struct afs_operation *op, struct afs_call *c
call->peer = rxrpc_kernel_get_peer(alist->addrs[op->addr_index].peer);
call->service_id = op->server->service_id;
afs_make_call(call, gfp);
+ afs_put_call(call, afs_call_trace_put_made_call);
}
static inline void afs_extract_begin(struct afs_call *call, void *buf, size_t size)
diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c
index a1b9ced4e0f4..6dc6fd853832 100644
--- a/fs/afs/rxrpc.c
+++ b/fs/afs/rxrpc.c
@@ -382,8 +382,6 @@ void afs_make_call(struct afs_call *call, gfp_t gfp)
if (ret < 0)
goto error_do_abort;
- /* We lost our ref on call if MSG_MORE was not set and ret >= 0. */
-
if (write_iter) {
msg.msg_iter = *call->write_iter;
msg.msg_flags &= ~MSG_MORE;
@@ -393,7 +391,6 @@ void afs_make_call(struct afs_call *call, gfp_t gfp)
call->rxcall, &msg,
iov_iter_count(&msg.msg_iter),
afs_notify_end_request_tx);
- /* We lost our ref on call if ret >= 0. */
trace_afs_sent_data(debug_id, &msg, ret);
if (ret < 0)
diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h
index df397c11df85..a1963e21f034 100644
--- a/include/trace/events/afs.h
+++ b/include/trace/events/afs.h
@@ -122,8 +122,10 @@ enum yfs_cm_operation {
#define afs_call_traces \
EM(afs_call_trace_alloc, "ALLOC ") \
EM(afs_call_trace_free, "FREE ") \
+ EM(afs_call_trace_get_op_call, "GET op ") \
EM(afs_call_trace_get_make_async_call, "GET a-make ") \
EM(afs_call_trace_put_async_complete, "PUT a-cmpl ") \
+ EM(afs_call_trace_put_made_call, "PUT made ") \
EM(afs_call_trace_put_discard_prealloc, "PUT dis-pre") \
EM(afs_call_trace_put_get_capabilities, "PUT get-cap") \
EM(afs_call_trace_put_giveupcallbacks, "PUT gvup-cb") \
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 12/16] keys: Add refcounting to user-defined key type payload
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
` (10 preceding siblings ...)
2026-07-10 19:22 ` [PATCH net v2 11/16] afs: Fix UAF in afs_make_call() David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 13/16] afs: Create a server appdata key David Howells
` (3 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
Jeffrey Altman, Jarkko Sakkinen, keyrings, stable
Add refcounting to user-defined key type payload so that a kernel service
wanting to use such a key can hold onto the payload without the RCU read
lock held in order that it can do an allocation without having to be
concerned with the key getting updated.
This is the first part of the fix for the AF_RXRPC challenge response
generation code.
Fixes: 5800b1cf3fd8 ("rxrpc: Allow CHALLENGEs to the passed to the app for a RESPONSE")
Link: https://sashiko.dev/#/patchset/20260624163819.3017002-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: Jarkko Sakkinen <jarkko@kernel.org>
cc: linux-afs@lists.infradead.org
cc: keyrings@vger.kernel.org
cc: stable@kernel.org
---
include/keys/user-type.h | 2 ++
net/dns_resolver/dns_key.c | 1 +
security/keys/user_defined.c | 23 ++++++++++++++++-------
3 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/include/keys/user-type.h b/include/keys/user-type.h
index 386c31432789..7002a993a472 100644
--- a/include/keys/user-type.h
+++ b/include/keys/user-type.h
@@ -26,6 +26,7 @@
*/
struct user_key_payload {
struct rcu_head rcu; /* RCU destructor */
+ refcount_t ref;
unsigned short datalen; /* length of this data */
char data[] __aligned(__alignof__(u64)); /* actual data */
};
@@ -37,6 +38,7 @@ struct key_preparsed_payload;
extern int user_preparse(struct key_preparsed_payload *prep);
extern void user_free_preparse(struct key_preparsed_payload *prep);
+void put_user_key_payload(struct user_key_payload *payload);
extern int user_update(struct key *key, struct key_preparsed_payload *prep);
extern void user_revoke(struct key *key);
extern void user_destroy(struct key *key);
diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
index c3c8c3240ef9..aa3c058f4095 100644
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -208,6 +208,7 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
kleave(" = -ENOMEM");
return -ENOMEM;
}
+ refcount_set(&upayload->ref, 1);
upayload->datalen = result_len;
memcpy(upayload->data, data, result_len);
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 6f88b507f927..90c1bd5d7dfe 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -67,6 +67,7 @@ int user_preparse(struct key_preparsed_payload *prep)
upayload = kmalloc_flex(*upayload, data, datalen);
if (!upayload)
return -ENOMEM;
+ refcount_set(&upayload->ref, 1);
/* attach the data */
prep->quotalen = datalen;
@@ -88,12 +89,22 @@ EXPORT_SYMBOL_GPL(user_free_preparse);
static void user_free_payload_rcu(struct rcu_head *head)
{
- struct user_key_payload *payload;
+ struct user_key_payload *payload =
+ container_of(head, struct user_key_payload, rcu);
- payload = container_of(head, struct user_key_payload, rcu);
kfree_sensitive(payload);
}
+/*
+ * Free a user defined key payload.
+ */
+void put_user_key_payload(struct user_key_payload *payload)
+{
+ if (payload && refcount_dec_and_test(&payload->ref))
+ call_rcu(&payload->rcu, user_free_payload_rcu);
+}
+EXPORT_SYMBOL_GPL(put_user_key_payload);
+
/*
* update a user defined key
* - the key's semaphore is write-locked
@@ -115,8 +126,7 @@ int user_update(struct key *key, struct key_preparsed_payload *prep)
rcu_assign_keypointer(key, prep->payload.data[0]);
prep->payload.data[0] = NULL;
- if (zap)
- call_rcu(&zap->rcu, user_free_payload_rcu);
+ put_user_key_payload(zap);
return ret;
}
EXPORT_SYMBOL_GPL(user_update);
@@ -134,7 +144,7 @@ void user_revoke(struct key *key)
if (upayload) {
rcu_assign_keypointer(key, NULL);
- call_rcu(&upayload->rcu, user_free_payload_rcu);
+ put_user_key_payload(upayload);
}
}
@@ -147,9 +157,8 @@ void user_destroy(struct key *key)
{
struct user_key_payload *upayload = key->payload.data[0];
- kfree_sensitive(upayload);
+ put_user_key_payload(upayload);
}
-
EXPORT_SYMBOL_GPL(user_destroy);
/*
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 13/16] afs: Create a server appdata key
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
` (11 preceding siblings ...)
2026-07-10 19:22 ` [PATCH net v2 12/16] keys: Add refcounting to user-defined key type payload David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 14/16] rxrpc: Pass appdata key to rxrpc_call and thence to rxrpc_bundle David Howells
` (2 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
Jeffrey Altman, Jarkko Sakkinen, keyrings, stable
Currently, when a CHALLENGE packet comes in, it's queued in an OOB queue on
the AF_RXRPC socket that generated one of the calls on that connection for
the application (which might be in userspace) to service. The application
then picks up the CHALLENGE and requests a RESPONSE packet be generated,
allowing the app to include app-specific data in it if appropriate. There
is, however, no actual limit on the capacity of the CHALLENGE queue, and
this could be abused remotely - and also getting the OOB mechanism right
has proven tricky.
Further, by analogy with other AFS codebases, it's not actually necessary
to generate the application data in response to the CHALLENGE. The reason
I did this was to set the encryption on the app-data to be the same as that
specified in the CHALLENGE as the server must be able to handle that.
However, it's sufficient to use the encoding type set in the token that is
going to be sent to the server; presumably the kerberos server knows that
the fileserver can handle that type - otherwise why tell the client to use
it?
This is a part of the fix. With this, the AFS filesystem creates an
appdata key for each fileserver it talks to with RxGK and attaches it to
the afs_server record.
Fixes: 5800b1cf3fd8 ("rxrpc: Allow CHALLENGEs to the passed to the app for a RESPONSE")
Link: https://sashiko.dev/#/patchset/20260624163819.3017002-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: Jarkko Sakkinen <jarkko@kernel.org>
cc: linux-afs@lists.infradead.org
cc: keyrings@vger.kernel.org
cc: stable@kernel.org
---
fs/afs/cm_security.c | 232 +++++++++++++++++++++++++++++++++++++++++
fs/afs/fs_probe.c | 5 +
fs/afs/internal.h | 2 +
fs/afs/server.c | 1 +
include/net/af_rxrpc.h | 2 +
net/rxrpc/key.c | 37 +++++++
6 files changed, 279 insertions(+)
diff --git a/fs/afs/cm_security.c b/fs/afs/cm_security.c
index 103168c70dd4..36907a04efd0 100644
--- a/fs/afs/cm_security.c
+++ b/fs/afs/cm_security.c
@@ -6,7 +6,9 @@
*/
#include <linux/slab.h>
+#include <linux/key-type.h>
#include <crypto/krb5.h>
+#include <keys/user-type.h>
#include "internal.h"
#include "afs_cm.h"
#include "afs_fs.h"
@@ -23,6 +25,236 @@ static int afs_create_yfs_cm_token(struct sk_buff *challenge,
struct afs_server *server);
#endif
+#ifdef CONFIG_RXGK
+/*
+ * As the YFS RxGK appdata to be passed in the YFS.FS-service RESPONSE packet,
+ * create a GSS token to use as a ticket to the specified fileserver.
+ */
+static int afs_create_yfs_rxgk_cm_appdata(struct afs_server *server, u32 enctype)
+{
+ const struct krb5_enctype *conn_krb5, *token_krb5;
+ const struct krb5_buffer *token_key;
+ struct crypto_aead *aead;
+ struct scatterlist sg;
+ struct afs_net *net = server->cell->net;
+ const struct key *cm_key = net->fs_cm_token_key;
+ struct key *appdata_key = NULL;
+ size_t keysize, uuidsize, authsize, toksize, encsize, contsize;
+ size_t adatasize, offset;
+ __be32 caps[1] = {
+ [0] = htonl(AFS_CAP_ERROR_TRANSLATION),
+ };
+ __be32 *xdr;
+ void *appdata, *K0, *encbase;
+ int ret;
+
+ if (!cm_key)
+ return -ENOKEY;
+
+ /* Assume that the fileserver is happy to use the same encoding type as
+ * we were told to use by the token obtained by the user.
+ */
+ conn_krb5 = crypto_krb5_find_enctype(enctype);
+ if (!conn_krb5)
+ return -ENOPKG;
+ token_krb5 = cm_key->payload.data[0];
+ token_key = (const struct krb5_buffer *)&cm_key->payload.data[2];
+
+ /* struct rxgk_key {
+ * afs_uint32 enctype;
+ * opaque key<>;
+ * };
+ */
+ keysize = 4 + xdr_len_object(conn_krb5->key_len);
+
+ /* struct RXGK_AuthName {
+ * afs_int32 kind;
+ * opaque data<AUTHDATAMAX>;
+ * opaque display<AUTHPRINTABLEMAX>;
+ * };
+ */
+ uuidsize = sizeof(server->uuid);
+ authsize = 4 + xdr_len_object(uuidsize) + xdr_len_object(0);
+
+ /* struct RXGK_Token {
+ * rxgk_key K0;
+ * RXGK_Level level;
+ * rxgkTime starttime;
+ * afs_int32 lifetime;
+ * afs_int32 bytelife;
+ * rxgkTime expirationtime;
+ * struct RXGK_AuthName identities<>;
+ * };
+ */
+ toksize = keysize + 8 + 4 + 4 + 8 + xdr_len_object(authsize);
+
+ offset = 0;
+ encsize = crypto_krb5_how_much_buffer(token_krb5, KRB5_ENCRYPT_MODE, toksize, &offset);
+
+ /* struct RXGK_TokenContainer {
+ * afs_int32 kvno;
+ * afs_int32 enctype;
+ * opaque encrypted_token<>;
+ * };
+ */
+ contsize = 4 + 4 + xdr_len_object(encsize);
+
+ /* struct YFSAppData {
+ * opr_uuid initiatorUuid;
+ * opr_uuid acceptorUuid;
+ * Capabilities caps;
+ * afs_int32 enctype;
+ * opaque callbackKey<>;
+ * opaque callbackToken<>;
+ * };
+ */
+ adatasize = 16 + 16 +
+ xdr_len_object(sizeof(caps)) +
+ 4 +
+ xdr_len_object(conn_krb5->key_len) +
+ xdr_len_object(contsize);
+
+ ret = -ENOMEM;
+ appdata = kzalloc(adatasize, GFP_KERNEL);
+ if (!appdata)
+ goto out;
+ xdr = appdata;
+
+ memcpy(xdr, &net->uuid, 16); /* appdata.initiatorUuid */
+ xdr += 16 / 4;
+ memcpy(xdr, &server->uuid, 16); /* appdata.acceptorUuid */
+ xdr += 16 / 4;
+ *xdr++ = htonl(ARRAY_SIZE(caps)); /* appdata.caps.len */
+ memcpy(xdr, &caps, sizeof(caps)); /* appdata.caps */
+ xdr += ARRAY_SIZE(caps);
+ *xdr++ = htonl(conn_krb5->etype); /* appdata.enctype */
+
+ *xdr++ = htonl(conn_krb5->key_len); /* appdata.callbackKey.len */
+ K0 = xdr;
+ get_random_bytes(K0, conn_krb5->key_len); /* appdata.callbackKey.data */
+ xdr += xdr_round_up(conn_krb5->key_len) / 4;
+
+ *xdr++ = htonl(contsize); /* appdata.callbackToken.len */
+ *xdr++ = htonl(1); /* cont.kvno */
+ *xdr++ = htonl(token_krb5->etype); /* cont.enctype */
+ *xdr++ = htonl(encsize); /* cont.encrypted_token.len */
+
+ encbase = xdr;
+ xdr += offset / 4;
+ *xdr++ = htonl(conn_krb5->etype); /* token.K0.enctype */
+ *xdr++ = htonl(conn_krb5->key_len); /* token.K0.key.len */
+ memcpy(xdr, K0, conn_krb5->key_len); /* token.K0.key.data */
+ xdr += xdr_round_up(conn_krb5->key_len) / 4;
+
+ *xdr++ = htonl(RXRPC_SECURITY_ENCRYPT); /* token.level */
+ *xdr++ = htonl(0); /* token.starttime */
+ *xdr++ = htonl(0); /* " */
+ *xdr++ = htonl(0); /* token.lifetime */
+ *xdr++ = htonl(0); /* token.bytelife */
+ *xdr++ = htonl(0); /* token.expirationtime */
+ *xdr++ = htonl(0); /* " */
+ *xdr++ = htonl(1); /* token.identities.count */
+ *xdr++ = htonl(0); /* token.identities[0].kind */
+ *xdr++ = htonl(uuidsize); /* token.identities[0].data.len */
+ memcpy(xdr, &server->uuid, uuidsize);
+ xdr += xdr_round_up(uuidsize) / 4;
+ *xdr++ = htonl(0); /* token.identities[0].display.len */
+
+ xdr = encbase + xdr_round_up(encsize);
+
+ if ((unsigned long)xdr - (unsigned long)appdata != adatasize)
+ pr_err("Appdata size incorrect %lx != %zx\n",
+ (unsigned long)xdr - (unsigned long)appdata, adatasize);
+
+ aead = crypto_krb5_prepare_encryption(token_krb5, token_key, RXGK_SERVER_ENC_TOKEN,
+ GFP_KERNEL);
+ if (IS_ERR(aead)) {
+ ret = PTR_ERR(aead);
+ goto out_token;
+ }
+
+ sg_init_one(&sg, encbase, encsize);
+ ret = crypto_krb5_encrypt(token_krb5, aead, &sg, 1, encsize, offset, toksize, false);
+ if (ret < 0)
+ goto out_aead;
+
+ appdata_key = key_alloc(&key_type_user, "rxrpc: afs rxgk appdata",
+ GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
+ KEY_POS_VIEW | KEY_POS_SEARCH | KEY_USR_VIEW,
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
+ if (IS_ERR(appdata_key)) {
+ ret = PTR_ERR(appdata_key);
+ goto out_aead;
+ }
+
+ ret = key_instantiate_and_link(appdata_key, appdata, adatasize, NULL, NULL);
+ if (ret < 0) {
+ key_put(appdata_key);
+ goto out_aead;
+ }
+
+ /* Store the appdata before the key pointer */
+ smp_store_release(&server->yfs_rxgk_appdata, appdata_key);
+
+out_aead:
+ crypto_free_aead(aead);
+out_token:
+ kfree(appdata);
+out:
+ return ret;
+}
+#endif /* CONFIG_RXGK */
+
+/*
+ * Create the application data to go in a RESPONSE packet a server's CHALLENGE
+ * from the parameters contained in a key. The key specifies the security
+ * index and other appropriate parameters such as the encoding type for RxGK.
+ */
+int afs_create_server_appdata(struct afs_server *server, struct key *key)
+{
+ u32 krb5_enctype;
+ int ret;
+ u8 security_index;
+
+ if (!key)
+ return 0;
+
+ rxrpc_kernel_query_key(key, &security_index, &krb5_enctype);
+
+ _enter("%u,%u", security_index, krb5_enctype);
+
+ switch (security_index) {
+#ifdef CONFIG_RXGK
+ case RXRPC_SECURITY_YFS_RXGK:
+ /* Read the key pointer before the appdata */
+ if (smp_load_acquire(&server->yfs_rxgk_appdata))
+ return 0;
+ break;
+#endif
+ default:
+ return 0;
+ }
+
+ ret = 0;
+ mutex_lock(&server->cm_token_lock);
+
+ switch (security_index) {
+#ifdef CONFIG_RXGK
+ case RXRPC_SECURITY_YFS_RXGK:
+ /* Read the key pointer before the appdata */
+ if (smp_load_acquire(&server->yfs_rxgk_appdata))
+ break;
+ ret = afs_create_yfs_rxgk_cm_appdata(server, krb5_enctype);
+ break;
+#endif
+ default:
+ break;
+ }
+
+ mutex_unlock(&server->cm_token_lock);
+ return ret;
+}
+
/*
* Respond to an RxGK challenge, adding appdata.
*/
diff --git a/fs/afs/fs_probe.c b/fs/afs/fs_probe.c
index a91ad1938d07..e26f7f1e30a2 100644
--- a/fs/afs/fs_probe.c
+++ b/fs/afs/fs_probe.c
@@ -241,9 +241,14 @@ int afs_fs_probe_fileserver(struct afs_net *net, struct afs_server *server,
struct afs_endpoint_state *estate, *old;
struct afs_addr_list *old_alist = NULL, *alist;
unsigned long unprobed;
+ int ret;
_enter("%pU", &server->uuid);
+ ret = afs_create_server_appdata(server, key);
+ if (ret < 0)
+ return ret;
+
estate = kzalloc_obj(*estate);
if (!estate)
return -ENOMEM;
diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index 47e2cae979b6..738d529ec97b 100644
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -547,6 +547,7 @@ struct afs_server {
struct timer_list timer; /* Management timer */
struct mutex cm_token_lock; /* Lock governing creation of appdata */
struct krb5_buffer cm_rxgk_appdata; /* Appdata to be included in RESPONSE packet */
+ struct key *yfs_rxgk_appdata; /* Appdata to be included in RESPONSE packet */
time64_t unuse_time; /* Time at which last unused */
unsigned long flags;
#define AFS_SERVER_FL_RESPONDING 0 /* The server is responding */
@@ -1089,6 +1090,7 @@ extern bool afs_cm_incoming_call(struct afs_call *);
/*
* cm_security.c
*/
+int afs_create_server_appdata(struct afs_server *server, struct key *key);
void afs_process_oob_queue(struct work_struct *work);
#ifdef CONFIG_RXGK
int afs_create_token_key(struct afs_net *net, struct socket *socket);
diff --git a/fs/afs/server.c b/fs/afs/server.c
index 0fe162ea2a36..b08d9080b0c5 100644
--- a/fs/afs/server.c
+++ b/fs/afs/server.c
@@ -399,6 +399,7 @@ static void afs_server_rcu(struct rcu_head *rcu)
afs_estate_trace_put_server);
afs_put_cell(server->cell, afs_cell_trace_put_server);
kfree(server->cm_rxgk_appdata.data);
+ key_put(server->yfs_rxgk_appdata);
kfree(server);
}
diff --git a/include/net/af_rxrpc.h b/include/net/af_rxrpc.h
index 0fb4c41c9bbf..c4b68049c06f 100644
--- a/include/net/af_rxrpc.h
+++ b/include/net/af_rxrpc.h
@@ -109,6 +109,8 @@ int rxkad_kernel_respond_to_challenge(struct sk_buff *challenge);
u32 rxgk_kernel_query_challenge(struct sk_buff *challenge);
int rxgk_kernel_respond_to_challenge(struct sk_buff *challenge,
struct krb5_buffer *appdata);
+void rxrpc_kernel_query_key(const struct key *key, u8 *_security_index,
+ u32 *_krb5_enctype);
u8 rxrpc_kernel_query_call_security(struct rxrpc_call *call,
u16 *_service_id, u32 *_enctype);
diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
index a0aa78d89289..16bab72e6f07 100644
--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -893,3 +893,40 @@ static long rxrpc_read(const struct key *key,
_leave(" = %zu", size);
return size;
}
+
+/**
+ * rxrpc_kernel_query_key - Query parameters from an rxrpc key
+ * @key: The key to query
+ * @_security_index: Where to return the security index
+ * @_krb5_enctype: Where to return the krb5 encryption type if applicable
+ *
+ * Query an rxrpc authentication key, extracting the security index from the
+ * first token therein.
+ */
+void rxrpc_kernel_query_key(const struct key *key, u8 *_security_index,
+ u32 *_krb5_enctype)
+{
+ const struct rxrpc_key_token *token;
+
+ token = key->payload.data[0];
+ if (!token) {
+ *_security_index = 0;
+ *_krb5_enctype = 0;
+ return;
+ }
+
+ *_security_index = token->security_index;
+ switch (token->security_index) {
+ case RXRPC_SECURITY_RXKAD:
+ *_krb5_enctype = 0;
+ break;
+ case RXRPC_SECURITY_YFS_RXGK:
+ *_krb5_enctype = token->rxgk->enctype;
+ break;
+ default:
+ WARN_ON_ONCE(1);
+ *_krb5_enctype = 0;
+ break;
+ }
+}
+EXPORT_SYMBOL(rxrpc_kernel_query_key);
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 14/16] rxrpc: Pass appdata key to rxrpc_call and thence to rxrpc_bundle
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
` (12 preceding siblings ...)
2026-07-10 19:22 ` [PATCH net v2 13/16] afs: Create a server appdata key David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 15/16] rxrpc: Fix CHALLENGE packet overqueuing and simplify RESPONSE generation David Howells
2026-07-10 19:22 ` [PATCH net v2 16/16] rxrpc: Remove OOB challenge/response code David Howells
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
Jeffrey Altman, Jarkko Sakkinen, keyrings, stable
Currently, when a CHALLENGE packet comes in, it's queued in an OOB queue on
the AF_RXRPC socket that generated one of the calls on that connection for
the application (which might be in userspace) to service. The application
then picks up the CHALLENGE and requests a RESPONSE packet be generated,
allowing the app to include app-specific data in it if appropriate. There
is, however, no actual limit on the capacity of the CHALLENGE queue, and
this could be abused remotely - and also getting the OOB mechanism right
has proven tricky.
Further, by analogy with other AFS codebases, it's not actually necessary
to generate the application data in response to the CHALLENGE. The reason
I did this was to set the encryption on the app-data to be the same as that
specified in the CHALLENGE as the server must be able to handle that.
However, it's sufficient to use the encoding type set in the token that is
going to be sent to the server; presumably the kerberos server knows that
the fileserver can handle that type - otherwise why tell the client to use
it?
This is a part of the fix. With this, the appdata key created by the AFS
filesystem or passed in via sendmsg CMSG to a user AF_RXRPC socket is added
to an rxrpc_call struct and will then be added to an rxrpc_bundle struct.
Note that afs_make_op_call() has to be moved so that it can call
afs_use_server(). afs_operation-based calls did not heretofore 'use' the
server and server will be 'un-used' by afs_free_call().
Fixes: 5800b1cf3fd8 ("rxrpc: Allow CHALLENGEs to the passed to the app for a RESPONSE")
Link: https://sashiko.dev/#/patchset/20260624163819.3017002-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: Jarkko Sakkinen <jarkko@kernel.org>
cc: linux-afs@lists.infradead.org
cc: keyrings@vger.kernel.org
cc: stable@kernel.org
---
fs/afs/internal.h | 33 +++++++++++++++++----------------
fs/afs/rxrpc.c | 21 ++++++++++++++++++++-
include/net/af_rxrpc.h | 1 +
include/trace/events/afs.h | 1 +
include/uapi/linux/rxrpc.h | 1 +
net/rxrpc/af_rxrpc.c | 3 +++
net/rxrpc/ar-internal.h | 3 +++
net/rxrpc/call_object.c | 2 ++
net/rxrpc/conn_client.c | 2 ++
net/rxrpc/sendmsg.c | 25 ++++++++++++++++++++++++-
10 files changed, 74 insertions(+), 18 deletions(-)
diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index 738d529ec97b..228c7012013d 100644
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -1415,22 +1415,6 @@ static inline void afs_see_call(struct afs_call *call, enum afs_call_trace why)
atomic_read(&call->net->nr_outstanding_calls));
}
-static inline void afs_make_op_call(struct afs_operation *op, struct afs_call *call,
- gfp_t gfp)
-{
- struct afs_addr_list *alist = op->estate->addresses;
-
- op->call = afs_get_call(call, afs_call_trace_get_op_call);
- op->type = call->type;
- call->op = op;
- call->key = op->key;
- call->intr = !(op->flags & AFS_OPERATION_UNINTR);
- call->peer = rxrpc_kernel_get_peer(alist->addrs[op->addr_index].peer);
- call->service_id = op->server->service_id;
- afs_make_call(call, gfp);
- afs_put_call(call, afs_call_trace_put_made_call);
-}
-
static inline void afs_extract_begin(struct afs_call *call, void *buf, size_t size)
{
call->iov_len = size;
@@ -1750,6 +1734,23 @@ static inline struct inode *AFS_VNODE_TO_I(struct afs_vnode *vnode)
return &vnode->netfs.inode;
}
+static inline void afs_make_op_call(struct afs_operation *op, struct afs_call *call,
+ gfp_t gfp)
+{
+ struct afs_addr_list *alist = op->estate->addresses;
+
+ op->call = afs_get_call(call, afs_call_trace_get_op_call);
+ op->type = call->type;
+ call->op = op;
+ call->server = afs_use_server(op->server, false, afs_server_trace_use_call);
+ call->key = op->key;
+ call->intr = !(op->flags & AFS_OPERATION_UNINTR);
+ call->peer = rxrpc_kernel_get_peer(alist->addrs[op->addr_index].peer);
+ call->service_id = op->server->service_id;
+ afs_make_call(call, gfp);
+ afs_put_call(call, afs_call_trace_put_made_call);
+}
+
/*
* Note that a dentry got changed. We need to set d_fsdata to the data version
* number derived from the result of the operation. It doesn't matter if
diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c
index 6dc6fd853832..1a110448dbdb 100644
--- a/fs/afs/rxrpc.c
+++ b/fs/afs/rxrpc.c
@@ -312,6 +312,7 @@ void afs_make_call(struct afs_call *call, gfp_t gfp)
struct msghdr msg;
struct kvec iov[1];
unsigned int debug_id = call->debug_id;
+ struct key *app_data = NULL;
size_t len;
bool write_iter = call->write_iter;
s64 tx_total_len;
@@ -342,8 +343,26 @@ void afs_make_call(struct afs_call *call, gfp_t gfp)
if (call->async)
afs_get_call(call, afs_call_trace_get_make_async_call);
+ if (call->key && call->server) {
+ u32 krb5_enctype = 0;
+ u8 security_index = 0;
+
+ rxrpc_kernel_query_key(call->key, &security_index, &krb5_enctype);
+ switch (security_index) {
+#ifdef CONFIG_RXGK
+ case RXRPC_SECURITY_YFS_RXGK:
+ /* Read the key pointer before the appdata */
+ app_data = smp_load_acquire(&call->server->yfs_rxgk_appdata);
+ break;
+#endif
+ default:
+ break;
+ }
+ }
+
/* create a call */
- rxcall = rxrpc_kernel_begin_call(call->net->socket, call->peer, call->key,
+ rxcall = rxrpc_kernel_begin_call(call->net->socket, call->peer,
+ call->key, app_data,
(unsigned long)call,
tx_total_len,
call->max_lifespan,
diff --git a/include/net/af_rxrpc.h b/include/net/af_rxrpc.h
index c4b68049c06f..19c61a2f5af3 100644
--- a/include/net/af_rxrpc.h
+++ b/include/net/af_rxrpc.h
@@ -55,6 +55,7 @@ void rxrpc_kernel_set_notifications(struct socket *sock,
struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
struct rxrpc_peer *peer,
struct key *key,
+ struct key *app_data,
unsigned long user_call_ID,
s64 tx_total_len,
u32 hard_timeout,
diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h
index a1963e21f034..a4f57414d527 100644
--- a/include/trace/events/afs.h
+++ b/include/trace/events/afs.h
@@ -160,6 +160,7 @@ enum yfs_cm_operation {
EM(afs_server_trace_unuse_slist_isort, "UNU isort") \
EM(afs_server_trace_update, "UPDATE ") \
EM(afs_server_trace_use_by_uuid, "USE uuid ") \
+ EM(afs_server_trace_use_call, "USE call ") \
EM(afs_server_trace_use_cm_call, "USE cm-cl") \
EM(afs_server_trace_use_get_caps, "USE gcaps") \
EM(afs_server_trace_use_give_up_cb, "USE gvupc") \
diff --git a/include/uapi/linux/rxrpc.h b/include/uapi/linux/rxrpc.h
index d9735abd4c79..bcdfdf9c67a1 100644
--- a/include/uapi/linux/rxrpc.h
+++ b/include/uapi/linux/rxrpc.h
@@ -63,6 +63,7 @@ enum rxrpc_cmsg_type {
RXRPC_RESPOND = 17, /* Cs-: Respond to a challenge */
RXRPC_RESPONDED = 18, /* S-r: Data received in RESPONSE */
RXRPC_RESP_RXGK_APPDATA = 19, /* Cs-: RESPONSE: RxGK app data to include */
+ RXRPC_RESPONSE_APPDATA = 20, /* Cs-: User key holding app data for RESPONSE */
RXRPC__SUPPORTED
};
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index 9ab0f22c881e..a19c0fd3c51a 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -318,6 +318,7 @@ EXPORT_SYMBOL(rxrpc_kernel_put_peer);
* @sock: The socket on which to make the call
* @peer: The peer to contact
* @key: The security context to use (defaults to socket setting)
+ * @app_data: The security response application data (or NULL)
* @user_call_ID: The ID to use
* @tx_total_len: Total length of data to transmit during the call (or -1)
* @hard_timeout: The maximum lifespan of the call in sec
@@ -340,6 +341,7 @@ EXPORT_SYMBOL(rxrpc_kernel_put_peer);
struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
struct rxrpc_peer *peer,
struct key *key,
+ struct key *app_data,
unsigned long user_call_ID,
s64 tx_total_len,
u32 hard_timeout,
@@ -368,6 +370,7 @@ struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
key = NULL; /* a no-security key */
memset(&p, 0, sizeof(p));
+ p.app_data = app_data;
p.user_call_ID = user_call_ID;
p.tx_total_len = tx_total_len;
p.interruptibility = interruptibility;
diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index b6e7e8c5e96f..20c10428a50e 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -516,6 +516,7 @@ struct rxrpc_bundle {
struct rxrpc_local *local; /* Representation of local endpoint */
struct rxrpc_peer *peer; /* Remote endpoint */
struct key *key; /* Security details */
+ struct key *app_data; /* Security response app data */
struct list_head proc_link; /* Link in net->bundle_proc_list */
const struct rxrpc_security *security; /* applied security module */
refcount_t ref;
@@ -720,6 +721,7 @@ struct rxrpc_call {
struct rxrpc_sock __rcu *socket; /* socket responsible */
struct rxrpc_net *rxnet; /* Network namespace to which call belongs */
struct key *key; /* Security details */
+ struct key *app_data; /* Security response app data */
const struct rxrpc_security *security; /* applied security module */
struct mutex user_mutex; /* User access mutex */
struct sockaddr_rxrpc dest_srx; /* Destination address */
@@ -914,6 +916,7 @@ enum rxrpc_command {
};
struct rxrpc_call_params {
+ struct key *app_data; /* Security response app data */
s64 tx_total_len; /* Total Tx data length (if send data) */
unsigned long user_call_ID; /* User's call ID */
struct {
diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c
index 817ed9acb91e..9f6130d90c4c 100644
--- a/net/rxrpc/call_object.c
+++ b/net/rxrpc/call_object.c
@@ -211,6 +211,7 @@ static struct rxrpc_call *rxrpc_alloc_client_call(struct rxrpc_sock *rx,
call->interruptibility = p->interruptibility;
call->tx_total_len = p->tx_total_len;
call->key = key_get(cp->key);
+ call->app_data = key_get(p->app_data);
call->peer = rxrpc_get_peer(cp->peer, rxrpc_peer_get_call);
call->local = rxrpc_get_local(cp->local, rxrpc_local_get_call);
call->security_level = cp->security_level;
@@ -697,6 +698,7 @@ static void rxrpc_destroy_call(struct work_struct *work)
rxrpc_put_peer(call->peer, rxrpc_peer_put_call);
rxrpc_put_local(call->local, rxrpc_local_put_call);
key_put(call->key);
+ key_put(call->app_data);
call_rcu(&call->rcu, rxrpc_rcu_free_call);
}
diff --git a/net/rxrpc/conn_client.c b/net/rxrpc/conn_client.c
index 48519f0de185..5cbfa7b223e0 100644
--- a/net/rxrpc/conn_client.c
+++ b/net/rxrpc/conn_client.c
@@ -81,6 +81,7 @@ static struct rxrpc_bundle *rxrpc_alloc_bundle(struct rxrpc_call *call,
bundle->local = call->local;
bundle->peer = rxrpc_get_peer(call->peer, rxrpc_peer_get_bundle);
bundle->key = key_get(call->key);
+ bundle->app_data = key_get(call->app_data);
bundle->security = call->security;
bundle->exclusive = test_bit(RXRPC_CALL_EXCLUSIVE, &call->flags);
bundle->upgrade = test_bit(RXRPC_CALL_UPGRADE, &call->flags);
@@ -118,6 +119,7 @@ static void rxrpc_free_bundle(struct rxrpc_bundle *bundle)
write_unlock(&bundle->local->rxnet->conn_lock);
rxrpc_put_peer(bundle->peer, rxrpc_peer_put_bundle);
key_put(bundle->key);
+ key_put(bundle->app_data);
kfree(bundle);
}
diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index 71343998b87d..cdf35440317d 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -12,6 +12,7 @@
#include <linux/skbuff.h>
#include <linux/export.h>
#include <linux/sched/signal.h>
+#include <keys/user-type.h>
#include <net/sock.h>
#include <net/af_rxrpc.h>
@@ -530,6 +531,8 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
static int rxrpc_sendmsg_cmsg(struct msghdr *msg, struct rxrpc_send_params *p)
{
struct cmsghdr *cmsg;
+ key_serial_t key_id;
+ key_ref_t key;
bool got_user_ID = false;
int len;
@@ -614,6 +617,22 @@ static int rxrpc_sendmsg_cmsg(struct msghdr *msg, struct rxrpc_send_params *p)
return -ERANGE;
break;
+ case RXRPC_RESPONSE_APPDATA:
+ if (len != sizeof(key_serial_t))
+ return -EINVAL;
+ if (p->call.app_data)
+ return -EINVAL;
+ key_id = *(key_serial_t *)CMSG_DATA(cmsg);
+ key = lookup_user_key(key_id, 0, KEY_NEED_SEARCH);
+ if (IS_ERR(key))
+ return PTR_ERR(key);
+ if (key_ref_to_ptr(key)->type == &key_type_user) {
+ key_ref_put(key);
+ return -EINVAL;
+ }
+ p->call.app_data = key_ref_to_ptr(key);
+ break;
+
default:
return -EINVAL;
}
@@ -722,8 +741,10 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len)
goto error_release_sock;
call = rxrpc_new_client_call_for_sendmsg(rx, msg, &p);
/* The socket is now unlocked... */
- if (IS_ERR(call))
+ if (IS_ERR(call)) {
+ key_put(p.call.app_data);
return PTR_ERR(call);
+ }
/* ... and we have the call lock. */
p.call.nr_timeouts = 0;
ret = 0;
@@ -808,11 +829,13 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len)
mutex_unlock(&call->user_mutex);
error_put:
rxrpc_put_call(call, rxrpc_call_put_sendmsg);
+ key_put(p.call.app_data);
_leave(" = %d", ret);
return ret;
error_release_sock:
release_sock(&rx->sk);
+ key_put(p.call.app_data);
return ret;
}
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 15/16] rxrpc: Fix CHALLENGE packet overqueuing and simplify RESPONSE generation
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
` (13 preceding siblings ...)
2026-07-10 19:22 ` [PATCH net v2 14/16] rxrpc: Pass appdata key to rxrpc_call and thence to rxrpc_bundle David Howells
@ 2026-07-10 19:22 ` David Howells
2026-07-10 19:22 ` [PATCH net v2 16/16] rxrpc: Remove OOB challenge/response code David Howells
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
Jeffrey Altman, Jarkko Sakkinen, keyrings, stable
Currently, when a CHALLENGE packet comes in, it's queued in an OOB queue on
the AF_RXRPC socket that generated one of the calls on that connection for
the application (which might be in userspace) to service. The application
then picks up the CHALLENGE and requests a RESPONSE packet be generated,
allowing the app to include app-specific data in it if appropriate. There
is, however, no actual limit on the capacity of the CHALLENGE queue, and
this could be abused remotely - and also getting the OOB mechanism right
has proven tricky.
Further, by analogy with other AFS codebases, it's not actually necessary
to generate the application data in response to the CHALLENGE. The reason
I did this was to set the encryption on the app-data to be the same as that
specified in the CHALLENGE as the server must be able to handle that.
However, it's sufficient to use the encoding type set in the token that is
going to be sent to the server; presumably the kerberos server knows that
the fileserver can handle that type - otherwise why tell the client to use
it?
This is the main part of the fix. It switches the code over from using the
OOB communication mechanism to get the appdata on the fly from the
application (either the AFS filesystem or userspace) to using the appdata
key preemptively provided by the application.
The following changes are made:
(1) Revert to making the connection event processor work item parse the
CHALLENGE and generate the RESPONSE directly.
(2) Add another (optional) parameter that is passed in when an rxrpc
client call is created and ends up attached to the connection bundle
and is a user-type key containing the application data.
(3) RESPONSE generation looks at the bundle and if the app-data is there,
it will include it (if the security class is YFS-RxGK; RxKAD ignores
it).
The AFS filesystem driver creates an app-data key when it probes a
fileserver and attaches it to the afs_server struct. This is picked up
when a call is made to that server and thence passed to rxrpc.
Direct userspace users of AF_RXRPC can partake by creating a user-type key
containing the app-data they want to use and passing its serial ID in a
CMSG of type RXRPC_RESPONSE_APPDATA in the initial sendmsg() of a call.
Fixes: 5800b1cf3fd8 ("rxrpc: Allow CHALLENGEs to the passed to the app for a RESPONSE")
Link: https://sashiko.dev/#/patchset/20260624163819.3017002-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: Jarkko Sakkinen <jarkko@kernel.org>
cc: linux-afs@lists.infradead.org
cc: keyrings@vger.kernel.org
cc: stable@kernel.org
---
net/rxrpc/af_rxrpc.c | 5 +---
net/rxrpc/conn_event.c | 68 ++----------------------------------------
net/rxrpc/recvmsg.c | 2 +-
net/rxrpc/rxgk.c | 57 +++++++++++++++++++++--------------
4 files changed, 39 insertions(+), 93 deletions(-)
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index a19c0fd3c51a..9eb6ca3c5ebf 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -598,10 +598,7 @@ static int rxrpc_sendmsg(struct socket *sock, struct msghdr *m, size_t len)
fallthrough;
case RXRPC_SERVER_BOUND:
case RXRPC_SERVER_LISTENING:
- if (m->msg_flags & MSG_OOB)
- ret = rxrpc_sendmsg_oob(rx, m, len);
- else
- ret = rxrpc_do_sendmsg(rx, m, len);
+ ret = rxrpc_do_sendmsg(rx, m, len);
/* The socket has been unlocked */
goto out;
default:
diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index 611c790bc6d0..9146b9d4c2ac 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -279,10 +279,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
switch (sp->hdr.type) {
case RXRPC_PACKET_TYPE_CHALLENGE:
- ret = conn->security->respond_to_challenge(conn, skb);
- sp->chall.conn = NULL;
- rxrpc_put_connection(conn, rxrpc_conn_put_challenge_input);
- return ret;
+ return conn->security->respond_to_challenge(conn, skb);
case RXRPC_PACKET_TYPE_RESPONSE:
spin_lock_irq(&conn->state_lock);
@@ -425,66 +422,6 @@ static void rxrpc_post_packet_to_conn(struct rxrpc_connection *conn,
rxrpc_queue_conn(conn, rxrpc_conn_queue_rx_work);
}
-/*
- * Post a CHALLENGE packet to the socket of one of a connection's calls so that
- * it can get application data to include in the packet, possibly querying
- * userspace.
- */
-static bool rxrpc_post_challenge(struct rxrpc_connection *conn,
- struct sk_buff *skb)
-{
- struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
- struct rxrpc_call *call = NULL;
- struct rxrpc_sock *rx;
- bool respond = false, queued = false;
-
- sp->chall.conn =
- rxrpc_get_connection(conn, rxrpc_conn_get_challenge_input);
-
- if (!conn->security->challenge_to_recvmsg) {
- rxrpc_post_packet_to_conn(conn, skb);
- return true;
- }
-
- rcu_read_lock();
-
- for (int i = 0; i < ARRAY_SIZE(conn->channels); i++) {
- if (conn->channels[i].call) {
- call = conn->channels[i].call;
- rx = rcu_dereference(call->socket);
- if (!rx) {
- call = NULL;
- continue;
- }
-
- respond = true;
- if (test_bit(RXRPC_SOCK_MANAGE_RESPONSE, &rx->flags))
- break;
- call = NULL;
- }
- }
-
- if (!respond) {
- rcu_read_unlock();
- rxrpc_put_connection(conn, rxrpc_conn_put_challenge_input);
- sp->chall.conn = NULL;
- return false;
- }
-
- if (call)
- queued = rxrpc_notify_socket_oob(call, skb);
- rcu_read_unlock();
- if (call && !queued) {
- rxrpc_put_connection(conn, rxrpc_conn_put_challenge_input);
- sp->chall.conn = NULL;
- return false;
- }
-
- if (!call)
- rxrpc_post_packet_to_conn(conn, skb);
- return true;
-}
-
/*
* Input a connection-level packet.
*/
@@ -513,7 +450,8 @@ bool rxrpc_input_conn_packet(struct rxrpc_connection *conn, struct sk_buff *skb)
}
if (!conn->security->validate_challenge(conn, skb))
return false;
- return rxrpc_post_challenge(conn, skb);
+ rxrpc_post_packet_to_conn(conn, skb);
+ return true;
case RXRPC_PACKET_TYPE_RESPONSE:
if (rxrpc_is_conn_aborted(conn)) {
diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c
index 28b2148b5693..33577522ec02 100644
--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -405,7 +405,7 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
trace_rxrpc_recvmsg(0, rxrpc_recvmsg_enter, 0);
- if (flags & (MSG_OOB | MSG_TRUNC))
+ if (flags & MSG_TRUNC)
return -EOPNOTSUPP;
timeo = sock_rcvtimeo(&rx->sk, flags & MSG_DONTWAIT);
diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c
index 77a67ace1d24..f3e085b64502 100644
--- a/net/rxrpc/rxgk.c
+++ b/net/rxrpc/rxgk.c
@@ -11,6 +11,7 @@
#include <linux/skbuff.h>
#include <linux/slab.h>
#include <linux/key-type.h>
+#include <keys/user-type.h>
#include "ar-internal.h"
#include "rxgk_common.h"
@@ -837,7 +838,7 @@ static noinline ssize_t rxgk_insert_response_header(struct rxrpc_connection *con
*/
static ssize_t rxgk_construct_authenticator(struct rxrpc_connection *conn,
struct sk_buff *challenge,
- const struct krb5_buffer *appdata,
+ const struct user_key_payload *appdata,
struct sk_buff *response,
size_t offset)
{
@@ -859,20 +860,20 @@ static ssize_t rxgk_construct_authenticator(struct rxrpc_connection *conn,
if (ret < 0)
return -EPROTO;
- a.appdata_len = htonl(appdata->len);
+ a.appdata_len = htonl(appdata->datalen);
ret = skb_store_bits(response, offset, &a, sizeof(a));
if (ret < 0)
return ret;
offset += sizeof(a);
- if (appdata->len) {
- ret = skb_store_bits(response, offset, appdata->data, appdata->len);
+ if (appdata->datalen) {
+ ret = skb_store_bits(response, offset, appdata->data, appdata->datalen);
if (ret < 0)
return ret;
- offset += appdata->len;
+ offset += appdata->datalen;
- ret = rxgk_pad_out(response, appdata->len, offset);
+ ret = rxgk_pad_out(response, appdata->datalen, offset);
if (ret < 0)
return ret;
offset += ret;
@@ -890,7 +891,7 @@ static ssize_t rxgk_construct_authenticator(struct rxrpc_connection *conn,
ret = skb_store_bits(response, offset, &b, sizeof(b));
if (ret < 0)
return ret;
- return sizeof(a) + xdr_round_up(appdata->len) + sizeof(b);
+ return sizeof(a) + xdr_round_up(appdata->datalen) + sizeof(b);
}
static ssize_t rxgk_encrypt_authenticator(struct rxrpc_connection *conn,
@@ -923,7 +924,7 @@ static ssize_t rxgk_encrypt_authenticator(struct rxrpc_connection *conn,
*/
static int rxgk_construct_response(struct rxrpc_connection *conn,
struct sk_buff *challenge,
- struct krb5_buffer *appdata)
+ const struct user_key_payload *appdata)
{
struct rxrpc_skb_priv *csp, *rsp;
struct rxgk_context *gk;
@@ -936,7 +937,7 @@ static int rxgk_construct_response(struct rxrpc_connection *conn,
if (IS_ERR(gk))
return PTR_ERR(gk);
- auth_len = 20 + (4 + appdata->len) + 12 + (1 + 4) * 4;
+ auth_len = 20 + (4 + appdata->datalen) + 12 + (1 + 4) * 4;
authx_len = crypto_krb5_how_much_buffer(gk->krb5, KRB5_ENCRYPT_MODE,
auth_len, &auth_offset);
len = sizeof(struct rxrpc_wire_header) +
@@ -1011,24 +1012,36 @@ static int rxgk_construct_response(struct rxrpc_connection *conn,
* Respond to a challenge packet.
*/
static int rxgk_respond_to_challenge(struct rxrpc_connection *conn,
- struct sk_buff *challenge,
- struct krb5_buffer *appdata)
+ struct sk_buff *challenge)
{
- _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
+ struct user_key_payload dummy = {}, *appdata = &dummy;
+ int ret;
+
+ _enter("{%d,%u,%x,%x}",
+ conn->debug_id, conn->service_id,
+ key_serial(conn->key), key_serial(conn->bundle->app_data));
if (key_validate(conn->key) < 0)
return rxrpc_abort_conn(conn, NULL, RXGK_EXPIRED, -EPROTO,
rxgk_abort_chall_key_expired);
- return rxgk_construct_response(conn, challenge, appdata);
-}
+ if (conn->bundle->app_data) {
+ rcu_read_lock();
+ appdata = (struct user_key_payload *)
+ user_key_payload_rcu(conn->bundle->app_data);
+ if (appdata && !refcount_inc_not_zero(&appdata->ref))
+ appdata = NULL;
+ rcu_read_unlock();
+ if (!appdata)
+ return rxrpc_abort_conn(conn, NULL, RXGK_EXPIRED, -EKEYREVOKED,
+ rxgk_abort_chall_key_expired);
+ }
-static int rxgk_respond_to_challenge_no_appdata(struct rxrpc_connection *conn,
- struct sk_buff *challenge)
-{
- struct krb5_buffer appdata = {};
+ ret = rxgk_construct_response(conn, challenge, appdata);
- return rxgk_respond_to_challenge(conn, challenge, &appdata);
+ if (appdata != &dummy)
+ put_user_key_payload(appdata);
+ return ret;
}
/**
@@ -1044,9 +1057,7 @@ static int rxgk_respond_to_challenge_no_appdata(struct rxrpc_connection *conn,
int rxgk_kernel_respond_to_challenge(struct sk_buff *challenge,
struct krb5_buffer *appdata)
{
- struct rxrpc_skb_priv *csp = rxrpc_skb(challenge);
-
- return rxgk_respond_to_challenge(csp->chall.conn, challenge, appdata);
+ return -EINVAL;
}
EXPORT_SYMBOL(rxgk_kernel_respond_to_challenge);
@@ -1348,7 +1359,7 @@ const struct rxrpc_security rxgk_yfs = {
.validate_challenge = rxgk_validate_challenge,
.challenge_to_recvmsg = rxgk_challenge_to_recvmsg,
.sendmsg_respond_to_challenge = rxgk_sendmsg_respond_to_challenge,
- .respond_to_challenge = rxgk_respond_to_challenge_no_appdata,
+ .respond_to_challenge = rxgk_respond_to_challenge,
.verify_response = rxgk_verify_response,
.clear = rxgk_clear,
.default_decode_ticket = rxgk_yfs_decode_ticket,
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net v2 16/16] rxrpc: Remove OOB challenge/response code
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
` (14 preceding siblings ...)
2026-07-10 19:22 ` [PATCH net v2 15/16] rxrpc: Fix CHALLENGE packet overqueuing and simplify RESPONSE generation David Howells
@ 2026-07-10 19:22 ` David Howells
15 siblings, 0 replies; 17+ messages in thread
From: David Howells @ 2026-07-10 19:22 UTC (permalink / raw)
To: netdev
Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel,
Jeffrey Altman, Jarkko Sakkinen, keyrings, stable
Currently, when a CHALLENGE packet comes in, it's queued in an OOB queue on
the AF_RXRPC socket that generated one of the calls on that connection for
the application (which might be in userspace) to service. The application
then picks up the CHALLENGE and requests a RESPONSE packet be generated,
allowing the app to include app-specific data in it if appropriate. There
is, however, no actual limit on the capacity of the CHALLENGE queue, and
this could be abused remotely - and also getting the OOB mechanism right
has proven tricky.
Further, by analogy with other AFS codebases, it's not actually necessary
to generate the application data in response to the CHALLENGE. The reason
I did this was to set the encryption on the app-data to be the same as that
specified in the CHALLENGE as the server must be able to handle that.
However, it's sufficient to use the encoding type set in the token that is
going to be sent to the server; presumably the kerberos server knows that
the fileserver can handle that type - otherwise why tell the client to use
it?
This is the final part of the fix. It removes all the OOB communication
stuff along with the UAPI elements related to them.
Fixes: 5800b1cf3fd8 ("rxrpc: Allow CHALLENGEs to the passed to the app for a RESPONSE")
Link: https://sashiko.dev/#/patchset/20260624163819.3017002-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: Jarkko Sakkinen <jarkko@kernel.org>
cc: linux-afs@lists.infradead.org
cc: keyrings@vger.kernel.org
cc: stable@kernel.org
---
fs/afs/cm_security.c | 259 -----------------------
fs/afs/internal.h | 3 -
fs/afs/main.c | 1 -
fs/afs/rxrpc.c | 19 --
fs/afs/server.c | 1 -
include/net/af_rxrpc.h | 18 --
include/trace/events/rxrpc.h | 2 -
include/uapi/linux/rxrpc.h | 5 -
net/rxrpc/Makefile | 1 -
net/rxrpc/af_rxrpc.c | 41 +---
net/rxrpc/ar-internal.h | 19 --
net/rxrpc/oob.c | 387 -----------------------------------
net/rxrpc/recvmsg.c | 82 +-------
net/rxrpc/rxgk.c | 73 -------
net/rxrpc/rxkad.c | 27 ---
net/rxrpc/server_key.c | 40 ----
16 files changed, 5 insertions(+), 973 deletions(-)
delete mode 100644 net/rxrpc/oob.c
diff --git a/fs/afs/cm_security.c b/fs/afs/cm_security.c
index 36907a04efd0..f0fec3a76522 100644
--- a/fs/afs/cm_security.c
+++ b/fs/afs/cm_security.c
@@ -20,11 +20,6 @@
#define xdr_round_up(x) (round_up((x), sizeof(__be32)))
#define xdr_len_object(x) (4 + round_up((x), sizeof(__be32)))
-#ifdef CONFIG_RXGK
-static int afs_create_yfs_cm_token(struct sk_buff *challenge,
- struct afs_server *server);
-#endif
-
#ifdef CONFIG_RXGK
/*
* As the YFS RxGK appdata to be passed in the YFS.FS-service RESPONSE packet,
@@ -255,95 +250,6 @@ int afs_create_server_appdata(struct afs_server *server, struct key *key)
return ret;
}
-/*
- * Respond to an RxGK challenge, adding appdata.
- */
-static int afs_respond_to_challenge(struct sk_buff *challenge)
-{
-#ifdef CONFIG_RXGK
- struct krb5_buffer appdata = {};
- struct afs_server *server;
-#endif
- struct rxrpc_peer *peer;
- unsigned long peer_data;
- u16 service_id;
- u8 security_index;
-
- rxrpc_kernel_query_challenge(challenge, &peer, &peer_data,
- &service_id, &security_index);
-
- _enter("%u,%u", service_id, security_index);
-
- switch (service_id) {
- /* We don't send CM_SERVICE RPCs, so don't expect a challenge
- * therefrom.
- */
- case FS_SERVICE:
- case VL_SERVICE:
- case YFS_FS_SERVICE:
- case YFS_VL_SERVICE:
- break;
- default:
- pr_warn("Can't respond to unknown challenge %u:%u",
- service_id, security_index);
- return rxrpc_kernel_reject_challenge(challenge, RX_USER_ABORT, -EPROTO,
- afs_abort_unsupported_sec_class);
- }
-
- switch (security_index) {
-#ifdef CONFIG_RXKAD
- case RXRPC_SECURITY_RXKAD:
- return rxkad_kernel_respond_to_challenge(challenge);
-#endif
-
-#ifdef CONFIG_RXGK
- case RXRPC_SECURITY_RXGK:
- return rxgk_kernel_respond_to_challenge(challenge, &appdata);
-
- case RXRPC_SECURITY_YFS_RXGK:
- switch (service_id) {
- case FS_SERVICE:
- case YFS_FS_SERVICE:
- server = (struct afs_server *)peer_data;
- if (!server->cm_rxgk_appdata.data) {
- mutex_lock(&server->cm_token_lock);
- if (!server->cm_rxgk_appdata.data)
- afs_create_yfs_cm_token(challenge, server);
- mutex_unlock(&server->cm_token_lock);
- }
- if (server->cm_rxgk_appdata.data)
- appdata = server->cm_rxgk_appdata;
- break;
- }
- return rxgk_kernel_respond_to_challenge(challenge, &appdata);
-#endif
-
- default:
- return rxrpc_kernel_reject_challenge(challenge, RX_USER_ABORT, -EPROTO,
- afs_abort_unsupported_sec_class);
- }
-}
-
-/*
- * Process the OOB message queue, processing challenge packets.
- */
-void afs_process_oob_queue(struct work_struct *work)
-{
- struct afs_net *net = container_of(work, struct afs_net, rx_oob_work);
- struct sk_buff *oob;
- enum rxrpc_oob_type type;
-
- while (READ_ONCE(net->live) &&
- (oob = rxrpc_kernel_dequeue_oob(net->socket, &type))) {
- switch (type) {
- case RXRPC_OOB_CHALLENGE:
- afs_respond_to_challenge(oob);
- break;
- }
- rxrpc_kernel_free_oob(oob);
- }
-}
-
#ifdef CONFIG_RXGK
/*
* Create a securities keyring for the cache manager and attach a key to it for
@@ -405,169 +311,4 @@ int afs_create_token_key(struct afs_net *net, struct socket *socket)
key_put(ring);
return ret;
}
-
-/*
- * Create an YFS RxGK GSS token to use as a ticket to the specified fileserver.
- */
-static int afs_create_yfs_cm_token(struct sk_buff *challenge,
- struct afs_server *server)
-{
- const struct krb5_enctype *conn_krb5, *token_krb5;
- const struct krb5_buffer *token_key;
- struct crypto_aead *aead;
- struct scatterlist sg;
- struct afs_net *net = server->cell->net;
- const struct key *key = net->fs_cm_token_key;
- size_t keysize, uuidsize, authsize, toksize, encsize, contsize, adatasize, offset;
- __be32 caps[1] = {
- [0] = htonl(AFS_CAP_ERROR_TRANSLATION),
- };
- __be32 *xdr;
- void *appdata, *K0, *encbase;
- u32 enctype;
- int ret;
-
- if (!key)
- return -ENOKEY;
-
- /* Assume that the fileserver is happy to use the same encoding type as
- * we were told to use by the token obtained by the user.
- */
- enctype = rxgk_kernel_query_challenge(challenge);
-
- conn_krb5 = crypto_krb5_find_enctype(enctype);
- if (!conn_krb5)
- return -ENOPKG;
- token_krb5 = key->payload.data[0];
- token_key = (const struct krb5_buffer *)&key->payload.data[2];
-
- /* struct rxgk_key {
- * afs_uint32 enctype;
- * opaque key<>;
- * };
- */
- keysize = 4 + xdr_len_object(conn_krb5->key_len);
-
- /* struct RXGK_AuthName {
- * afs_int32 kind;
- * opaque data<AUTHDATAMAX>;
- * opaque display<AUTHPRINTABLEMAX>;
- * };
- */
- uuidsize = sizeof(server->uuid);
- authsize = 4 + xdr_len_object(uuidsize) + xdr_len_object(0);
-
- /* struct RXGK_Token {
- * rxgk_key K0;
- * RXGK_Level level;
- * rxgkTime starttime;
- * afs_int32 lifetime;
- * afs_int32 bytelife;
- * rxgkTime expirationtime;
- * struct RXGK_AuthName identities<>;
- * };
- */
- toksize = keysize + 8 + 4 + 4 + 8 + xdr_len_object(authsize);
-
- offset = 0;
- encsize = crypto_krb5_how_much_buffer(token_krb5, KRB5_ENCRYPT_MODE, toksize, &offset);
-
- /* struct RXGK_TokenContainer {
- * afs_int32 kvno;
- * afs_int32 enctype;
- * opaque encrypted_token<>;
- * };
- */
- contsize = 4 + 4 + xdr_len_object(encsize);
-
- /* struct YFSAppData {
- * opr_uuid initiatorUuid;
- * opr_uuid acceptorUuid;
- * Capabilities caps;
- * afs_int32 enctype;
- * opaque callbackKey<>;
- * opaque callbackToken<>;
- * };
- */
- adatasize = 16 + 16 +
- xdr_len_object(sizeof(caps)) +
- 4 +
- xdr_len_object(conn_krb5->key_len) +
- xdr_len_object(contsize);
-
- ret = -ENOMEM;
- appdata = kzalloc(adatasize, GFP_KERNEL);
- if (!appdata)
- goto out;
- xdr = appdata;
-
- memcpy(xdr, &net->uuid, 16); /* appdata.initiatorUuid */
- xdr += 16 / 4;
- memcpy(xdr, &server->uuid, 16); /* appdata.acceptorUuid */
- xdr += 16 / 4;
- *xdr++ = htonl(ARRAY_SIZE(caps)); /* appdata.caps.len */
- memcpy(xdr, &caps, sizeof(caps)); /* appdata.caps */
- xdr += ARRAY_SIZE(caps);
- *xdr++ = htonl(conn_krb5->etype); /* appdata.enctype */
-
- *xdr++ = htonl(conn_krb5->key_len); /* appdata.callbackKey.len */
- K0 = xdr;
- get_random_bytes(K0, conn_krb5->key_len); /* appdata.callbackKey.data */
- xdr += xdr_round_up(conn_krb5->key_len) / 4;
-
- *xdr++ = htonl(contsize); /* appdata.callbackToken.len */
- *xdr++ = htonl(1); /* cont.kvno */
- *xdr++ = htonl(token_krb5->etype); /* cont.enctype */
- *xdr++ = htonl(encsize); /* cont.encrypted_token.len */
-
- encbase = xdr;
- xdr += offset / 4;
- *xdr++ = htonl(conn_krb5->etype); /* token.K0.enctype */
- *xdr++ = htonl(conn_krb5->key_len); /* token.K0.key.len */
- memcpy(xdr, K0, conn_krb5->key_len); /* token.K0.key.data */
- xdr += xdr_round_up(conn_krb5->key_len) / 4;
-
- *xdr++ = htonl(RXRPC_SECURITY_ENCRYPT); /* token.level */
- *xdr++ = htonl(0); /* token.starttime */
- *xdr++ = htonl(0); /* " */
- *xdr++ = htonl(0); /* token.lifetime */
- *xdr++ = htonl(0); /* token.bytelife */
- *xdr++ = htonl(0); /* token.expirationtime */
- *xdr++ = htonl(0); /* " */
- *xdr++ = htonl(1); /* token.identities.count */
- *xdr++ = htonl(0); /* token.identities[0].kind */
- *xdr++ = htonl(uuidsize); /* token.identities[0].data.len */
- memcpy(xdr, &server->uuid, uuidsize);
- xdr += xdr_round_up(uuidsize) / 4;
- *xdr++ = htonl(0); /* token.identities[0].display.len */
-
- xdr = encbase + xdr_round_up(encsize);
-
- if ((unsigned long)xdr - (unsigned long)appdata != adatasize)
- pr_err("Appdata size incorrect %lx != %zx\n",
- (unsigned long)xdr - (unsigned long)appdata, adatasize);
-
- aead = crypto_krb5_prepare_encryption(token_krb5, token_key, RXGK_SERVER_ENC_TOKEN,
- GFP_KERNEL);
- if (IS_ERR(aead)) {
- ret = PTR_ERR(aead);
- goto out_token;
- }
-
- sg_init_one(&sg, encbase, encsize);
- ret = crypto_krb5_encrypt(token_krb5, aead, &sg, 1, encsize, offset, toksize, false);
- if (ret < 0)
- goto out_aead;
-
- server->cm_rxgk_appdata.len = adatasize;
- server->cm_rxgk_appdata.data = appdata;
- appdata = NULL;
-
-out_aead:
- crypto_free_aead(aead);
-out_token:
- kfree(appdata);
-out:
- return ret;
-}
#endif /* CONFIG_RXGK */
diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index 228c7012013d..3d0193ea255b 100644
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -282,7 +282,6 @@ struct afs_net {
struct socket *socket;
struct afs_call *spare_incoming_call;
struct work_struct charge_preallocation_work;
- struct work_struct rx_oob_work;
struct mutex socket_mutex;
atomic_t nr_outstanding_calls;
atomic_t nr_superblocks;
@@ -546,7 +545,6 @@ struct afs_server {
struct work_struct destroyer; /* Work item to try and destroy a server */
struct timer_list timer; /* Management timer */
struct mutex cm_token_lock; /* Lock governing creation of appdata */
- struct krb5_buffer cm_rxgk_appdata; /* Appdata to be included in RESPONSE packet */
struct key *yfs_rxgk_appdata; /* Appdata to be included in RESPONSE packet */
time64_t unuse_time; /* Time at which last unused */
unsigned long flags;
@@ -1091,7 +1089,6 @@ extern bool afs_cm_incoming_call(struct afs_call *);
* cm_security.c
*/
int afs_create_server_appdata(struct afs_server *server, struct key *key);
-void afs_process_oob_queue(struct work_struct *work);
#ifdef CONFIG_RXGK
int afs_create_token_key(struct afs_net *net, struct socket *socket);
#else
diff --git a/fs/afs/main.c b/fs/afs/main.c
index 7a883c59976f..6353feaa5fb4 100644
--- a/fs/afs/main.c
+++ b/fs/afs/main.c
@@ -73,7 +73,6 @@ static int __net_init afs_net_init(struct net *net_ns)
generate_random_uuid((unsigned char *)&net->uuid);
INIT_WORK(&net->charge_preallocation_work, afs_charge_preallocation);
- INIT_WORK(&net->rx_oob_work, afs_process_oob_queue);
mutex_init(&net->socket_mutex);
net->cells = RB_ROOT;
diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c
index 1a110448dbdb..4f6d699b5d22 100644
--- a/fs/afs/rxrpc.c
+++ b/fs/afs/rxrpc.c
@@ -25,14 +25,12 @@ static void afs_process_async_call(struct work_struct *);
static void afs_rx_new_call(struct sock *, struct rxrpc_call *, unsigned long);
static void afs_rx_discard_new_call(struct rxrpc_call *, unsigned long);
static void afs_rx_attach(struct rxrpc_call *rxcall, unsigned long user_call_ID);
-static void afs_rx_notify_oob(struct sock *sk, struct sk_buff *oob);
static int afs_deliver_cm_op_id(struct afs_call *);
static const struct rxrpc_kernel_ops afs_rxrpc_callback_ops = {
.notify_new_call = afs_rx_new_call,
.discard_new_call = afs_rx_discard_new_call,
.user_attach_call = afs_rx_attach,
- .notify_oob = afs_rx_notify_oob,
};
/* asynchronous incoming call initial processing */
@@ -74,10 +72,6 @@ int afs_open_socket(struct afs_net *net)
if (ret < 0)
goto error_2;
- ret = rxrpc_sock_set_manage_response(socket->sk, true);
- if (ret < 0)
- goto error_2;
-
ret = afs_create_token_key(net, socket);
if (ret < 0)
pr_err("Couldn't create RxGK CM key: %d\n", ret);
@@ -128,7 +122,6 @@ void afs_close_socket(struct afs_net *net)
_enter("");
cancel_work_sync(&net->charge_preallocation_work);
- cancel_work_sync(&net->rx_oob_work);
/* Future work items should now see ->live is false. */
kernel_listen(net->socket, 0);
@@ -149,7 +142,6 @@ void afs_close_socket(struct afs_net *net)
kernel_sock_shutdown(net->socket, SHUT_RDWR);
flush_workqueue(afs_async_calls);
- cancel_work_sync(&net->rx_oob_work);
net->socket->sk->sk_user_data = NULL;
sock_release(net->socket);
key_put(net->fs_cm_token_key);
@@ -963,14 +955,3 @@ noinline int afs_protocol_error(struct afs_call *call,
call->unmarshalling_error = true;
return -EBADMSG;
}
-
-/*
- * Wake up OOB notification processing.
- */
-static void afs_rx_notify_oob(struct sock *sk, struct sk_buff *oob)
-{
- struct afs_net *net = sk->sk_user_data;
-
- if (READ_ONCE(net->live))
- queue_work(afs_wq, &net->rx_oob_work);
-}
diff --git a/fs/afs/server.c b/fs/afs/server.c
index b08d9080b0c5..4c3a7bd0f7d8 100644
--- a/fs/afs/server.c
+++ b/fs/afs/server.c
@@ -398,7 +398,6 @@ static void afs_server_rcu(struct rcu_head *rcu)
afs_put_endpoint_state(rcu_access_pointer(server->endpoint_state),
afs_estate_trace_put_server);
afs_put_cell(server->cell, afs_cell_trace_put_server);
- kfree(server->cm_rxgk_appdata.data);
key_put(server->yfs_rxgk_appdata);
kfree(server);
}
diff --git a/include/net/af_rxrpc.h b/include/net/af_rxrpc.h
index 19c61a2f5af3..a9b8e1ba67ef 100644
--- a/include/net/af_rxrpc.h
+++ b/include/net/af_rxrpc.h
@@ -92,24 +92,6 @@ bool rxrpc_kernel_check_life(const struct socket *, const struct rxrpc_call *);
int rxrpc_sock_set_min_security_level(struct sock *sk, unsigned int val);
int rxrpc_sock_set_security_keyring(struct sock *, struct key *);
-int rxrpc_sock_set_manage_response(struct sock *sk, bool set);
-
-enum rxrpc_oob_type rxrpc_kernel_query_oob(struct sk_buff *oob,
- struct rxrpc_peer **_peer,
- unsigned long *_peer_appdata);
-struct sk_buff *rxrpc_kernel_dequeue_oob(struct socket *sock,
- enum rxrpc_oob_type *_type);
-void rxrpc_kernel_free_oob(struct sk_buff *oob);
-void rxrpc_kernel_query_challenge(struct sk_buff *challenge,
- struct rxrpc_peer **_peer,
- unsigned long *_peer_appdata,
- u16 *_service_id, u8 *_security_index);
-int rxrpc_kernel_reject_challenge(struct sk_buff *challenge, u32 abort_code,
- int error, enum rxrpc_abort_reason why);
-int rxkad_kernel_respond_to_challenge(struct sk_buff *challenge);
-u32 rxgk_kernel_query_challenge(struct sk_buff *challenge);
-int rxgk_kernel_respond_to_challenge(struct sk_buff *challenge,
- struct krb5_buffer *appdata);
void rxrpc_kernel_query_key(const struct key *key, u8 *_security_index,
u32 *_krb5_enctype);
u8 rxrpc_kernel_query_call_security(struct rxrpc_call *call,
diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
index d7c7b04d69fc..45e4550a18ed 100644
--- a/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -263,7 +263,6 @@
EM(rxrpc_conn_free, "FREE ") \
EM(rxrpc_conn_get_activate_call, "GET act-call") \
EM(rxrpc_conn_get_call_input, "GET inp-call") \
- EM(rxrpc_conn_get_challenge_input, "GET inp-chal") \
EM(rxrpc_conn_get_conn_input, "GET inp-conn") \
EM(rxrpc_conn_get_idle, "GET idle ") \
EM(rxrpc_conn_get_poke_abort, "GET pk-abort") \
@@ -275,7 +274,6 @@
EM(rxrpc_conn_new_service, "NEW service ") \
EM(rxrpc_conn_put_call, "PUT call ") \
EM(rxrpc_conn_put_call_input, "PUT inp-call") \
- EM(rxrpc_conn_put_challenge_input, "PUT inp-chal") \
EM(rxrpc_conn_put_conn_input, "PUT inp-conn") \
EM(rxrpc_conn_put_discard_idle, "PUT disc-idl") \
EM(rxrpc_conn_put_local_dead, "PUT loc-dead") \
diff --git a/include/uapi/linux/rxrpc.h b/include/uapi/linux/rxrpc.h
index bcdfdf9c67a1..7d6a50151931 100644
--- a/include/uapi/linux/rxrpc.h
+++ b/include/uapi/linux/rxrpc.h
@@ -58,11 +58,6 @@ enum rxrpc_cmsg_type {
RXRPC_TX_LENGTH = 12, /* -s-: Total length of Tx data */
RXRPC_SET_CALL_TIMEOUT = 13, /* -s-: Set one or more call timeouts */
RXRPC_CHARGE_ACCEPT = 14, /* Ss-: Charge the accept pool with a user call ID */
- RXRPC_OOB_ID = 15, /* -sr: OOB message ID */
- RXRPC_CHALLENGED = 16, /* C-r: Info on a received CHALLENGE */
- RXRPC_RESPOND = 17, /* Cs-: Respond to a challenge */
- RXRPC_RESPONDED = 18, /* S-r: Data received in RESPONSE */
- RXRPC_RESP_RXGK_APPDATA = 19, /* Cs-: RESPONSE: RxGK app data to include */
RXRPC_RESPONSE_APPDATA = 20, /* Cs-: User key holding app data for RESPONSE */
RXRPC__SUPPORTED
};
diff --git a/net/rxrpc/Makefile b/net/rxrpc/Makefile
index f994f9f30a29..f7a5e0a592ee 100644
--- a/net/rxrpc/Makefile
+++ b/net/rxrpc/Makefile
@@ -24,7 +24,6 @@ rxrpc-y := \
local_object.o \
misc.o \
net_ns.o \
- oob.o \
output.o \
peer_event.o \
peer_object.o \
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index 9eb6ca3c5ebf..9d5ce1c7ad0d 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -633,7 +633,7 @@ static int rxrpc_setsockopt(struct socket *sock, int level, int optname,
sockptr_t optval, unsigned int optlen)
{
struct rxrpc_sock *rx = rxrpc_sk(sock->sk);
- unsigned int min_sec_level, val;
+ unsigned int min_sec_level;
u16 service_upgrade[2];
int ret;
@@ -710,23 +710,7 @@ static int rxrpc_setsockopt(struct socket *sock, int level, int optname,
case RXRPC_MANAGE_RESPONSE:
ret = -EINVAL;
- if (optlen != sizeof(unsigned int))
- goto error;
- ret = -EISCONN;
- if (rx->sk.sk_state != RXRPC_UNBOUND)
- goto error;
- ret = copy_safe_from_sockptr(&val, sizeof(val),
- optval, optlen);
- if (ret)
- goto error;
- ret = -EINVAL;
- if (val > 1)
- goto error;
- if (val)
- set_bit(RXRPC_SOCK_MANAGE_RESPONSE, &rx->flags);
- else
- clear_bit(RXRPC_SOCK_MANAGE_RESPONSE, &rx->flags);
- goto success;
+ goto error;
default:
break;
@@ -835,8 +819,6 @@ static int rxrpc_create(struct net *net, struct socket *sock, int protocol,
rx->calls = RB_ROOT;
spin_lock_init(&rx->incoming_lock);
- skb_queue_head_init(&rx->recvmsg_oobq);
- rx->pending_oobq = RB_ROOT;
INIT_LIST_HEAD(&rx->sock_calls);
INIT_LIST_HEAD(&rx->to_be_accepted);
INIT_LIST_HEAD(&rx->recvmsg_q);
@@ -884,23 +866,6 @@ static int rxrpc_shutdown(struct socket *sock, int flags)
return ret;
}
-/*
- * Purge the out-of-band queue.
- */
-static void rxrpc_purge_oob_queue(struct sock *sk)
-{
- struct rxrpc_sock *rx = rxrpc_sk(sk);
- struct sk_buff *skb;
-
- while ((skb = skb_dequeue(&rx->recvmsg_oobq)))
- rxrpc_kernel_free_oob(skb);
- while (!RB_EMPTY_ROOT(&rx->pending_oobq)) {
- skb = rb_entry(rx->pending_oobq.rb_node, struct sk_buff, rbnode);
- rb_erase(&skb->rbnode, &rx->pending_oobq);
- rxrpc_kernel_free_oob(skb);
- }
-}
-
/*
* RxRPC socket destructor
*/
@@ -908,7 +873,6 @@ static void rxrpc_sock_destructor(struct sock *sk)
{
_enter("%p", sk);
- rxrpc_purge_oob_queue(sk);
rxrpc_purge_queue(&sk->sk_receive_queue);
WARN_ON(refcount_read(&sk->sk_wmem_alloc));
@@ -961,7 +925,6 @@ static int rxrpc_release_sock(struct sock *sk)
rxrpc_discard_prealloc(rx);
rxrpc_release_calls_on_socket(rx);
flush_workqueue(rxrpc_workqueue);
- rxrpc_purge_oob_queue(sk);
rxrpc_purge_queue(&sk->sk_receive_queue);
rxrpc_unuse_local(rx->local, rxrpc_local_unuse_release_sock);
diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index 20c10428a50e..1c6f4a279034 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -171,9 +171,6 @@ struct rxrpc_sock {
const struct rxrpc_kernel_ops *app_ops; /* Table of kernel app notification funcs */
struct rxrpc_local *local; /* local endpoint */
struct rxrpc_backlog *backlog; /* Preallocation for services */
- struct sk_buff_head recvmsg_oobq; /* OOB messages for recvmsg to pick up */
- struct rb_root pending_oobq; /* OOB messages awaiting userspace to respond to */
- u64 oob_id_counter; /* OOB message ID counter */
spinlock_t incoming_lock; /* Incoming call vs service shutdown lock */
struct list_head sock_calls; /* List of calls owned by this socket */
struct list_head to_be_accepted; /* calls awaiting acceptance */
@@ -184,7 +181,6 @@ struct rxrpc_sock {
struct rb_root calls; /* User ID -> call mapping */
unsigned long flags;
#define RXRPC_SOCK_CONNECTED 0 /* connect_srx is set */
-#define RXRPC_SOCK_MANAGE_RESPONSE 1 /* User wants to manage RESPONSE packets */
rwlock_t call_lock; /* lock for calls */
u32 min_sec_level; /* minimum security level */
#define RXRPC_SECURITY_MAX RXRPC_SECURITY_ENCRYPT
@@ -241,7 +237,6 @@ struct rxrpc_skb_priv {
u8 reason; /* Reason for ack */
} ack;
struct {
- struct rxrpc_connection *conn; /* Connection referred to */
union {
u32 rxkad_nonce;
};
@@ -310,13 +305,6 @@ struct rxrpc_security {
bool (*validate_challenge)(struct rxrpc_connection *conn,
struct sk_buff *skb);
- /* Fill out the cmsg for recvmsg() to pass on a challenge to userspace.
- * The security class gets to add additional information.
- */
- int (*challenge_to_recvmsg)(struct rxrpc_connection *conn,
- struct sk_buff *challenge,
- struct msghdr *msg);
-
/* Parse sendmsg() control message and respond to challenge. */
int (*sendmsg_respond_to_challenge)(struct sk_buff *challenge,
struct msghdr *msg);
@@ -1379,13 +1367,6 @@ static inline struct rxrpc_net *rxrpc_net(struct net *net)
return net_generic(net, rxrpc_net_id);
}
-/*
- * oob.c
- */
-bool rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb);
-void rxrpc_add_pending_oob(struct rxrpc_sock *rx, struct sk_buff *skb);
-int rxrpc_sendmsg_oob(struct rxrpc_sock *rx, struct msghdr *msg, size_t len);
-
/*
* output.c
*/
diff --git a/net/rxrpc/oob.c b/net/rxrpc/oob.c
deleted file mode 100644
index c80ee2487d09..000000000000
--- a/net/rxrpc/oob.c
+++ /dev/null
@@ -1,387 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-or-later
-/* Out of band message handling (e.g. challenge-response)
- *
- * Copyright (C) 2025 Red Hat, Inc. All Rights Reserved.
- * Written by David Howells (dhowells@redhat.com)
- */
-
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-
-#include <linux/net.h>
-#include <linux/gfp.h>
-#include <linux/skbuff.h>
-#include <linux/export.h>
-#include <linux/sched/signal.h>
-#include <net/sock.h>
-#include <net/af_rxrpc.h>
-#include "ar-internal.h"
-
-enum rxrpc_oob_command {
- RXRPC_OOB_CMD_UNSET,
- RXRPC_OOB_CMD_RESPOND,
-} __mode(byte);
-
-struct rxrpc_oob_params {
- u64 oob_id; /* ID number of message if reply */
- s32 abort_code;
- enum rxrpc_oob_command command;
- bool have_oob_id:1;
-};
-
-/*
- * Post an out-of-band message for attention by the socket or kernel service
- * associated with a reference call.
- */
-bool rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb)
-{
- struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
- struct rxrpc_sock *rx;
- struct sock *sk;
- bool queued = false;
-
- rcu_read_lock();
-
- rx = rcu_dereference(call->socket);
- if (rx) {
- sk = &rx->sk;
- spin_lock_irq(&rx->recvmsg_lock);
-
- if (sk->sk_state < RXRPC_CLOSE) {
- skb->skb_mstamp_ns = rx->oob_id_counter++;
- rxrpc_get_skb(skb, rxrpc_skb_get_post_oob);
- skb_queue_tail(&rx->recvmsg_oobq, skb);
- queued = true;
-
- trace_rxrpc_notify_socket(call->debug_id, sp->hdr.serial);
- if (rx->app_ops)
- rx->app_ops->notify_oob(sk, skb);
- }
-
- spin_unlock_irq(&rx->recvmsg_lock);
- if (queued && !rx->app_ops && !sock_flag(sk, SOCK_DEAD))
- sk->sk_data_ready(sk);
- }
-
- rcu_read_unlock();
- return queued;
-}
-
-/*
- * Locate the OOB message to respond to by its ID.
- */
-static struct sk_buff *rxrpc_find_pending_oob(struct rxrpc_sock *rx, u64 oob_id)
-{
- struct rb_node *p;
- struct sk_buff *skb;
-
- p = rx->pending_oobq.rb_node;
- while (p) {
- skb = rb_entry(p, struct sk_buff, rbnode);
-
- if (oob_id < skb->skb_mstamp_ns)
- p = p->rb_left;
- else if (oob_id > skb->skb_mstamp_ns)
- p = p->rb_right;
- else
- return skb;
- }
-
- return NULL;
-}
-
-/*
- * Add an OOB message into the pending-response set. We always assign the next
- * value from a 64-bit counter to the oob_id, so just assume we're always going
- * to be on the right-hand edge of the tree and that the counter won't wrap.
- * The tree is also given a ref to the message.
- */
-void rxrpc_add_pending_oob(struct rxrpc_sock *rx, struct sk_buff *skb)
-{
- struct rb_node **pp = &rx->pending_oobq.rb_node, *p = NULL;
-
- while (*pp) {
- p = *pp;
- pp = &(*pp)->rb_right;
- }
-
- rb_link_node(&skb->rbnode, p, pp);
- rb_insert_color(&skb->rbnode, &rx->pending_oobq);
-}
-
-/*
- * Extract control messages from the sendmsg() control buffer.
- */
-static int rxrpc_sendmsg_oob_cmsg(struct msghdr *msg, struct rxrpc_oob_params *p)
-{
- struct cmsghdr *cmsg;
- int len;
-
- if (msg->msg_controllen == 0)
- return -EINVAL;
-
- for_each_cmsghdr(cmsg, msg) {
- if (!CMSG_OK(msg, cmsg))
- return -EINVAL;
-
- len = cmsg->cmsg_len - sizeof(struct cmsghdr);
- _debug("CMSG %d, %d, %d",
- cmsg->cmsg_level, cmsg->cmsg_type, len);
-
- if (cmsg->cmsg_level != SOL_RXRPC)
- continue;
-
- switch (cmsg->cmsg_type) {
- case RXRPC_OOB_ID:
- if (len != sizeof(p->oob_id) || p->have_oob_id)
- return -EINVAL;
- memcpy(&p->oob_id, CMSG_DATA(cmsg), sizeof(p->oob_id));
- p->have_oob_id = true;
- break;
- case RXRPC_RESPOND:
- if (p->command != RXRPC_OOB_CMD_UNSET)
- return -EINVAL;
- p->command = RXRPC_OOB_CMD_RESPOND;
- break;
- case RXRPC_ABORT:
- if (len != sizeof(p->abort_code) || p->abort_code)
- return -EINVAL;
- memcpy(&p->abort_code, CMSG_DATA(cmsg), sizeof(p->abort_code));
- if (p->abort_code == 0)
- return -EINVAL;
- break;
- case RXRPC_RESP_RXGK_APPDATA:
- if (p->command != RXRPC_OOB_CMD_RESPOND)
- return -EINVAL;
- break;
- default:
- return -EINVAL;
- }
- }
-
- switch (p->command) {
- case RXRPC_OOB_CMD_RESPOND:
- if (!p->have_oob_id)
- return -EBADSLT;
- break;
- default:
- return -EINVAL;
- }
-
- return 0;
-}
-
-/*
- * Allow userspace to respond to an OOB using sendmsg().
- */
-static int rxrpc_respond_to_oob(struct rxrpc_sock *rx,
- struct rxrpc_oob_params *p,
- struct msghdr *msg)
-{
- struct rxrpc_connection *conn;
- struct rxrpc_skb_priv *sp;
- struct sk_buff *skb;
- int ret;
-
- skb = rxrpc_find_pending_oob(rx, p->oob_id);
- if (skb)
- rb_erase(&skb->rbnode, &rx->pending_oobq);
- release_sock(&rx->sk);
- if (!skb)
- return -EBADSLT;
-
- sp = rxrpc_skb(skb);
-
- switch (p->command) {
- case RXRPC_OOB_CMD_RESPOND:
- ret = -EPROTO;
- if (skb->mark != RXRPC_OOB_CHALLENGE)
- break;
- conn = sp->chall.conn;
- ret = -EOPNOTSUPP;
- if (!conn->security->sendmsg_respond_to_challenge)
- break;
- if (p->abort_code) {
- rxrpc_abort_conn(conn, NULL, p->abort_code, -ECONNABORTED,
- rxrpc_abort_response_sendmsg);
- ret = 0;
- } else {
- ret = conn->security->sendmsg_respond_to_challenge(skb, msg);
- }
- break;
- default:
- ret = -EINVAL;
- break;
- }
-
- switch (skb->mark) {
- case RXRPC_OOB_CHALLENGE:
- rxrpc_put_connection(sp->chall.conn, rxrpc_conn_put_oob);
- break;
- }
- rxrpc_free_skb(skb, rxrpc_skb_put_oob);
- return ret;
-}
-
-/*
- * Send an out-of-band message or respond to a received out-of-band message.
- * - caller gives us the socket lock
- * - the socket may be either a client socket or a server socket
- */
-int rxrpc_sendmsg_oob(struct rxrpc_sock *rx, struct msghdr *msg, size_t len)
-{
- struct rxrpc_oob_params p = {};
- int ret;
-
- _enter("");
-
- ret = rxrpc_sendmsg_oob_cmsg(msg, &p);
- if (ret < 0)
- goto error_release_sock;
-
- if (p.have_oob_id)
- return rxrpc_respond_to_oob(rx, &p, msg);
-
- release_sock(&rx->sk);
-
- switch (p.command) {
- default:
- ret = -EINVAL;
- break;
- }
-
- _leave(" = %d", ret);
- return ret;
-
-error_release_sock:
- release_sock(&rx->sk);
- return ret;
-}
-
-/**
- * rxrpc_kernel_query_oob - Query the parameters of an out-of-band message
- * @oob: The message to query
- * @_peer: Where to return the peer record
- * @_peer_appdata: The application data attached to a peer record
- *
- * Extract useful parameters from an out-of-band message. The source peer
- * parameters are returned through the argument list and the message type is
- * returned.
- *
- * Return:
- * * %RXRPC_OOB_CHALLENGE - Challenge wanting a response.
- */
-enum rxrpc_oob_type rxrpc_kernel_query_oob(struct sk_buff *oob,
- struct rxrpc_peer **_peer,
- unsigned long *_peer_appdata)
-{
- struct rxrpc_skb_priv *sp = rxrpc_skb(oob);
- enum rxrpc_oob_type type = oob->mark;
-
- switch (type) {
- case RXRPC_OOB_CHALLENGE:
- *_peer = sp->chall.conn->peer;
- *_peer_appdata = sp->chall.conn->peer->app_data;
- break;
- default:
- WARN_ON_ONCE(1);
- *_peer = NULL;
- *_peer_appdata = 0;
- break;
- }
-
- return type;
-}
-EXPORT_SYMBOL(rxrpc_kernel_query_oob);
-
-/**
- * rxrpc_kernel_dequeue_oob - Dequeue and return the front OOB message
- * @sock: The socket to query
- * @_type: Where to return the message type
- *
- * Dequeue the front OOB message, if there is one, and return it and
- * its type.
- *
- * Return: The sk_buff representing the OOB message or %NULL if the queue was
- * empty.
- */
-struct sk_buff *rxrpc_kernel_dequeue_oob(struct socket *sock,
- enum rxrpc_oob_type *_type)
-{
- struct rxrpc_sock *rx = rxrpc_sk(sock->sk);
- struct sk_buff *oob;
-
- oob = skb_dequeue(&rx->recvmsg_oobq);
- if (oob)
- *_type = oob->mark;
- return oob;
-}
-EXPORT_SYMBOL(rxrpc_kernel_dequeue_oob);
-
-/**
- * rxrpc_kernel_free_oob - Free an out-of-band message
- * @oob: The OOB message to free
- *
- * Free an OOB message along with any resources it holds.
- */
-void rxrpc_kernel_free_oob(struct sk_buff *oob)
-{
- struct rxrpc_skb_priv *sp = rxrpc_skb(oob);
-
- switch (oob->mark) {
- case RXRPC_OOB_CHALLENGE:
- rxrpc_put_connection(sp->chall.conn, rxrpc_conn_put_oob);
- break;
- }
-
- rxrpc_free_skb(oob, rxrpc_skb_put_purge_oob);
-}
-EXPORT_SYMBOL(rxrpc_kernel_free_oob);
-
-/**
- * rxrpc_kernel_query_challenge - Query the parameters of a challenge
- * @challenge: The challenge to query
- * @_peer: Where to return the peer record
- * @_peer_appdata: The application data attached to a peer record
- * @_service_id: Where to return the connection service ID
- * @_security_index: Where to return the connection security index
- *
- * Extract useful parameters from a CHALLENGE message.
- */
-void rxrpc_kernel_query_challenge(struct sk_buff *challenge,
- struct rxrpc_peer **_peer,
- unsigned long *_peer_appdata,
- u16 *_service_id, u8 *_security_index)
-{
- struct rxrpc_skb_priv *sp = rxrpc_skb(challenge);
-
- *_peer = sp->chall.conn->peer;
- *_peer_appdata = sp->chall.conn->peer->app_data;
- *_service_id = sp->hdr.serviceId;
- *_security_index = sp->hdr.securityIndex;
-}
-EXPORT_SYMBOL(rxrpc_kernel_query_challenge);
-
-/**
- * rxrpc_kernel_reject_challenge - Allow a kernel service to reject a challenge
- * @challenge: The challenge to be rejected
- * @abort_code: The abort code to stick into the ABORT packet
- * @error: Local error value
- * @why: Indication as to why.
- *
- * Allow a kernel service to reject a challenge by aborting the connection if
- * it's still in an abortable state. The error is returned so this function
- * can be used with a return statement.
- *
- * Return: The %error parameter.
- */
-int rxrpc_kernel_reject_challenge(struct sk_buff *challenge, u32 abort_code,
- int error, enum rxrpc_abort_reason why)
-{
- struct rxrpc_skb_priv *sp = rxrpc_skb(challenge);
-
- _enter("{%x},%d,%d,%u", sp->hdr.serial, abort_code, error, why);
-
- rxrpc_abort_conn(sp->chall.conn, NULL, abort_code, error, why);
- return error;
-}
-EXPORT_SYMBOL(rxrpc_kernel_reject_challenge);
diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c
index 33577522ec02..5b8c7f573b7f 100644
--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -201,61 +201,6 @@ static int rxrpc_recvmsg_user_id(struct rxrpc_call *call, struct msghdr *msg,
}
}
-/*
- * Deal with a CHALLENGE packet.
- */
-static int rxrpc_recvmsg_challenge(struct socket *sock, struct msghdr *msg,
- struct sk_buff *challenge, unsigned int flags)
-{
- struct rxrpc_skb_priv *sp = rxrpc_skb(challenge);
- struct rxrpc_connection *conn = sp->chall.conn;
-
- return conn->security->challenge_to_recvmsg(conn, challenge, msg);
-}
-
-/*
- * Process OOB packets. Called with the socket locked.
- */
-static int rxrpc_recvmsg_oob(struct socket *sock, struct msghdr *msg,
- unsigned int flags)
-{
- struct rxrpc_sock *rx = rxrpc_sk(sock->sk);
- struct sk_buff *skb;
- bool need_response = false;
- int ret;
-
- skb = skb_peek(&rx->recvmsg_oobq);
- if (!skb)
- return -EAGAIN;
- rxrpc_see_skb(skb, rxrpc_skb_see_recvmsg);
-
- ret = put_cmsg(msg, SOL_RXRPC, RXRPC_OOB_ID, sizeof(u64),
- &skb->skb_mstamp_ns);
- if (ret < 0)
- return ret;
-
- switch ((enum rxrpc_oob_type)skb->mark) {
- case RXRPC_OOB_CHALLENGE:
- need_response = true;
- ret = rxrpc_recvmsg_challenge(sock, msg, skb, flags);
- break;
- default:
- WARN_ONCE(1, "recvmsg() can't process unknown OOB type %u\n",
- skb->mark);
- ret = -EIO;
- break;
- }
-
- if (!(flags & MSG_PEEK)) {
- skb_unlink(skb, &rx->recvmsg_oobq);
- if (need_response)
- rxrpc_add_pending_oob(rx, skb);
- else
- rxrpc_free_skb(skb, rxrpc_skb_put_oob);
- }
- return ret;
-}
-
/*
* Deliver messages to a call. This keeps processing packets until the buffer
* is filled and we find either more DATA (returns 0) or the end of the DATA
@@ -267,7 +212,6 @@ static int rxrpc_recvmsg_data(struct socket *sock, struct rxrpc_call *call,
size_t len, int flags, size_t *_offset)
{
struct rxrpc_skb_priv *sp;
- struct rxrpc_sock *rx = rxrpc_sk(sock->sk);
struct sk_buff *skb;
rxrpc_seq_t seq = 0;
size_t remain;
@@ -362,13 +306,6 @@ static int rxrpc_recvmsg_data(struct socket *sock, struct rxrpc_call *call,
if (!(flags & MSG_PEEK))
rxrpc_rotate_rx_window(call);
-
- if (!rx->app_ops &&
- !skb_queue_empty_lockless(&rx->recvmsg_oobq)) {
- trace_rxrpc_recvdata(call, rxrpc_recvmsg_oobq, seq,
- rx_pkt_offset, rx_pkt_len, ret);
- break;
- }
}
out:
@@ -416,14 +353,12 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
/* Return immediately if a client socket has no outstanding calls */
if (RB_EMPTY_ROOT(&rx->calls) &&
list_empty(&rx->recvmsg_q) &&
- skb_queue_empty_lockless(&rx->recvmsg_oobq) &&
rx->sk.sk_state != RXRPC_SERVER_LISTENING) {
release_sock(&rx->sk);
return -EAGAIN;
}
- if (list_empty(&rx->recvmsg_q) &&
- skb_queue_empty_lockless(&rx->recvmsg_oobq)) {
+ if (list_empty(&rx->recvmsg_q)) {
ret = -EWOULDBLOCK;
if (timeo == 0) {
call = NULL;
@@ -439,8 +374,7 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
if (ret)
goto wait_error;
- if (list_empty(&rx->recvmsg_q) &&
- skb_queue_empty_lockless(&rx->recvmsg_oobq)) {
+ if (list_empty(&rx->recvmsg_q)) {
if (signal_pending(current))
goto wait_interrupted;
trace_rxrpc_recvmsg(0, rxrpc_recvmsg_wait, 0);
@@ -450,15 +384,6 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
goto try_again;
}
- /* Deal with OOB messages before we consider getting normal data. */
- if (!skb_queue_empty_lockless(&rx->recvmsg_oobq)) {
- ret = rxrpc_recvmsg_oob(sock, msg, flags);
- release_sock(&rx->sk);
- if (ret == -EAGAIN)
- goto try_again;
- goto error_trace;
- }
-
/* Find the next call and dequeue it if we're not just peeking. If we
* do dequeue it, that comes with a ref that we will need to release.
* We also want to weed out calls that got requeued whilst we were
@@ -469,8 +394,7 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
call = list_entry(l, struct rxrpc_call, recvmsg_link);
if (!rxrpc_call_is_complete(call) &&
- skb_queue_empty(&call->recvmsg_queue) &&
- skb_queue_empty(&rx->recvmsg_oobq)) {
+ skb_queue_empty(&call->recvmsg_queue)) {
list_del_init(&call->recvmsg_link);
spin_unlock_irq(&rx->recvmsg_lock);
release_sock(&rx->sk);
diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c
index f3e085b64502..b9efeec145dd 100644
--- a/net/rxrpc/rxgk.c
+++ b/net/rxrpc/rxgk.c
@@ -735,37 +735,6 @@ static bool rxgk_validate_challenge(struct rxrpc_connection *conn,
return true;
}
-/**
- * rxgk_kernel_query_challenge - Query RxGK-specific challenge parameters
- * @challenge: The challenge packet to query
- *
- * Return: The Kerberos 5 encoding type for the challenged connection.
- */
-u32 rxgk_kernel_query_challenge(struct sk_buff *challenge)
-{
- struct rxrpc_skb_priv *sp = rxrpc_skb(challenge);
-
- return sp->chall.conn->rxgk.enctype;
-}
-EXPORT_SYMBOL(rxgk_kernel_query_challenge);
-
-/*
- * Fill out the control message to pass to userspace to inform about the
- * challenge.
- */
-static int rxgk_challenge_to_recvmsg(struct rxrpc_connection *conn,
- struct sk_buff *challenge,
- struct msghdr *msg)
-{
- struct rxgk_challenge chall;
-
- chall.base.service_id = conn->service_id;
- chall.base.security_index = conn->security_ix;
- chall.enctype = conn->rxgk.enctype;
-
- return put_cmsg(msg, SOL_RXRPC, RXRPC_CHALLENGED, sizeof(chall), &chall);
-}
-
/*
* Insert the requisite amount of XDR padding for the length given.
*/
@@ -1044,46 +1013,6 @@ static int rxgk_respond_to_challenge(struct rxrpc_connection *conn,
return ret;
}
-/**
- * rxgk_kernel_respond_to_challenge - Respond to a challenge with appdata
- * @challenge: The challenge to respond to
- * @appdata: The application data to include in the RESPONSE authenticator
- *
- * Allow a kernel application to respond to a CHALLENGE with application data
- * to be included in the RxGK RESPONSE Authenticator.
- *
- * Return: %0 if successful and a negative error code otherwise.
- */
-int rxgk_kernel_respond_to_challenge(struct sk_buff *challenge,
- struct krb5_buffer *appdata)
-{
- return -EINVAL;
-}
-EXPORT_SYMBOL(rxgk_kernel_respond_to_challenge);
-
-/*
- * Parse sendmsg() control message and respond to challenge. We need to see if
- * there's an appdata to fish out.
- */
-static int rxgk_sendmsg_respond_to_challenge(struct sk_buff *challenge,
- struct msghdr *msg)
-{
- struct krb5_buffer appdata = {};
- struct cmsghdr *cmsg;
-
- for_each_cmsghdr(cmsg, msg) {
- if (cmsg->cmsg_level != SOL_RXRPC ||
- cmsg->cmsg_type != RXRPC_RESP_RXGK_APPDATA)
- continue;
- if (appdata.data)
- return -EINVAL;
- appdata.data = CMSG_DATA(cmsg);
- appdata.len = cmsg->cmsg_len - sizeof(struct cmsghdr);
- }
-
- return rxgk_kernel_respond_to_challenge(challenge, &appdata);
-}
-
/*
* Verify the authenticator.
*
@@ -1357,8 +1286,6 @@ const struct rxrpc_security rxgk_yfs = {
.free_call_crypto = rxgk_free_call_crypto,
.issue_challenge = rxgk_issue_challenge,
.validate_challenge = rxgk_validate_challenge,
- .challenge_to_recvmsg = rxgk_challenge_to_recvmsg,
- .sendmsg_respond_to_challenge = rxgk_sendmsg_respond_to_challenge,
.respond_to_challenge = rxgk_respond_to_challenge,
.verify_response = rxgk_verify_response,
.clear = rxgk_clear,
diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c
index ca9f0e82cb9a..e55bfca10e1a 100644
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -748,32 +748,6 @@ static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
return ret;
}
-/*
- * RxKAD does automatic response only as there's nothing to manage that isn't
- * already in the key.
- */
-static int rxkad_sendmsg_respond_to_challenge(struct sk_buff *challenge,
- struct msghdr *msg)
-{
- return -EINVAL;
-}
-
-/**
- * rxkad_kernel_respond_to_challenge - Respond to a challenge with appdata
- * @challenge: The challenge to respond to
- *
- * Allow a kernel application to respond to a CHALLENGE.
- *
- * Return: %0 if successful and a negative error code otherwise.
- */
-int rxkad_kernel_respond_to_challenge(struct sk_buff *challenge)
-{
- struct rxrpc_skb_priv *csp = rxrpc_skb(challenge);
-
- return rxkad_respond_to_challenge(csp->chall.conn, challenge);
-}
-EXPORT_SYMBOL(rxkad_kernel_respond_to_challenge);
-
/* Decrypt data in-place using DES-PCBC. @len must be a multiple of 8. */
VISIBLE_IF_KUNIT void des_pcbc_decrypt_inplace(const struct des_ctx *key,
__le64 iv, u8 *data, size_t len)
@@ -1134,7 +1108,6 @@ const struct rxrpc_security rxkad = {
.free_call_crypto = rxkad_free_call_crypto,
.issue_challenge = rxkad_issue_challenge,
.validate_challenge = rxkad_validate_challenge,
- .sendmsg_respond_to_challenge = rxkad_sendmsg_respond_to_challenge,
.respond_to_challenge = rxkad_respond_to_challenge,
.verify_response = rxkad_verify_response,
.clear = rxkad_clear,
diff --git a/net/rxrpc/server_key.c b/net/rxrpc/server_key.c
index 3efe104b1930..fc6f478e1762 100644
--- a/net/rxrpc/server_key.c
+++ b/net/rxrpc/server_key.c
@@ -173,43 +173,3 @@ int rxrpc_sock_set_security_keyring(struct sock *sk, struct key *keyring)
return ret;
}
EXPORT_SYMBOL(rxrpc_sock_set_security_keyring);
-
-/**
- * rxrpc_sock_set_manage_response - Set the manage-response flag for a kernel service
- * @sk: The socket to set the keyring on
- * @set: True to set, false to clear the flag
- *
- * Set the flag on an rxrpc socket to say that the caller wants to manage the
- * RESPONSE packet and the user-defined data it may contain. Setting this
- * means that recvmsg() will return messages with RXRPC_CHALLENGED in the
- * control message buffer containing information about the challenge.
- *
- * The user should respond to the challenge by passing RXRPC_RESPOND or
- * RXRPC_RESPOND_ABORT control messages with sendmsg() to the same call.
- * Supplementary control messages, such as RXRPC_RESP_RXGK_APPDATA, may be
- * included to indicate the parts the user wants to supply.
- *
- * The server will be passed the response data with a RXRPC_RESPONDED control
- * message when it gets the first data from each call.
- *
- * Note that this is only honoured by security classes that need auxiliary data
- * (e.g. RxGK). Those that don't offer the facility (e.g. RxKAD) respond
- * without consulting userspace.
- *
- * Return: The previous setting.
- */
-int rxrpc_sock_set_manage_response(struct sock *sk, bool set)
-{
- struct rxrpc_sock *rx = rxrpc_sk(sk);
- int ret;
-
- lock_sock(sk);
- ret = !!test_bit(RXRPC_SOCK_MANAGE_RESPONSE, &rx->flags);
- if (set)
- set_bit(RXRPC_SOCK_MANAGE_RESPONSE, &rx->flags);
- else
- clear_bit(RXRPC_SOCK_MANAGE_RESPONSE, &rx->flags);
- release_sock(sk);
- return ret;
-}
-EXPORT_SYMBOL(rxrpc_sock_set_manage_response);
^ permalink raw reply related [flat|nested] 17+ messages in thread
end of thread, other threads:[~2026-07-10 19:23 UTC | newest]
Thread overview: 17+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-10 19:22 [PATCH net v2 00/16] rxrpc: Fix CHALLENGE packet handling David Howells
2026-07-10 19:22 ` [PATCH net v2 01/16] afs: Fix NULL deref in afs_deliver_cb_init_call_back_state3() David Howells
2026-07-10 19:22 ` [PATCH net v2 02/16] rxrpc: Fix sendmsg to not return an error if last packet queued David Howells
2026-07-10 19:22 ` [PATCH net v2 03/16] afs: Fix UAF when sending a message David Howells
2026-07-10 19:22 ` [PATCH net v2 04/16] afs: Fix two delivery functions to pass back -EAGAIN David Howells
2026-07-10 19:22 ` [PATCH net v2 05/16] afs: Fix afs_fs_fetch_data() to set call->async David Howells
2026-07-10 19:22 ` [PATCH net v2 06/16] rxrpc: Fix packet encryption error handling David Howells
2026-07-10 19:22 ` [PATCH net v2 07/16] rxrpc: Fix update of call->tx_pending without holding lock David Howells
2026-07-10 19:22 ` [PATCH net v2 08/16] rxrpc: Fix generation of notifications after call completion David Howells
2026-07-10 19:22 ` [PATCH net v2 09/16] afs: Simplify call refcounting David Howells
2026-07-10 19:22 ` [PATCH net v2 10/16] afs: Make afs_put_call() take trace argument David Howells
2026-07-10 19:22 ` [PATCH net v2 11/16] afs: Fix UAF in afs_make_call() David Howells
2026-07-10 19:22 ` [PATCH net v2 12/16] keys: Add refcounting to user-defined key type payload David Howells
2026-07-10 19:22 ` [PATCH net v2 13/16] afs: Create a server appdata key David Howells
2026-07-10 19:22 ` [PATCH net v2 14/16] rxrpc: Pass appdata key to rxrpc_call and thence to rxrpc_bundle David Howells
2026-07-10 19:22 ` [PATCH net v2 15/16] rxrpc: Fix CHALLENGE packet overqueuing and simplify RESPONSE generation David Howells
2026-07-10 19:22 ` [PATCH net v2 16/16] rxrpc: Remove OOB challenge/response code David Howells
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox