From: David Howells <dhowells@redhat.com>
To: netdev@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH net v5 00/21] rxrpc: Miscellaneous fixes
Date: Wed, 8 Apr 2026 13:12:28 +0100
Message-ID: <20260408121252.2249051-1-dhowells@redhat.com>

Here are some fixes for rxrpc:

 (1) Fix key quota calculation.

 (2) Fix a memory leak.

 (3) Fix rxrpc_new_client_call_for_sendmsg() to substitute NULL for an
     empty key.

     Might want to remove this substitution entirely or handle it in
     rxrpc_init_client_call_security() instead.

 (4) Fix deletion of call->link to be RCU safe.

 (5) Fix missing bounds checks when parsing RxGK tickets.

 (6) Fix use of wrong skbuff to get challenge serial number.  Also actually
     substitute the newer response skbuff and release the older one.

 (7) Fix unexpected RACK timer warning to report old mode.

 (8) Fix call key refcount leak.

 (9) Fix the interaction of jumbograms with Tx window space, setting the
     request-ack flag when the window space is getting low, typically
     because each jumbogram takes a big bite out of the window and fewer UDP
     packets get traded.

(10) Don't call rxrpc_put_call() with a NULL pointer.

(11) Reject undecryptable rxkad response tickets by checking result of
     decryption.

(12) Fix buffer bounds calculation in the RESPONSE authenticator parser.

(13) Fix oversized response length check.

(14) Fix refcount leak on multiple setting of server keyring.

(15) Fix checks made by RXRPC_SECURITY_KEY and RXRPC_SECURITY_KEYRING (both
     should be allowed).

(16) Fix lack of result checking on calls to crypto_skcipher_en/decrypt().

(17) Fix token_len limit check in rxgk_verify_response().

(18) Fix rxgk context leak in rxgk_verify_response().

(19) Fix read beyond end of buffer in rxgk_do_verify_authenticator().

(20) Fix parsing of RESPONSE packet on a connection that has already been set
     from a prior response.

(21) Fix size of buffers used for rendering addresses into for procfiles.

David

The patches can be found here also:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-fixes

Changes
=======
ver #5)
 - AI review[2]:
 - Dropped patch to check rx->securities in rxrpc_setsockopt().
 - Changed patch to check rx->securities in rxrpc_server_keyring() to return
   error -EINVAL.
 - Added patch to check rx->key and rx->securities correctly.
 - Added patch to check return of crypto_skcipher_en/decrypt().
 - Added patch to check buf len in rxgk_do_verify_authenticator().
 - Imported a patch to fix parsing of RESPONSE packet in wrong state.
 - Imported a patch to fix size of address buffers in procfiles.

ver #4)
 - Got rid of the on_list()/on_list_rcu() patch.
 - Removed the list_del_init from rxrpc_destroy_all_calls().
 - Made the list_del_rcu() in rxrpc_put_call() unconditional.
 - Added four new patches.

ver #3)
 - Rename the dwc2's on_list() to dwc2_on_list() to free up the name.
 - Added a patch to fix the interaction of jumbograms with window space.

ver #2)
 - AI review[1]:
 - Added a patch to fix key quota calculation.
 - Added a patch to fix a memory leak.
 - Added a patch to use NULL instead of an empty key in rxrpc_sendmsg().
 - Added a patch to use RCU-safe deletion on call->link.
 - Modified the response packet selection patch to select the newer
   response when there's an older response - and to release the older
   response skbuff.
 - Move on_list_rcu() and add on_list().

Link: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com [1]
Link: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com [2]

Alok Tiwari (2):
  rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial
  rxrpc: Fix rack timer warning to report unexpected mode

Anderson Nascimento (1):
  rxrpc: Fix key reference count leak from call->key

David Howells (9):
  rxrpc: Fix key quota calculation for multitoken keys
  rxrpc: Fix key parsing memleak
  rxrpc: Fix anonymous key handling
  rxrpc: Fix call removal to use RCU safe deletion
  rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING)
  rxrpc: Fix missing error checks for rxkad encryption/decryption failure
  rxrpc: Fix integer overflow in rxgk_verify_response()
  rxrpc: Fix leak of rxgk context in rxgk_verify_response()
  rxrpc: Fix buffer overread in rxgk_do_verify_authenticator()

Douya Le (1):
  rxrpc: Only put the call ref if one was acquired

Keenan Dong (2):
  rxrpc: fix RESPONSE authenticator parser OOB read
  rxrpc: fix oversized RESPONSE authenticator length check

Luxiao Xu (1):
  rxrpc: fix reference count leak in rxrpc_server_keyring()

Marc Dionne (1):
  rxrpc: Fix to request an ack if window is limited

Oleh Konko (1):
  rxrpc: Fix RxGK token loading to check bounds

Pengpeng Hou (1):
  rxrpc: proc: size address buffers for %pISpc output

Wang Jie (1):
  rxrpc: only handle RESPONSE during service challenge

Yuqi Xu (1):
  rxrpc: reject undecryptable rxkad response tickets

 include/trace/events/rxrpc.h |  4 ++-
 net/rxrpc/af_rxrpc.c         |  6 ----
 net/rxrpc/ar-internal.h      |  2 +-
 net/rxrpc/call_object.c      | 25 ++++++--------
 net/rxrpc/conn_event.c       | 19 ++++++++---
 net/rxrpc/input_rack.c       |  2 +-
 net/rxrpc/io_thread.c        |  3 +-
 net/rxrpc/key.c              | 40 +++++++++++++----------
 net/rxrpc/output.c           |  2 ++
 net/rxrpc/proc.c             | 37 ++++++++++++---------
 net/rxrpc/rxgk.c             | 19 +++++++----
 net/rxrpc/rxkad.c            | 63 ++++++++++++++++++++++++------------
 net/rxrpc/sendmsg.c          |  2 +-
 net/rxrpc/server_key.c       |  3 ++
 14 files changed, 138 insertions(+), 89 deletions(-)