From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 25A8237700B for ; Wed, 22 Apr 2026 16:14:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776874493; cv=none; b=V618Ulp7fOh8xOwiXQ5gBWjfZZ2YKEbl35XLP7nW2/MIkjhekBP0JMYCX40lDpeZUUw+F0Hhrtg9sDp0ZXAzG+x9GjoX9YpNPQvZAj7DPaT70pVz1MBJes1DoNzXnHLWYhbNLqRtj1jFRaMrcn4MexVDBrm7qw4dHhuB0VRy2aY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776874493; c=relaxed/simple; bh=ceG9hlKcQQLjEH1fq+ZRm0GaB7amhKFeoxZPMjcJvzw=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Z7WFLQ7gt9qZ/YGima5UzQx9ewZ7gxLDfY6S52Q6CCP4fADCxt12ZLVdFAuYGMOpIDJajmYiUEg3ycoakU84hI4h88+HT4Y1hQ3x3oTkjxTCBMkIwS4FckLZUwefTmdYgUil2DSfQLf+VufIs0WeJQ1QJx/xbw8F5VmuoF0FjNw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=XByyTfV1; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="XByyTfV1" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1776874490; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=6mOsgWOxnc0+otBr4h76GnPam6a+9tcfPC9mgj/QtDw=; b=XByyTfV1Q6ZyU0cTJ43lX0ntKcwMuKyDly1dFJXKnVmIxxOpXC95ByeWViHKoDqIRZUSAS Zxp8VIkF1VGtHVF/06duATuGgxFUT0SqUMPDwKf1ibpah1H1pBtBvF6I5fau90cgsg3eUC aVHeKGPtHruD/WPSwumqD4NX79YiAFk= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-572-S-YlvY_tPcivoOF_d9Eqww-1; Wed, 22 Apr 2026 12:14:47 -0400 X-MC-Unique: S-YlvY_tPcivoOF_d9Eqww-1 X-Mimecast-MFC-AGG-ID: S-YlvY_tPcivoOF_d9Eqww_1776874486 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 7D334180034D; Wed, 22 Apr 2026 16:14:45 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.48.17]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id DA1A219560B7; Wed, 22 Apr 2026 16:14:40 +0000 (UTC) From: David Howells To: netdev@vger.kernel.org Cc: David Howells , Marc Dionne , Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , Simon Horman , Anderson Nascimento , linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [PATCH net v2 0/6] rxrpc: Miscellaneous fixes Date: Wed, 22 Apr 2026 17:14:29 +0100 Message-ID: <20260422161438.2593376-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Here are some fixes for rxrpc, as found by Sashiko[1]: (1) Fix leaks in rxkad_verify_response(). (2) Fix handling of rxkad-encrypted packets with crypto-misaligned lengths. (3) Fix problem with unsharing DATA packets potentially causing a crash in the caller. (4) Fix lack of unsharing of RESPONSE packets. (5) Fix integer overflow in RxGK ticket length check. (6) Fix missing length check in RxKAD tickets. David The patches can be found here also: http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-fixes Changes ======= ver #2) - Use of __free() constructs in networking code is disallowed, so rework the rxkad_verify_response() patch to just clean everything up at the end and cope with NULL pointers. - Reworked the unsharing fix: - Used skb_cloned() and skb_copy() directly rather than skb_unshare(). The problem with skb_unshare() is that it kills the source skbuff if it can't copy, which then has to be propagated up the call chain. Even so, the code still had an bug from this[1]. - Split into two patches, one for DATA and one for RESPONSE packets. - Do the DATA unshare a lot further along. - Imported a patch to add a length check on RxKAD tickets. Link: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com [1] Anderson Nascimento (1): rxrpc: Fix missing validation of ticket length in non-XDR key preparsing David Howells (5): rxrpc: Fix memory leaks in rxkad_verify_response() rxrpc: Fix rxkad crypto unalignment handling rxrpc: Fix potential UAF after skb_unshare() failure rxrpc: Fix conn-level packet handling to unshare RESPONSE packets rxgk: Fix potential integer overflow in length check include/trace/events/rxrpc.h | 5 +- net/rxrpc/ar-internal.h | 1 - net/rxrpc/call_event.c | 19 +++++- net/rxrpc/conn_event.c | 29 ++++++++- net/rxrpc/io_thread.c | 24 +------- net/rxrpc/key.c | 4 ++ net/rxrpc/rxgk_app.c | 2 +- net/rxrpc/rxgk_common.h | 1 + net/rxrpc/rxkad.c | 112 +++++++++++++++-------------------- net/rxrpc/skbuff.c | 9 --- 10 files changed, 106 insertions(+), 100 deletions(-)