From: Simon Horman <horms@kernel.org>
To: dhowells@redhat.com
Cc: Simon Horman <horms@kernel.org>,
netdev@vger.kernel.org, marc.dionne@auristor.com,
kuba@kernel.org, davem@davemloft.net, edumazet@google.com,
pabeni@redhat.com, linux-afs@lists.infradead.org,
linux-kernel@vger.kernel.org, jaltman@auristor.com,
stable@kernel.org
Subject: Re: [PATCH net v2 07/10] rxrpc: Fix oob challenge leak in cleanup after notification failure
Date: Sat, 20 Jun 2026 10:17:39 +0100 [thread overview]
Message-ID: <20260620091739.969563-1-horms@kernel.org> (raw)
In-Reply-To: <20260618134802.2477777-8-dhowells@redhat.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
rxrpc: Fix oob challenge leak in cleanup after notification failure
Fix rxrpc_notify_socket_oob() to return an indication of failure in the
event that it failed to queue a packet and fix rxrpc_post_challenge() to
clean up the connection ref in such an event.
Link: https://sashiko.dev/#/patchset/20260616155749.2125907-1-dhowells%40redhat.com
> diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
> index c96ca615b787c..611c790bc6d0c 100644
> --- a/net/rxrpc/conn_event.c
> +++ b/net/rxrpc/conn_event.c
> @@ -436,7 +436,7 @@ static bool rxrpc_post_challenge(struct rxrpc_connection *conn,
> struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
> struct rxrpc_call *call = NULL;
> struct rxrpc_sock *rx;
> - bool respond = false;
> + bool respond = false, queued = false;
[Severity: Critical]
This is a pre-existing issue, but can the lockless read of
conn->channels[i].call in net/rxrpc/conn_event.c lead to a NULL pointer
dereference?
Looking at rxrpc_post_challenge(), the code does:
if (conn->channels[i].call) {
call = conn->channels[i].call;
rx = rcu_dereference(call->socket);
Without READ_ONCE(), the compiler could issue two separate loads. If a
concurrent thread clears the channel's call pointer after the if-check but
before the assignment, call becomes NULL.
Does this cause the subsequent rcu_dereference(call->socket) to panic by
dereferencing NULL->socket?
[Severity: High]
This isn't a bug introduced by this patch, but does taking a connection
reference here in rxrpc_post_challenge() lead to a leak if the packet is
later discarded due to connection abort or teardown?
If rxrpc_process_event() in net/rxrpc/conn_event.c encounters
conn->state == RXRPC_CONN_ABORTED, it returns -ECONNABORTED early:
if (conn->state == RXRPC_CONN_ABORTED)
return -ECONNABORTED;
This bypasses the cleanup, and the skb is consumed by
rxrpc_do_process_connection() without dropping the sp->chall.conn reference.
Similarly, during teardown, rxrpc_purge_queue() in net/rxrpc/skbuff.c
consumes skbs via:
while ((skb = skb_dequeue((list))) != NULL) {
...
consume_skb(skb);
}
Since it doesn't inspect the cb scratch space, doesn't this permanently leak
the connection references stored in sp->chall.conn?
[ ... ]
> if (call)
> - rxrpc_notify_socket_oob(call, skb);
> + queued = rxrpc_notify_socket_oob(call, skb);
[Severity: High]
This is a pre-existing issue, but does failing to set skb->mark to
RXRPC_OOB_CHALLENGE here in rxrpc_post_challenge() break OOB challenge
processing?
The skb->mark remains RXRPC_SKB_MARK_PACKET as set during ingress.
When the application attempts to respond via rxrpc_respond_to_oob() or read
via rxrpc_recvmsg_oob(), won't the operation fail with -EPROTO because it
expects skb->mark == RXRPC_OOB_CHALLENGE?
Additionally, when the OOB message is freed via rxrpc_kernel_free_oob(),
doesn't the switch statement on oob->mark fail to match, bypassing
rxrpc_put_connection() and leaking the connection reference stored in
sp->chall.conn?
> rcu_read_unlock();
> + if (call && !queued) {
> + rxrpc_put_connection(conn, rxrpc_conn_put_challenge_input);
> + sp->chall.conn = NULL;
> + return false;
> + }
>
> if (!call)
> rxrpc_post_packet_to_conn(conn, skb);
> diff --git a/net/rxrpc/oob.c b/net/rxrpc/oob.c
> index 3318c8bd82ad5..c80ee2487d094 100644
> --- a/net/rxrpc/oob.c
> +++ b/net/rxrpc/oob.c
[ ... ]
> @@ -49,6 +50,7 @@ void rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb)
> skb->skb_mstamp_ns = rx->oob_id_counter++;
> rxrpc_get_skb(skb, rxrpc_skb_get_post_oob);
> skb_queue_tail(&rx->recvmsg_oobq, skb);
> + queued = true;
[Severity: High]
This isn't a bug introduced by this patch, but does unbounded queuing of
challenge packets onto recvmsg_oobq risk a kernel OOM?
In net/rxrpc/oob.c, rxrpc_notify_socket_oob() uses skb_queue_tail() without
checking memory limits (like sk_rmem_alloc vs sk_rcvbuf) or restricting the
total number of challenges.
Since rxrpc_encap_rcv() intercepts these packets before standard UDP memory
accounting occurs, could a remote attacker flood the host with valid
CHALLENGE packets?
If the application is slow to process them or ignores them, will these
accumulate infinitely in recvmsg_oobq and cause a Denial of Service?
next prev parent reply other threads:[~2026-06-20 9:17 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-18 13:47 [PATCH net v2 00/10] rxrpc: Miscellaneous fixes David Howells
2026-06-18 13:47 ` [PATCH net v2 01/10] rxrpc: input: reject ACKALL outside transmit phase David Howells
2026-06-19 21:32 ` Jeffrey E Altman
2026-06-18 13:47 ` [PATCH net v2 02/10] rxrpc: Fix leak of connection from OOB challenge David Howells
2026-06-18 13:47 ` [PATCH net v2 03/10] rxrpc: Fix double unlock in rxrpc_recvmsg() David Howells
2026-06-18 13:47 ` [PATCH net v2 04/10] afs: Fix further netns teardown to cancel the preallocation charger David Howells
2026-06-18 13:47 ` [PATCH net v2 05/10] afs: Fix uncancelled rxrpc OOB message handler David Howells
2026-06-20 9:13 ` Simon Horman
2026-06-18 13:47 ` [PATCH net v2 06/10] rxrpc: Fix the reception of a reply packet before data transmission David Howells
2026-06-20 9:17 ` Simon Horman
2026-06-18 13:47 ` [PATCH net v2 07/10] rxrpc: Fix oob challenge leak in cleanup after notification failure David Howells
2026-06-20 9:17 ` Simon Horman [this message]
2026-06-18 13:47 ` [PATCH net v2 08/10] rxrpc: Fix potential infinite loop in rxrpc_recvmsg() David Howells
2026-06-18 13:48 ` [PATCH net v2 09/10] rxrpc: Fix socket notification race David Howells
2026-06-18 13:48 ` [PATCH net v2 10/10] rxrpc: Fix leak of released call in recvmsg(MSG_PEEK) David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260620091739.969563-1-horms@kernel.org \
--to=horms@kernel.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=edumazet@google.com \
--cc=jaltman@auristor.com \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.dionne@auristor.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox