From: David Howells <dhowells@redhat.com>
To: netdev@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH net 0/4] rxrpc: Fix CHALLENGE packet handling
Date: Thu, 2 Jul 2026 15:49:14 +0100
Message-ID: <20260702144919.172295-1-dhowells@redhat.com>
Here's a fix for AF_RXRPC's CHALLENGE packet handling, addressing an issue
raised by Sashiko[1], plus three fixes for things found or noted along the
way:
(1) Fix a NULL deref in afs_deliver_cb_init_call_back_state3().
(2) Fix rxrpc_sendmsg so that it doesn't return an error if it queued the
last packet of a call. After that point, the error will be returned
by recvmsg(), and returning it twice in two different places may
complicate userspace cleaning up its own structures.
(3) Fix a UAF in afs_make_call().
(4) Fix CHALLENGE packet overqueuing and simplify RESPONSE packet
generation by pre-creating the RxGK application data up front and
passing it in a user key (thereby allowing userspace to partake).
This allows all the OOB queuing stuff to be deleted.
[!] Note that this entails a significant change in the UAPI for
AF_RXRPC, with the CMSG types and sockopt to support the OOB queuing
being removed and replaced with a new single CMSG type that conveys
the user key ID. I don't think it likely anyone is using this outside
of my kafs-utils package.
This also involves a change to the user-defined key type, making the
payload refcounted so that it can be accessed and the length read,
then a buffer allocated that will hold it and other data, and then the
content copied. The problem is that the user is perfectly at liberty
to change the content of a user-defined key (which will RCU-replace
the content of the key), so the length might change when we drop the
RCU read lock in order to allocate. This could be got around by
locking the key->rwsem sharedly, but that might be able to deadlock
part of the rxrpc protocol engine if memory reclaim occurs.
I've posted this as a fix for net/main, but would patch (4) at least be
better going into net-next/main given the amount it changes?
David
The patches can be found here also:
http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-fixes
[1] https://sashiko.dev/#/patchset/20260624163819.3017002-1-dhowells%40redhat.com
David Howells (4):
afs: Fix NULL deref in afs_deliver_cb_init_call_back_state3()
rxrpc: Fix sendmsg to not return an error if last packet queued
afs: Fix UAF when sending a message
rxrpc: Fix CHALLENGE packet overqueuing and simplify RESPONSE generation
fs/afs/cm_security.c | 151 ++++++--------
fs/afs/cmservice.c | 3 +-
fs/afs/fs_probe.c | 5 +
fs/afs/internal.h | 37 ++--
fs/afs/main.c | 1 -
fs/afs/rxrpc.c | 51 ++---
fs/afs/server.c | 2 +-
include/keys/user-type.h | 2 +
include/net/af_rxrpc.h | 20 +-
include/trace/events/afs.h | 7 +-
include/trace/events/rxrpc.h | 2 -
include/uapi/linux/rxrpc.h | 6 +-
net/dns_resolver/dns_key.c | 1 +
net/rxrpc/Makefile | 1 -
net/rxrpc/af_rxrpc.c | 49 +----
net/rxrpc/ar-internal.h | 22 +-
net/rxrpc/call_object.c | 4 +-
net/rxrpc/conn_client.c | 2 +
net/rxrpc/conn_event.c | 68 +-----
net/rxrpc/key.c | 36 ++++
net/rxrpc/oob.c | 387 -----------------------------------
net/rxrpc/recvmsg.c | 84 +-------
net/rxrpc/rxgk.c | 128 +++---------
net/rxrpc/rxkad.c | 27 ---
net/rxrpc/sendmsg.c | 26 ++-
net/rxrpc/server_key.c | 40 ----
security/keys/user_defined.c | 23 ++-
27 files changed, 258 insertions(+), 927 deletions(-)
delete mode 100644 net/rxrpc/oob.c
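Added example, not part of this patch series or of the kernel: a small userspace C model of the user-defined key race described in the cover letter. The structs and functions (payload, key, naive_build, refcounted_build, race_shrink) are hypothetical stand-ins, and the race is injected deterministically into the allocation window rather than run on real threads. The first builder follows the length-first pattern (read the length, drop the lock to allocate, then copy); the second pins a refcounted snapshot of the payload so that length, allocation and copy all come from the same content even when the key is replaced in between.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model; none of these names exist in the kernel. */
#define HDR 4   /* pretend header carrying the declared payload length */

struct payload {
    int refs;       /* reference count (would be atomic with real threads) */
    size_t len;
    char data[];    /* flexible array member holding the key content */
};

struct key {
    struct payload *cur;    /* the RCU-replaced pointer in the kernel */
};

struct buf {
    size_t declared_len;    /* length the buffer was sized for */
    size_t copied_len;      /* bytes actually copied into it */
    unsigned char *data;
};

static struct payload *payload_new(const char *s)
{
    size_t len = strlen(s);
    struct payload *p = malloc(sizeof(*p) + len);
    if (!p) abort();
    p->refs = 1;            /* reference held by the key itself */
    p->len = len;
    memcpy(p->data, s, len);
    return p;
}

static void payload_put(struct payload *p)
{
    if (--p->refs == 0)
        free(p);
}

/* Pin the current payload so a later key update cannot free it under us. */
static struct payload *payload_get(struct key *k)
{
    struct payload *p = k->cur;
    p->refs++;
    return p;
}

static void key_init(struct key *k, const char *s) { k->cur = payload_new(s); }
static void key_destroy(struct key *k) { payload_put(k->cur); k->cur = NULL; }

/* Model of a userspace key update: swap in a new payload, drop the old reference. */
static void key_update(struct key *k, const char *s)
{
    struct payload *old = k->cur;
    k->cur = payload_new(s);
    payload_put(old);
}

/* The concurrent update injected into each builder's allocation window. */
static void race_shrink(struct key *k) { key_update(k, "short"); }

/*
 * Length-first pattern: the length is read, the lock is dropped to allocate,
 * and the copy then sees whatever the key holds now.  The copy is clamped only
 * so this demo never reads past the new payload; without the clamp it would
 * over-read (shorter new payload) or truncate (longer new payload).
 */
static void naive_build(struct key *k, void (*race)(struct key *), struct buf *out)
{
    size_t len = k->cur->len;            /* step 1: peek at the length */
    out->data = malloc(HDR + len);       /* step 2: allocate (may sleep) */
    if (!out->data) abort();
    if (race)
        race(k);                         /* an update lands in the window */
    struct payload *p = k->cur;          /* step 3: copy from the replaced key */
    size_t n = p->len < len ? p->len : len;
    memcpy(out->data + HDR, p->data, n);
    out->declared_len = len;
    out->copied_len = n;
}

/* Refcounted-snapshot pattern: everything comes from one pinned payload. */
static void refcounted_build(struct key *k, void (*race)(struct key *), struct buf *out)
{
    struct payload *p = payload_get(k);  /* snapshot survives any update */
    out->data = malloc(HDR + p->len);
    if (!out->data) abort();
    if (race)
        race(k);                         /* key->cur changes; p does not */
    memcpy(out->data + HDR, p->data, p->len);
    out->declared_len = p->len;
    out->copied_len = p->len;
    payload_put(p);
}

static int buf_consistent(const struct buf *b)
{
    return b->declared_len == b->copied_len;
}

int main(void)
{
    struct key k;
    struct buf b;

    key_init(&k, "long-rxgk-appdata");   /* constructed sample payload */
    naive_build(&k, race_shrink, &b);
    printf("naive: declared %zu, copied %zu (%s)\n", b.declared_len,
           b.copied_len, buf_consistent(&b) ? "consistent" : "MISMATCH");
    free(b.data);
    key_destroy(&k);

    key_init(&k, "long-rxgk-appdata");
    refcounted_build(&k, race_shrink, &b);
    printf("refcounted: declared %zu, copied %zu (%s)\n", b.declared_len,
           b.copied_len, buf_consistent(&b) ? "consistent" : "MISMATCH");
    free(b.data);
    key_destroy(&k);
    return 0;
}
```

The naive path sizes its buffer for the 17-byte original and then copies from the 5-byte replacement, so the declared and copied lengths disagree; the refcounted path keeps the original payload alive until the copy is done, which is the property the cover letter is after without having to hold key->rwsem across an allocation.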