Netdev List
From: David Howells <dhowells@redhat.com>
To: netdev@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
	Marc Dionne <marc.dionne@auristor.com>,
	Jakub Kicinski <kuba@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
	linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH net 0/4] rxrpc: Fix CHALLENGE packet handling
Date: Thu,  2 Jul 2026 15:49:14 +0100	[thread overview]
Message-ID: <20260702144919.172295-1-dhowells@redhat.com> (raw)

Here's a fix for AF_RXRPC's CHALLENGE packet handling, addressing an issue
raised by Sashiko[1], plus three fixes for things found or noted along the
way:

 (1) Fix a NULL deref in afs_deliver_cb_init_call_back_state3().

 (2) Fix rxrpc_sendmsg so that it doesn't return an error if it queued the
     last packet of a call.  After that point, the error will be returned
     by recvmsg(), and returning it twice in two different places may
     complicate userspace cleaning up its own structures.

 (3) Fix a UAF in afs_make_call().

 (4) Fix CHALLENGE packet overqueuing and simplify RESPONSE packet
     generation by pre-creating the RxGK application data up front and
     passing it in a user key (thereby allowing userspace to partake).
     This allows all the OOB queuing stuff to be deleted.

     [!] Note that this entails a significant change in the UAPI for
     AF_RXRPC, with the CMSG types and sockopt to support the OOB queuing
     being removed and replaced with a new single CMSG type that conveys
     the user key ID.  I don't think it likely anyone is using this outside
     of my kafs-utils package.

     This also involves a change to the user-defined key type, making the
     payload refcounted so that it can be accessed and the length read,
     then a buffer allocated that will hold it and other data, and then the
     content copied.  The problem is that the user is perfectly at liberty
     to change the content of a user-defined key (which will RCU-replace
     the content of the key), so the length might change when we drop the
     RCU read lock in order to allocate.  This could be got around by
     locking the key->rwsem sharedly, but that might be able to deadlock
     part of the rxrpc protocol engine if memory reclaim occurs.

I've posted this as a fix for net/main, but would patch (4) at least be
better going into net-next/main given the amount it changes?

David

The patches can be found here also:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-fixes

[1] https://sashiko.dev/#/patchset/20260624163819.3017002-1-dhowells%40redhat.com

David Howells (4):
  afs: Fix NULL deref in afs_deliver_cb_init_call_back_state3()
  rxrpc: Fix sendmsg to not return an error if last packet queued
  afs: Fix UAF when sending a message
  rxrpc: Fix CHALLENGE packet overqueuing and simplify RESPONSE
    generation

 fs/afs/cm_security.c         | 151 ++++++--------
 fs/afs/cmservice.c           |   3 +-
 fs/afs/fs_probe.c            |   5 +
 fs/afs/internal.h            |  37 ++--
 fs/afs/main.c                |   1 -
 fs/afs/rxrpc.c               |  51 ++---
 fs/afs/server.c              |   2 +-
 include/keys/user-type.h     |   2 +
 include/net/af_rxrpc.h       |  20 +-
 include/trace/events/afs.h   |   7 +-
 include/trace/events/rxrpc.h |   2 -
 include/uapi/linux/rxrpc.h   |   6 +-
 net/dns_resolver/dns_key.c   |   1 +
 net/rxrpc/Makefile           |   1 -
 net/rxrpc/af_rxrpc.c         |  49 +----
 net/rxrpc/ar-internal.h      |  22 +-
 net/rxrpc/call_object.c      |   4 +-
 net/rxrpc/conn_client.c      |   2 +
 net/rxrpc/conn_event.c       |  68 +-----
 net/rxrpc/key.c              |  36 ++++
 net/rxrpc/oob.c              | 387 -----------------------------------
 net/rxrpc/recvmsg.c          |  84 +-------
 net/rxrpc/rxgk.c             | 128 +++---------
 net/rxrpc/rxkad.c            |  27 ---
 net/rxrpc/sendmsg.c          |  26 ++-
 net/rxrpc/server_key.c       |  40 ----
 security/keys/user_defined.c |  23 ++-
 27 files changed, 258 insertions(+), 927 deletions(-)
 delete mode 100644 net/rxrpc/oob.c
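The race described under point (4), as an added user-space model written for this page (it is not code from the patch series or from the kernel): a reader takes the length of a user-defined key's payload under the RCU read lock, drops the lock to allocate, and then copies, while a writer replaces the payload in between. The first snapshot routine sizes its buffer from the first read and finds the length changed by copy time; the second pins the payload with a reference before dropping the lock, so sizing and copying use the same object regardless of what the writer does. All names (ukey, ukey_payload, snapshot_racy, snapshot_pinned, run_demo) and the "initial-secret" sample payload are hypothetical, and the kernel's RCU and refcount primitives are stood in for by comments and a plain counter.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model, not kernel code.  The payload carries a
 * reference count so a reader can pin it across a sleeping allocation. */
struct ukey_payload {
	int refs;                 /* stands in for refcount_t */
	size_t datalen;
	unsigned char data[64];
};

struct ukey {
	struct ukey_payload *payload;   /* stands in for an RCU-replaced pointer */
};

/* A "racing writer" hook, invoked at the point where the reader would sleep. */
typedef void (*racer_fn)(struct ukey *key);

static struct ukey_payload *payload_new(const char *s)
{
	struct ukey_payload *p = calloc(1, sizeof(*p));
	p->refs = 1;
	p->datalen = strlen(s);
	memcpy(p->data, s, p->datalen);
	return p;
}

static void payload_put(struct ukey_payload *p)
{
	if (--p->refs == 0)
		free(p);
}

/* Writer: replace the payload (what a key update does) and drop the old ref. */
static void ukey_update(struct ukey *key, const char *s)
{
	struct ukey_payload *old = key->payload;
	key->payload = payload_new(s);
	payload_put(old);
}

/* Racy pattern: read the length under the lock, drop it to allocate, then
 * re-enter and copy.  Returns -1 where a real copy of the new length would
 * overrun (or under-fill) a buffer sized from the stale length. */
static int snapshot_racy(struct ukey *key, racer_fn racer,
			 unsigned char **out, size_t *outlen)
{
	size_t len = key->payload->datalen;     /* rcu_read_lock(); ... rcu_read_unlock(); */
	unsigned char *buf = malloc(len + 16);  /* may sleep: writer can run here */
	if (racer)
		racer(key);
	if (key->payload->datalen != len) {     /* rcu_read_lock() again for the copy */
		free(buf);
		return -1;
	}
	memcpy(buf, key->payload->data, len);
	*out = buf;
	*outlen = len;
	return 0;
}

/* Pinned pattern: take a reference under the lock, then size and copy from
 * the pinned object.  The writer may replace the key, but cannot free p. */
static int snapshot_pinned(struct ukey *key, racer_fn racer,
			   unsigned char **out, size_t *outlen)
{
	struct ukey_payload *p = key->payload;  /* rcu_read_lock(); */
	p->refs++;                              /* refcount_inc(); rcu_read_unlock(); */
	unsigned char *buf = malloc(p->datalen + 16);
	if (racer)
		racer(key);
	memcpy(buf, p->data, p->datalen);
	*out = buf;
	*outlen = p->datalen;
	payload_put(p);
	return 0;
}

static void racer_grow(struct ukey *key)
{
	ukey_update(key, "replaced-with-a-much-longer-payload");
}

/* Build a key, snapshot it while racer_grow replaces the payload, and copy
 * the NUL-terminated result into dst.  Returns the snapshot length or -1. */
static int run_demo(int pinned, char *dst, size_t cap)
{
	struct ukey key = { .payload = payload_new("initial-secret") };
	unsigned char *snap = NULL;
	size_t n = 0;
	int rc = pinned ? snapshot_pinned(&key, racer_grow, &snap, &n)
			: snapshot_racy(&key, racer_grow, &snap, &n);
	if (rc == 0) {
		if (n >= cap)
			n = cap - 1;
		memcpy(dst, snap, n);
		dst[n] = '\0';
		free(snap);
		rc = (int)n;
	}
	payload_put(key.payload);
	return rc;
}

int main(void)
{
	char buf[64];
	int rc = run_demo(0, buf, sizeof(buf));
	printf("racy snapshot:   %s\n", rc < 0 ? "length changed under us" : buf);
	rc = run_demo(1, buf, sizeof(buf));
	printf("pinned snapshot: %s (%d bytes)\n", buf, rc);
	return 0;
}
```

The model only covers the refcount approach the cover letter settles on; the alternative it rejects (holding key->rwsem shared across the allocation, with the reclaim deadlock risk that brings) is not modelled.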



Thread overview: 7+ messages
2026-07-02 14:49 David Howells [this message]
2026-07-02 14:49 ` [PATCH net 1/4] afs: Fix NULL deref in afs_deliver_cb_init_call_back_state3() David Howells
2026-07-02 17:31   ` Jeffrey E Altman
2026-07-02 14:49 ` [PATCH net 2/4] rxrpc: Fix sendmsg to not return an error if last packet queued David Howells
2026-07-02 14:49 ` [PATCH net 3/4] afs: Fix UAF when sending a message David Howells
2026-07-03 11:12   ` Marc Dionne
2026-07-02 14:49 ` [PATCH net 4/4] rxrpc: Fix CHALLENGE packet overqueuing and simplify RESPONSE generation David Howells
