* [PATCH net 0/4] rxrpc: Fix CHALLENGE packet handling
@ 2026-07-02 14:49 David Howells
From: David Howells @ 2026-07-02 14:49 UTC (permalink / raw)
  To: netdev
  Cc: David Howells, Marc Dionne, Jakub Kicinski, David S. Miller,
	Eric Dumazet, Paolo Abeni, Simon Horman, linux-afs, linux-kernel

Here's a fix for AF_RXRPC's CHALLENGE packet handling, addressing an issue
raised by Sashiko[1], plus three fixes for things found or noted along the
way:

 (1) Fix a NULL deref in afs_deliver_cb_init_call_back_state3().

 (2) Fix rxrpc_sendmsg so that it doesn't return an error if it queued the
     last packet of a call.  After that point, the error will be returned
     by recvmsg(), and returning it twice in two different places may
     complicate userspace cleaning up its own structures.

 (3) Fix a UAF in afs_make_call().

 (4) Fix CHALLENGE packet overqueuing and simplify RESPONSE packet
     generation by pre-creating the RxGK application data up front and
     passing it in a user key (thereby allowing userspace to partake).
     This allows all the OOB queuing stuff to be deleted.

     [!] Note that this entails a significant change in the UAPI for
     AF_RXRPC, with the CMSG types and sockopt to support the OOB queuing
     being removed and replaced with a new single CMSG type that conveys
     the user key ID.  I don't think it likely anyone is using this outside
     of my kafs-utils package.

     This also involves a change to the user-defined key type, making the
     payload refcounted so that it can be accessed and the length read,
     then a buffer allocated that will hold it and other data, and then the
     content copied.  The problem is that the user is perfectly at liberty
     to change the content of a user-defined key (which will RCU-replace
     the content of the key), so the length might change when we drop the
     RCU read lock in order to allocate.  This could be got around by
     locking the key->rwsem sharedly, but that might be able to deadlock
     part of the rxrpc protocol engine if memory reclaim occurs.

I've posted this as a fix for net/main, but would patch (4) at least be
better going into net-next/main given the amount it changes?

David

The patches can be found here also:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-fixes

[1] https://sashiko.dev/#/patchset/20260624163819.3017002-1-dhowells%40redhat.com

David Howells (4):
  afs: Fix NULL deref in afs_deliver_cb_init_call_back_state3()
  rxrpc: Fix sendmsg to not return an error if last packet queued
  afs: Fix UAF when sending a message
  rxrpc: Fix CHALLENGE packet overqueuing and simplify RESPONSE
    generation

 fs/afs/cm_security.c         | 151 ++++++--------
 fs/afs/cmservice.c           |   3 +-
 fs/afs/fs_probe.c            |   5 +
 fs/afs/internal.h            |  37 ++--
 fs/afs/main.c                |   1 -
 fs/afs/rxrpc.c               |  51 ++---
 fs/afs/server.c              |   2 +-
 include/keys/user-type.h     |   2 +
 include/net/af_rxrpc.h       |  20 +-
 include/trace/events/afs.h   |   7 +-
 include/trace/events/rxrpc.h |   2 -
 include/uapi/linux/rxrpc.h   |   6 +-
 net/dns_resolver/dns_key.c   |   1 +
 net/rxrpc/Makefile           |   1 -
 net/rxrpc/af_rxrpc.c         |  49 +----
 net/rxrpc/ar-internal.h      |  22 +-
 net/rxrpc/call_object.c      |   4 +-
 net/rxrpc/conn_client.c      |   2 +
 net/rxrpc/conn_event.c       |  68 +-----
 net/rxrpc/key.c              |  36 ++++
 net/rxrpc/oob.c              | 387 -----------------------------------
 net/rxrpc/recvmsg.c          |  84 +-------
 net/rxrpc/rxgk.c             | 128 +++---------
 net/rxrpc/rxkad.c            |  27 ---
 net/rxrpc/sendmsg.c          |  26 ++-
 net/rxrpc/server_key.c       |  40 ----
 security/keys/user_defined.c |  23 ++-
 27 files changed, 258 insertions(+), 927 deletions(-)
 delete mode 100644 net/rxrpc/oob.c
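The race described in item (4), that a user-defined key's payload can be RCU-replaced between a reader noting its length and copying it, modelled in userspace C as an added example (this is not code from the series, kafs-utils or the kernel). The names payload_alloc, user_key_update, racy_read, refcounted_read, grow_payload and demo are hypothetical; the RCU read lock is represented by comments, and a hook called at the point where the lock would have been dropped stands in for the concurrent update. The first reader shows why the stale length matters; the second shows the refcounted-snapshot approach the cover letter moves to.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical single-threaded userspace model (not kernel or rxrpc code) of a
 * user-defined key whose payload can be replaced while a reader is using it.
 * A hook stands in for the other CPU, run where the kernel reader would have
 * dropped the RCU read lock to allocate. */
#define HDR_LEN 8   /* stand-in for the "other data" stored before the copy */

struct payload {
	int refcnt;        /* the reference count the series adds to the payload */
	size_t datalen;
	char data[];
};

struct user_key {
	struct payload *payload;   /* RCU-replaced in the kernel */
};

static struct payload *payload_alloc(const char *src, size_t len)
{
	struct payload *p = malloc(sizeof(*p) + len);
	if (!p) return NULL;
	p->refcnt = 1;             /* the key's own reference */
	p->datalen = len;
	memcpy(p->data, src, len);
	return p;
}

static void payload_get(struct payload *p) { p->refcnt++; }
static void payload_put(struct payload *p) { if (--p->refcnt == 0) free(p); }

/* A user updating the key: install a new payload and drop the key's reference
 * to the old one (the kernel frees the old payload after a grace period). */
static void user_key_update(struct user_key *key, const char *src, size_t len)
{
	struct payload *old = key->payload;
	key->payload = payload_alloc(src, len);
	payload_put(old);
}

/* Length-then-copy reader, the pattern the cover letter warns about: read the
 * length under the lock, drop the lock to allocate, then copy from a payload
 * that may since have been replaced.  Returns the bytes copied, or -1 when the
 * payload grew in the gap (copying datalen bytes then would overrun buf, so
 * this model refuses rather than overrunning). */
static long racy_read(struct user_key *key, void (*hook)(struct user_key *),
		      char **out)
{
	size_t len = key->payload->datalen;        /* under rcu_read_lock() */
	char *buf = malloc(HDR_LEN + len);         /* lock dropped to allocate */
	if (!buf) return -1;
	if (hook) hook(key);                       /* concurrent update lands here */
	struct payload *p = key->payload;          /* reread under rcu_read_lock() */
	if (p->datalen > len) { free(buf); return -1; }   /* len is stale: the bug */
	memset(buf, 0, HDR_LEN);
	memcpy(buf + HDR_LEN, p->data, p->datalen);
	*out = buf;
	return (long)p->datalen;
}

/* Refcounted reader: pin the payload seen under the lock, size the buffer from
 * it, and copy from that same pinned snapshot however the key changes. */
static long refcounted_read(struct user_key *key, void (*hook)(struct user_key *),
			    char **out)
{
	struct payload *p = key->payload;          /* under rcu_read_lock() */
	payload_get(p);                            /* keeps p alive after unlock */
	char *buf = malloc(HDR_LEN + p->datalen);  /* lock dropped to allocate */
	if (!buf) { payload_put(p); return -1; }
	if (hook) hook(key);                       /* replaces key->payload, not p */
	memset(buf, 0, HDR_LEN);
	memcpy(buf + HDR_LEN, p->data, p->datalen);
	long n = (long)p->datalen;
	payload_put(p);
	*out = buf;
	return n;
}

/* Constructed race: the key holds "abc" and the update grows it to 10 bytes. */
static void grow_payload(struct user_key *key)
{
	user_key_update(key, "abcdefghij", 10);
}

/* Runs one reader against the race: -1 if the reader refused, the copied
 * length if the copy matches the "abc" snapshot, -2 otherwise. */
static long demo(int use_refcount)
{
	struct user_key key = { .payload = payload_alloc("abc", 3) };
	char *buf = NULL;
	long n = use_refcount ? refcounted_read(&key, grow_payload, &buf)
			      : racy_read(&key, grow_payload, &buf);
	if (n >= 0 && memcmp(buf + HDR_LEN, "abc", 3) != 0)
		n = -2;
	free(buf);
	payload_put(key.payload);
	return n;
}
```

demo(0) runs the length-then-copy reader and comes back with -1 because the payload grew while the lock was dropped; demo(1) returns 3 with the original "abc" intact, since the pinned snapshot is unaffected by the replacement. Pinning the snapshot also means no lock is held across the allocation, which is the deadlock concern the cover letter raises about taking key->rwsem for shared access instead.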



Thread overview: 7+ messages
2026-07-02 14:49 [PATCH net 0/4] rxrpc: Fix CHALLENGE packet handling David Howells
2026-07-02 14:49 ` [PATCH net 1/4] afs: Fix NULL deref in afs_deliver_cb_init_call_back_state3() David Howells
2026-07-02 17:31   ` Jeffrey E Altman
2026-07-02 14:49 ` [PATCH net 2/4] rxrpc: Fix sendmsg to not return an error if last packet queued David Howells
2026-07-02 14:49 ` [PATCH net 3/4] afs: Fix UAF when sending a message David Howells
2026-07-03 11:12   ` Marc Dionne
2026-07-02 14:49 ` [PATCH net 4/4] rxrpc: Fix CHALLENGE packet overqueuing and simplify RESPONSE generation David Howells
