From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
Anderson Nascimento <anderson@allelesecurity.com>,
Luxiao Xu <rakukuip@gmail.com>, Yuan Tan <yuantan098@gmail.com>,
Simon Horman <horms@kernel.org>,
linux-afs@lists.infradead.org, stable@kernel.org,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 6.1 54/55] rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING)
Date: Mon, 13 Apr 2026 18:01:28 +0200 [thread overview]
Message-ID: <20260413155726.848189961@linuxfoundation.org> (raw)
In-Reply-To: <20260413155724.820472494@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
commit 2afd86ccbb2082a3c4258aea8c07e5bb6267bc2f upstream.
An AF_RXRPC socket can be both client and server at the same time. When
sending new calls (ie. it's acting as a client), it uses rx->key to set the
security, and when accepting incoming calls (ie. it's acting as a server),
it uses rx->securities.
setsockopt(RXRPC_SECURITY_KEY) sets rx->key to point to an rxrpc-type key
and setsockopt(RXRPC_SECURITY_KEYRING) sets rx->securities to point to a
keyring of rxrpc_s-type keys.
Now, it should be possible to use both rx->key and rx->securities on the
same socket - but for userspace AF_RXRPC sockets rxrpc_setsockopt()
prevents that.
Fix this by:
(1) Remove the incorrect check rxrpc_setsockopt(RXRPC_SECURITY_KEYRING)
makes on rx->key.
(2) Move the check that rxrpc_setsockopt(RXRPC_SECURITY_KEY) makes on
rx->key down into rxrpc_request_key().
(3) Remove rxrpc_request_key()'s check on rx->securities.
This (in combination with a previous patch) pushes the checks down into the
functions that set those pointers and removes the cross-checks that prevent
both key and keyring being set.
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Anderson Nascimento <anderson@allelesecurity.com>
cc: Luxiao Xu <rakukuip@gmail.com>
cc: Yuan Tan <yuantan098@gmail.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-16-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rxrpc/af_rxrpc.c | 6 ------
net/rxrpc/key.c | 2 +-
2 files changed, 1 insertion(+), 7 deletions(-)
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -615,9 +615,6 @@ static int rxrpc_setsockopt(struct socke
goto success;
case RXRPC_SECURITY_KEY:
- ret = -EINVAL;
- if (rx->key)
- goto error;
ret = -EISCONN;
if (rx->sk.sk_state != RXRPC_UNBOUND)
goto error;
@@ -625,9 +622,6 @@ static int rxrpc_setsockopt(struct socke
goto error;
case RXRPC_SECURITY_KEYRING:
- ret = -EINVAL;
- if (rx->key)
- goto error;
ret = -EISCONN;
if (rx->sk.sk_state != RXRPC_UNBOUND)
goto error;
--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -452,7 +452,7 @@ int rxrpc_request_key(struct rxrpc_sock
_enter("");
- if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->securities)
+ if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->key)
return -EINVAL;
description = memdup_sockptr_nul(optval, optlen);
next prev parent reply other threads:[~2026-04-13 16:18 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 16:00 [PATCH 6.1 00/55] 6.1.169-rc1 review Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 01/55] lib/crypto: chacha: Zeroize permuted_state before it leaves scope Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 02/55] wifi: rt2x00usb: fix devres lifetime Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 03/55] xfrm_user: fix info leak in build_report() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 04/55] mptcp: fix slab-use-after-free in __inet_lookup_established Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 05/55] Input: uinput - fix circular locking dependency with ff-core Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 06/55] Input: uinput - take event lock when submitting FF request "event" Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 07/55] MIPS: Always record SEGBITS in cpu_data.vmbits Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 08/55] MIPS: mm: Suppress TLB uniquification on EHINV hardware Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 09/55] MIPS: mm: Rewrite TLB uniquification for the hidden bit feature Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 10/55] media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 11/55] media: uvcvideo: Use heuristic to find stream entity Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 12/55] apparmor: validate DFA start states are in bounds in unpack_pdb Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 13/55] apparmor: fix memory leak in verify_header Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 14/55] apparmor: replace recursive profile removal with iterative approach Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 15/55] apparmor: fix: limit the number of levels of policy namespaces Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 16/55] apparmor: fix side-effect bug in match_char() macro usage Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 17/55] apparmor: fix missing bounds check on DEFAULT table in verify_dfa() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 18/55] apparmor: Fix double free of ns_name in aa_replace_profiles() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 19/55] apparmor: fix unprivileged local user can do privileged policy management Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 20/55] apparmor: fix differential encoding verification Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 21/55] apparmor: fix race on rawdata dereference Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 22/55] apparmor: fix race between freeing data and fs accessing it Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 23/55] usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 24/55] Revert "ACPI: EC: Evaluate orphan _REG under EC device" Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 25/55] ACPICA: Add a depth argument to acpi_execute_reg_methods() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 26/55] ACPI: EC: Evaluate _REG outside the EC scope more carefully Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 27/55] usb: gadget: f_hid: move list and spinlock inits from bind to alloc Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 28/55] rfkill: Use sysfs_emit() to instead of sprintf() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 29/55] rfkill: sync before userspace visibility/changes Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 30/55] net: rfkill: reduce data->mtx scope in rfkill_fop_open Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 31/55] net: rfkill: prevent unlimited numbers of rfkill events from being created Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 32/55] seg6: separate dst_cache for input and output paths in seg6 lwtunnel Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 33/55] Revert "mptcp: add needs_id for netlink appending addr" Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 34/55] drm/scheduler: signal scheduled fence when kill job Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 35/55] netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 36/55] netfilter: nft_ct: fix use-after-free in timeout object destroy Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 37/55] xfrm: clear trailing padding in build_polexpire() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 38/55] tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 39/55] wifi: brcmsmac: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 40/55] arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 41/55] arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 42/55] nfc: pn533: allocate rx skb before consuming bytes Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 43/55] batman-adv: reject oversized global TT response buffers Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 44/55] EDAC/mc: Fix error path ordering in edac_mc_alloc() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 45/55] net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 46/55] net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 47/55] batman-adv: hold claim backbone gateways by reference Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 48/55] drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 49/55] net/mlx5: Update the list of the PCI supported devices Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 50/55] mmc: vub300: fix NULL-deref on disconnect Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 51/55] net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 52/55] net: stmmac: fix integer underflow in chain mode Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 53/55] rxrpc: fix reference count leak in rxrpc_server_keyring() Greg Kroah-Hartman
2026-04-13 16:01 ` Greg Kroah-Hartman [this message]
2026-04-13 16:01 ` [PATCH 6.1 55/55] Revert "PCI: Enable ACS after configuring IOMMU for OF platforms" Greg Kroah-Hartman
2026-04-13 17:38 ` [PATCH 6.1 00/55] 6.1.169-rc1 review Brett A C Sheffield
2026-04-13 18:51 ` Florian Fainelli
2026-04-14 7:53 ` Jon Hunter
2026-04-14 8:13 ` Pavel Machek
2026-04-14 8:20 ` Pavel Machek
2026-04-14 9:06 ` Peter Schneider
2026-04-14 11:49 ` Ron Economos
2026-04-14 12:30 ` Francesco Dolcini
2026-04-14 17:44 ` Shuah Khan
2026-04-14 17:44 ` Miguel Ojeda
2026-04-14 18:18 ` Mark Brown
2026-04-16 22:09 ` Barry K. Nathan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260413155726.848189961@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=anderson@allelesecurity.com \
--cc=dhowells@redhat.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=marc.dionne@auristor.com \
--cc=patches@lists.linux.dev \
--cc=rakukuip@gmail.com \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=yuantan098@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox