From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org
Cc: Luxiao Xu <rakukuip@gmail.com>, Yifan Wu <yifanwucs@gmail.com>,
Juefei Pu <tomapufckgml@gmail.com>,
Yuan Tan <yuantan098@gmail.com>, Xin Liu <bird@lzu.edu.cn>,
Ren Wei <enjou1224z@gmail.com>, Ren Wei <n05ec@lzu.edu.cn>,
David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
Simon Horman <horms@kernel.org>,
linux-afs@lists.infradead.org, stable@kernel.org,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10.y] rxrpc: fix reference count leak in rxrpc_server_keyring()
Date: Mon, 13 Apr 2026 21:19:03 -0400 [thread overview]
Message-ID: <20260414011903.3831717-1-sashal@kernel.org> (raw)
In-Reply-To: <2026041355-flap-narrow-9fea@gregkh>
From: Luxiao Xu <rakukuip@gmail.com>
[ Upstream commit f125846ee79fcae537a964ce66494e96fa54a6de ]
This patch fixes a reference count leak in rxrpc_server_keyring()
by checking if rx->securities is already set.
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-15-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ applied patch to net/rxrpc/key.c instead of net/rxrpc/server_key.c ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rxrpc/key.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
index 979338a64c0ca..0144155d02e05 100644
--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -933,6 +933,9 @@ int rxrpc_server_keyring(struct rxrpc_sock *rx, sockptr_t optval, int optlen)
_enter("");
+ if (rx->securities)
+ return -EINVAL;
+
if (optlen <= 0 || optlen > PAGE_SIZE - 1)
return -EINVAL;
--
2.53.0
prev parent reply other threads:[~2026-04-14 1:19 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 12:34 FAILED: patch "[PATCH] rxrpc: fix reference count leak in rxrpc_server_keyring()" failed to apply to 5.10-stable tree gregkh
2026-04-14 1:19 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260414011903.3831717-1-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=bird@lzu.edu.cn \
--cc=dhowells@redhat.com \
--cc=enjou1224z@gmail.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=marc.dionne@auristor.com \
--cc=n05ec@lzu.edu.cn \
--cc=rakukuip@gmail.com \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tomapufckgml@gmail.com \
--cc=yifanwucs@gmail.com \
--cc=yuantan098@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox