--- /dev/null
+From 2afd86ccbb2082a3c4258aea8c07e5bb6267bc2f Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Apr 2026 13:12:43 +0100
+Subject: rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING)
+
+From: David Howells <dhowells@redhat.com>
+
+commit 2afd86ccbb2082a3c4258aea8c07e5bb6267bc2f upstream.
+
+An AF_RXRPC socket can be both client and server at the same time. When
+sending new calls (ie. it's acting as a client), it uses rx->key to set the
+security, and when accepting incoming calls (ie. it's acting as a server),
+it uses rx->securities.
+
+setsockopt(RXRPC_SECURITY_KEY) sets rx->key to point to an rxrpc-type key
+and setsockopt(RXRPC_SECURITY_KEYRING) sets rx->securities to point to a
+keyring of rxrpc_s-type keys.
+
+Now, it should be possible to use both rx->key and rx->securities on the
+same socket - but for userspace AF_RXRPC sockets rxrpc_setsockopt()
+prevents that.
+
+Fix this by:
+
+ (1) Remove the incorrect check rxrpc_setsockopt(RXRPC_SECURITY_KEYRING)
+ makes on rx->key.
+
+ (2) Move the check that rxrpc_setsockopt(RXRPC_SECURITY_KEY) makes on
+ rx->key down into rxrpc_request_key().
+
+ (3) Remove rxrpc_request_key()'s check on rx->securities.
+
+This (in combination with a previous patch) pushes the checks down into the
+functions that set those pointers and removes the cross-checks that prevent
+both key and keyring being set.
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Anderson Nascimento <anderson@allelesecurity.com>
+cc: Luxiao Xu <rakukuip@gmail.com>
+cc: Yuan Tan <yuantan098@gmail.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260408121252.2249051-16-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/af_rxrpc.c | 6 ------
+ net/rxrpc/key.c | 2 +-
+ 2 files changed, 1 insertion(+), 7 deletions(-)
+
+--- a/net/rxrpc/af_rxrpc.c
++++ b/net/rxrpc/af_rxrpc.c
+@@ -615,9 +615,6 @@ static int rxrpc_setsockopt(struct socke
+ goto success;
+
+ case RXRPC_SECURITY_KEY:
+- ret = -EINVAL;
+- if (rx->key)
+- goto error;
+ ret = -EISCONN;
+ if (rx->sk.sk_state != RXRPC_UNBOUND)
+ goto error;
+@@ -625,9 +622,6 @@ static int rxrpc_setsockopt(struct socke
+ goto error;
+
+ case RXRPC_SECURITY_KEYRING:
+- ret = -EINVAL;
+- if (rx->key)
+- goto error;
+ ret = -EISCONN;
+ if (rx->sk.sk_state != RXRPC_UNBOUND)
+ goto error;
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -452,7 +452,7 @@ int rxrpc_request_key(struct rxrpc_sock
+
+ _enter("");
+
+- if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->securities)
++ if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->key)
+ return -EINVAL;
+
+ description = memdup_sockptr_nul(optval, optlen);
--- /dev/null
+From f125846ee79fcae537a964ce66494e96fa54a6de Mon Sep 17 00:00:00 2001
+From: Luxiao Xu <rakukuip@gmail.com>
+Date: Wed, 8 Apr 2026 13:12:42 +0100
+Subject: rxrpc: fix reference count leak in rxrpc_server_keyring()
+
+From: Luxiao Xu <rakukuip@gmail.com>
+
+commit f125846ee79fcae537a964ce66494e96fa54a6de upstream.
+
+This patch fixes a reference count leak in rxrpc_server_keyring()
+by checking if rx->securities is already set.
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260408121252.2249051-15-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/server_key.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/rxrpc/server_key.c
++++ b/net/rxrpc/server_key.c
+@@ -125,6 +125,9 @@ int rxrpc_server_keyring(struct rxrpc_so
+
+ _enter("");
+
++ if (rx->securities)
++ return -EINVAL;
++
+ if (optlen <= 0 || optlen > PAGE_SIZE - 1)
+ return -EINVAL;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
