From: Greg Kroah-Hartman Date: Mon, 13 Apr 2026 12:41:40 +0000 (+0200) Subject: 5.10-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=050a2f96cccf8183be003d08ba6dcf26b54a6f34;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch --- diff --git a/queue-5.10/rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch b/queue-5.10/rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch new file mode 100644 index 0000000000..91697986bd --- /dev/null +++ b/queue-5.10/rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch @@ -0,0 +1,87 @@ +From 2afd86ccbb2082a3c4258aea8c07e5bb6267bc2f Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 8 Apr 2026 13:12:43 +0100 +Subject: rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING) + +From: David Howells + +commit 2afd86ccbb2082a3c4258aea8c07e5bb6267bc2f upstream. + +An AF_RXRPC socket can be both client and server at the same time. When +sending new calls (ie. it's acting as a client), it uses rx->key to set the +security, and when accepting incoming calls (ie. it's acting as a server), +it uses rx->securities. + +setsockopt(RXRPC_SECURITY_KEY) sets rx->key to point to an rxrpc-type key +and setsockopt(RXRPC_SECURITY_KEYRING) sets rx->securities to point to a +keyring of rxrpc_s-type keys. + +Now, it should be possible to use both rx->key and rx->securities on the +same socket - but for userspace AF_RXRPC sockets rxrpc_setsockopt() +prevents that. + +Fix this by: + + (1) Remove the incorrect check rxrpc_setsockopt(RXRPC_SECURITY_KEYRING) + makes on rx->key. + + (2) Move the check that rxrpc_setsockopt(RXRPC_SECURITY_KEY) makes on + rx->key down into rxrpc_request_key(). + + (3) Remove rxrpc_request_key()'s check on rx->securities. + +This (in combination with a previous patch) pushes the checks down into the +functions that set those pointers and removes the cross-checks that prevent +both key and keyring being set. + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Anderson Nascimento +cc: Luxiao Xu +cc: Yuan Tan +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-16-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/af_rxrpc.c | 6 ------ + net/rxrpc/key.c | 2 +- + 2 files changed, 1 insertion(+), 7 deletions(-) + +--- a/net/rxrpc/af_rxrpc.c ++++ b/net/rxrpc/af_rxrpc.c +@@ -614,9 +614,6 @@ static int rxrpc_setsockopt(struct socke + goto success; + + case RXRPC_SECURITY_KEY: +- ret = -EINVAL; +- if (rx->key) +- goto error; + ret = -EISCONN; + if (rx->sk.sk_state != RXRPC_UNBOUND) + goto error; +@@ -624,9 +621,6 @@ static int rxrpc_setsockopt(struct socke + goto error; + + case RXRPC_SECURITY_KEYRING: +- ret = -EINVAL; +- if (rx->key) +- goto error; + ret = -EISCONN; + if (rx->sk.sk_state != RXRPC_UNBOUND) + goto error; +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -903,7 +903,7 @@ int rxrpc_request_key(struct rxrpc_sock + + _enter(""); + +- if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->securities) ++ if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->key) + return -EINVAL; + + description = memdup_sockptr_nul(optval, optlen); diff --git a/queue-5.10/series b/queue-5.10/series index 7df6fcd43e..fd04ad3d82 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -453,3 +453,4 @@ net-altera-tse-fix-skb-leak-on-dma-mapping-error-in-tse_start_xmit.patch mmc-vub300-fix-null-deref-on-disconnect.patch net-qualcomm-qca_uart-report-the-consumed-byte-on-rx-skb-allocation-failure.patch net-stmmac-fix-integer-underflow-in-chain-mode.patch +rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch