From: Greg Kroah-Hartman Date: Mon, 13 Apr 2026 12:39:04 +0000 (+0200) Subject: 6.18-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d57f5741c72ff1e4b1621e55dd93a9a33debc2f2;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: rxrpc-fix-anonymous-key-handling.patch rxrpc-fix-buffer-overread-in-rxgk_do_verify_authenticator.patch rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch rxrpc-fix-integer-overflow-in-rxgk_verify_response.patch rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch rxrpc-fix-key-parsing-memleak.patch rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch rxrpc-fix-key-reference-count-leak-from-call-key.patch rxrpc-fix-leak-of-rxgk-context-in-rxgk_verify_response.patch rxrpc-fix-missing-error-checks-for-rxkad-encryption-decryption-failure.patch rxrpc-fix-oversized-response-authenticator-length-check.patch rxrpc-fix-rack-timer-warning-to-report-unexpected-mode.patch rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch rxrpc-fix-response-authenticator-parser-oob-read.patch rxrpc-fix-rxgk-token-loading-to-check-bounds.patch rxrpc-fix-to-request-an-ack-if-window-is-limited.patch rxrpc-fix-use-of-wrong-skb-when-comparing-queued-resp-challenge-serial.patch rxrpc-only-handle-response-during-service-challenge.patch rxrpc-only-put-the-call-ref-if-one-was-acquired.patch rxrpc-proc-size-address-buffers-for-pispc-output.patch rxrpc-reject-undecryptable-rxkad-response-tickets.patch --- diff --git a/queue-6.18/rxrpc-fix-anonymous-key-handling.patch b/queue-6.18/rxrpc-fix-anonymous-key-handling.patch new file mode 100644 index 0000000000..56a3f62328 --- /dev/null +++ b/queue-6.18/rxrpc-fix-anonymous-key-handling.patch @@ -0,0 +1,50 @@ +From 6a59d84b4fc2f27f7b40e348506cc686712e260b Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 8 Apr 2026 13:12:31 +0100 +Subject: rxrpc: Fix anonymous key handling + +From: David Howells + +commit 6a59d84b4fc2f27f7b40e348506cc686712e260b upstream. + +In rxrpc_new_client_call_for_sendmsg(), a key with no payload is meant to +be substituted for a NULL key pointer, but the variable this is done with +is subsequently not used. + +Fix this by using "key" rather than "rx->key" when filling in the +connection parameters. + +Note that this only affects direct use of AF_RXRPC; the kAFS filesystem +doesn't use sendmsg() directly and so bypasses the issue. Further, +AF_RXRPC passes a NULL key in if no key is set, so using an anonymous key +in that manner works. Since this hasn't been noticed to this point, it +might be better just to remove the "key" variable and the code that sets it +- and, arguably, rxrpc_init_client_call_security() would be a better place +to handle it. + +Fixes: 19ffa01c9c45 ("rxrpc: Use structs to hold connection params and protocol info") +Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-4-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/sendmsg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/rxrpc/sendmsg.c ++++ b/net/rxrpc/sendmsg.c +@@ -637,7 +637,7 @@ rxrpc_new_client_call_for_sendmsg(struct + memset(&cp, 0, sizeof(cp)); + cp.local = rx->local; + cp.peer = peer; +- cp.key = rx->key; ++ cp.key = key; + cp.security_level = rx->min_sec_level; + cp.exclusive = rx->exclusive | p->exclusive; + cp.upgrade = p->upgrade; diff --git a/queue-6.18/rxrpc-fix-buffer-overread-in-rxgk_do_verify_authenticator.patch b/queue-6.18/rxrpc-fix-buffer-overread-in-rxgk_do_verify_authenticator.patch new file mode 100644 index 0000000000..7a4eb06bb4 --- /dev/null +++ b/queue-6.18/rxrpc-fix-buffer-overread-in-rxgk_do_verify_authenticator.patch @@ -0,0 +1,48 @@ +From f564af387c8c28238f8ebc13314c589d7ba8475d Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 8 Apr 2026 13:12:47 +0100 +Subject: rxrpc: Fix buffer overread in rxgk_do_verify_authenticator() + +From: David Howells + +commit f564af387c8c28238f8ebc13314c589d7ba8475d upstream. + +Fix rxgk_do_verify_authenticator() to check the buffer size before checking +the nonce. + +Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)") +Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-20-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/rxgk.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/rxrpc/rxgk.c ++++ b/net/rxrpc/rxgk.c +@@ -1085,6 +1085,9 @@ static int rxgk_do_verify_authenticator( + + _enter(""); + ++ if ((end - p) * sizeof(__be32) < 24) ++ return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, ++ rxgk_abort_resp_short_auth); + if (memcmp(p, conn->rxgk.nonce, 20) != 0) + return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, + rxgk_abort_resp_bad_nonce); +@@ -1098,7 +1101,7 @@ static int rxgk_do_verify_authenticator( + p += xdr_round_up(app_len) / sizeof(__be32); + if (end - p < 4) + return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, +- rxgk_abort_resp_short_applen); ++ rxgk_abort_resp_short_auth); + + level = ntohl(*p++); + epoch = ntohl(*p++); diff --git a/queue-6.18/rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch b/queue-6.18/rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch new file mode 100644 index 0000000000..0bb0591c70 --- /dev/null +++ b/queue-6.18/rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch @@ -0,0 +1,101 @@ +From 146d4ab94cf129ee06cd467cb5c71368a6b5bad6 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 8 Apr 2026 13:12:32 +0100 +Subject: rxrpc: Fix call removal to use RCU safe deletion + +From: David Howells + +commit 146d4ab94cf129ee06cd467cb5c71368a6b5bad6 upstream. + +Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu() +rather than list_del_init() to prevent stuffing up reading +/proc/net/rxrpc/calls from potentially getting into an infinite loop. + +This, however, means that list_empty() no longer works on an entry that's +been deleted from the list, making it harder to detect prior deletion. Fix +this by: + +Firstly, make rxrpc_destroy_all_calls() only dump the first ten calls that +are unexpectedly still on the list. Limiting the number of steps means +there's no need to call cond_resched() or to remove calls from the list +here, thereby eliminating the need for rxrpc_put_call() to check for that. + +rxrpc_put_call() can then be fixed to unconditionally delete the call from +the list as it is the only place that the deletion occurs. + +Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing") +Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Linus Torvalds +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-5-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/rxrpc.h | 2 +- + net/rxrpc/call_object.c | 24 +++++++++--------------- + 2 files changed, 10 insertions(+), 16 deletions(-) + +--- a/include/trace/events/rxrpc.h ++++ b/include/trace/events/rxrpc.h +@@ -347,7 +347,7 @@ + EM(rxrpc_call_see_release, "SEE release ") \ + EM(rxrpc_call_see_userid_exists, "SEE u-exists") \ + EM(rxrpc_call_see_waiting_call, "SEE q-conn ") \ +- E_(rxrpc_call_see_zap, "SEE zap ") ++ E_(rxrpc_call_see_still_live, "SEE !still-l") + + #define rxrpc_txqueue_traces \ + EM(rxrpc_txqueue_await_reply, "AWR") \ +--- a/net/rxrpc/call_object.c ++++ b/net/rxrpc/call_object.c +@@ -654,11 +654,9 @@ void rxrpc_put_call(struct rxrpc_call *c + if (dead) { + ASSERTCMP(__rxrpc_call_state(call), ==, RXRPC_CALL_COMPLETE); + +- if (!list_empty(&call->link)) { +- spin_lock(&rxnet->call_lock); +- list_del_init(&call->link); +- spin_unlock(&rxnet->call_lock); +- } ++ spin_lock(&rxnet->call_lock); ++ list_del_rcu(&call->link); ++ spin_unlock(&rxnet->call_lock); + + rxrpc_cleanup_call(call); + } +@@ -730,24 +728,20 @@ void rxrpc_destroy_all_calls(struct rxrp + _enter(""); + + if (!list_empty(&rxnet->calls)) { +- spin_lock(&rxnet->call_lock); ++ int shown = 0; + +- while (!list_empty(&rxnet->calls)) { +- call = list_entry(rxnet->calls.next, +- struct rxrpc_call, link); +- _debug("Zapping call %p", call); ++ spin_lock(&rxnet->call_lock); + +- rxrpc_see_call(call, rxrpc_call_see_zap); +- list_del_init(&call->link); ++ list_for_each_entry(call, &rxnet->calls, link) { ++ rxrpc_see_call(call, rxrpc_call_see_still_live); + + pr_err("Call %p still in use (%d,%s,%lx,%lx)!\n", + call, refcount_read(&call->ref), + rxrpc_call_states[__rxrpc_call_state(call)], + call->flags, call->events); + +- spin_unlock(&rxnet->call_lock); +- cond_resched(); +- spin_lock(&rxnet->call_lock); ++ if (++shown >= 10) ++ break; + } + + spin_unlock(&rxnet->call_lock); diff --git a/queue-6.18/rxrpc-fix-integer-overflow-in-rxgk_verify_response.patch b/queue-6.18/rxrpc-fix-integer-overflow-in-rxgk_verify_response.patch new file mode 100644 index 0000000000..11d7448678 --- /dev/null +++ b/queue-6.18/rxrpc-fix-integer-overflow-in-rxgk_verify_response.patch @@ -0,0 +1,43 @@ +From 699e52180f4231c257821c037ed5c99d5eb0edb8 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 8 Apr 2026 13:12:45 +0100 +Subject: rxrpc: Fix integer overflow in rxgk_verify_response() + +From: David Howells + +commit 699e52180f4231c257821c037ed5c99d5eb0edb8 upstream. + +In rxgk_verify_response(), there's a potential integer overflow due to +rounding up token_len before checking it, thereby allowing the length check to +be bypassed. + +Fix this by checking the unrounded value against len too (len is limited as +the response must fit in a single UDP packet). + +Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)") +Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-18-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/rxgk.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/rxrpc/rxgk.c ++++ b/net/rxrpc/rxgk.c +@@ -1209,7 +1209,8 @@ static int rxgk_verify_response(struct r + + token_offset = offset; + token_len = ntohl(rhdr.token_len); +- if (xdr_round_up(token_len) + sizeof(__be32) > len) ++ if (token_len > len || ++ xdr_round_up(token_len) + sizeof(__be32) > len) + goto short_packet; + + trace_rxrpc_rx_response(conn, sp->hdr.serial, 0, sp->hdr.cksum, token_len); diff --git a/queue-6.18/rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch b/queue-6.18/rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch new file mode 100644 index 0000000000..22531165a7 --- /dev/null +++ b/queue-6.18/rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch @@ -0,0 +1,87 @@ +From 2afd86ccbb2082a3c4258aea8c07e5bb6267bc2f Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 8 Apr 2026 13:12:43 +0100 +Subject: rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING) + +From: David Howells + +commit 2afd86ccbb2082a3c4258aea8c07e5bb6267bc2f upstream. + +An AF_RXRPC socket can be both client and server at the same time. When +sending new calls (ie. it's acting as a client), it uses rx->key to set the +security, and when accepting incoming calls (ie. it's acting as a server), +it uses rx->securities. + +setsockopt(RXRPC_SECURITY_KEY) sets rx->key to point to an rxrpc-type key +and setsockopt(RXRPC_SECURITY_KEYRING) sets rx->securities to point to a +keyring of rxrpc_s-type keys. + +Now, it should be possible to use both rx->key and rx->securities on the +same socket - but for userspace AF_RXRPC sockets rxrpc_setsockopt() +prevents that. + +Fix this by: + + (1) Remove the incorrect check rxrpc_setsockopt(RXRPC_SECURITY_KEYRING) + makes on rx->key. + + (2) Move the check that rxrpc_setsockopt(RXRPC_SECURITY_KEY) makes on + rx->key down into rxrpc_request_key(). + + (3) Remove rxrpc_request_key()'s check on rx->securities. + +This (in combination with a previous patch) pushes the checks down into the +functions that set those pointers and removes the cross-checks that prevent +both key and keyring being set. + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Anderson Nascimento +cc: Luxiao Xu +cc: Yuan Tan +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-16-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/af_rxrpc.c | 6 ------ + net/rxrpc/key.c | 2 +- + 2 files changed, 1 insertion(+), 7 deletions(-) + +--- a/net/rxrpc/af_rxrpc.c ++++ b/net/rxrpc/af_rxrpc.c +@@ -654,9 +654,6 @@ static int rxrpc_setsockopt(struct socke + goto success; + + case RXRPC_SECURITY_KEY: +- ret = -EINVAL; +- if (rx->key) +- goto error; + ret = -EISCONN; + if (rx->sk.sk_state != RXRPC_UNBOUND) + goto error; +@@ -664,9 +661,6 @@ static int rxrpc_setsockopt(struct socke + goto error; + + case RXRPC_SECURITY_KEYRING: +- ret = -EINVAL; +- if (rx->key) +- goto error; + ret = -EISCONN; + if (rx->sk.sk_state != RXRPC_UNBOUND) + goto error; +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -622,7 +622,7 @@ int rxrpc_request_key(struct rxrpc_sock + + _enter(""); + +- if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->securities) ++ if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->key) + return -EINVAL; + + description = memdup_sockptr_nul(optval, optlen); diff --git a/queue-6.18/rxrpc-fix-key-parsing-memleak.patch b/queue-6.18/rxrpc-fix-key-parsing-memleak.patch new file mode 100644 index 0000000000..ce908f2273 --- /dev/null +++ b/queue-6.18/rxrpc-fix-key-parsing-memleak.patch @@ -0,0 +1,39 @@ +From b555912b9b21075e8298015f888ffe3ff60b1a97 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 8 Apr 2026 13:12:30 +0100 +Subject: rxrpc: Fix key parsing memleak + +From: David Howells + +commit b555912b9b21075e8298015f888ffe3ff60b1a97 upstream. + +In rxrpc_preparse_xdr_yfs_rxgk(), the memory attached to token->rxgk can be +leaked in a few error paths after it's allocated. + +Fix this by freeing it in the "reject_token:" case. + +Fixes: 0ca100ff4df6 ("rxrpc: Add YFS RxGK (GSSAPI) security class") +Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-3-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/key.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -274,6 +274,7 @@ nomem_token: + nomem: + return -ENOMEM; + reject_token: ++ kfree(token->rxgk); + kfree(token); + reject: + return -EKEYREJECTED; diff --git a/queue-6.18/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch b/queue-6.18/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch new file mode 100644 index 0000000000..b356d4d3a7 --- /dev/null +++ b/queue-6.18/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch @@ -0,0 +1,67 @@ +From bdbfead6d38979475df0c2f4bad2b19394fe9bdc Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 8 Apr 2026 13:12:29 +0100 +Subject: rxrpc: Fix key quota calculation for multitoken keys + +From: David Howells + +commit bdbfead6d38979475df0c2f4bad2b19394fe9bdc upstream. + +In the rxrpc key preparsing, every token extracted sets the proposed quota +value, but for multitoken keys, this will overwrite the previous proposed +quota, losing it. + +Fix this by adding to the proposed quota instead. + +Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing") +Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-2-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/key.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -72,7 +72,7 @@ static int rxrpc_preparse_xdr_rxkad(stru + return -EKEYREJECTED; + + plen = sizeof(*token) + sizeof(*token->kad) + tktlen; +- prep->quotalen = datalen + plen; ++ prep->quotalen += datalen + plen; + + plen -= sizeof(*token); + token = kzalloc(sizeof(*token), GFP_KERNEL); +@@ -199,7 +199,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(s + } + + plen = sizeof(*token) + sizeof(*token->rxgk) + tktlen + keylen; +- prep->quotalen = datalen + plen; ++ prep->quotalen += datalen + plen; + + plen -= sizeof(*token); + token = kzalloc(sizeof(*token), GFP_KERNEL); +@@ -460,6 +460,7 @@ static int rxrpc_preparse(struct key_pre + memcpy(&kver, prep->data, sizeof(kver)); + prep->data += sizeof(kver); + prep->datalen -= sizeof(kver); ++ prep->quotalen = 0; + + _debug("KEY I/F VERSION: %u", kver); + +@@ -497,7 +498,7 @@ static int rxrpc_preparse(struct key_pre + goto error; + + plen = sizeof(*token->kad) + v1->ticket_length; +- prep->quotalen = plen + sizeof(*token); ++ prep->quotalen += plen + sizeof(*token); + + ret = -ENOMEM; + token = kzalloc(sizeof(*token), GFP_KERNEL); diff --git a/queue-6.18/rxrpc-fix-key-reference-count-leak-from-call-key.patch b/queue-6.18/rxrpc-fix-key-reference-count-leak-from-call-key.patch new file mode 100644 index 0000000000..52436e06dd --- /dev/null +++ b/queue-6.18/rxrpc-fix-key-reference-count-leak-from-call-key.patch @@ -0,0 +1,52 @@ +From d666540d217e8d420544ebdfbadeedd623562733 Mon Sep 17 00:00:00 2001 +From: Anderson Nascimento +Date: Wed, 8 Apr 2026 13:12:36 +0100 +Subject: rxrpc: Fix key reference count leak from call->key + +From: Anderson Nascimento + +commit d666540d217e8d420544ebdfbadeedd623562733 upstream. + +When creating a client call in rxrpc_alloc_client_call(), the code obtains +a reference to the key. This is never cleaned up and gets leaked when the +call is destroyed. + +Fix this by freeing call->key in rxrpc_destroy_call(). + +Before the patch, it shows the key reference counter elevated: + +$ cat /proc/keys | grep afs@54321 +1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka +$ + +After the patch, the invalidated key is removed when the code exits: + +$ cat /proc/keys | grep afs@54321 +$ + +Fixes: f3441d4125fc ("rxrpc: Copy client call parameters into rxrpc_call earlier") +Signed-off-by: Anderson Nascimento +Co-developed-by: David Howells +Signed-off-by: David Howells +Reviewed-by: Jeffrey Altman +cc: Marc Dionne +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-9-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/call_object.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/rxrpc/call_object.c ++++ b/net/rxrpc/call_object.c +@@ -692,6 +692,7 @@ static void rxrpc_destroy_call(struct wo + rxrpc_put_bundle(call->bundle, rxrpc_bundle_put_call); + rxrpc_put_peer(call->peer, rxrpc_peer_put_call); + rxrpc_put_local(call->local, rxrpc_local_put_call); ++ key_put(call->key); + call_rcu(&call->rcu, rxrpc_rcu_free_call); + } + diff --git a/queue-6.18/rxrpc-fix-leak-of-rxgk-context-in-rxgk_verify_response.patch b/queue-6.18/rxrpc-fix-leak-of-rxgk-context-in-rxgk_verify_response.patch new file mode 100644 index 0000000000..2cbf397db3 --- /dev/null +++ b/queue-6.18/rxrpc-fix-leak-of-rxgk-context-in-rxgk_verify_response.patch @@ -0,0 +1,49 @@ +From 7e1876caa8363056f58a21d3b31b82c2daf7e608 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 8 Apr 2026 13:12:46 +0100 +Subject: rxrpc: Fix leak of rxgk context in rxgk_verify_response() + +From: David Howells + +commit 7e1876caa8363056f58a21d3b31b82c2daf7e608 upstream. + +Fix rxgk_verify_response() to clean up the rxgk context it creates. + +Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)") +Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-19-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/rxgk.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/rxrpc/rxgk.c ++++ b/net/rxrpc/rxgk.c +@@ -1270,16 +1270,18 @@ static int rxgk_verify_response(struct r + if (ret < 0) { + rxrpc_abort_conn(conn, skb, RXGK_SEALEDINCON, ret, + rxgk_abort_resp_auth_dec); +- goto out; ++ goto out_gk; + } + + ret = rxgk_verify_authenticator(conn, krb5, skb, auth_offset, auth_len); + if (ret < 0) +- goto out; ++ goto out_gk; + + conn->key = key; + key = NULL; + ret = 0; ++out_gk: ++ rxgk_put(gk); + out: + key_put(key); + _leave(" = %d", ret); diff --git a/queue-6.18/rxrpc-fix-missing-error-checks-for-rxkad-encryption-decryption-failure.patch b/queue-6.18/rxrpc-fix-missing-error-checks-for-rxkad-encryption-decryption-failure.patch new file mode 100644 index 0000000000..61e4348eb5 --- /dev/null +++ b/queue-6.18/rxrpc-fix-missing-error-checks-for-rxkad-encryption-decryption-failure.patch @@ -0,0 +1,203 @@ +From f93af41b9f5f798823d0d0fb8765c2a936d76270 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 8 Apr 2026 13:12:44 +0100 +Subject: rxrpc: Fix missing error checks for rxkad encryption/decryption failure + +From: David Howells + +commit f93af41b9f5f798823d0d0fb8765c2a936d76270 upstream. + +Add error checking for failure of crypto_skcipher_en/decrypt() to various +rxkad function as the crypto functions can fail with ENOMEM at least. + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-17-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/rxkad.c | 57 ++++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 38 insertions(+), 19 deletions(-) + +--- a/net/rxrpc/rxkad.c ++++ b/net/rxrpc/rxkad.c +@@ -197,6 +197,7 @@ static int rxkad_prime_packet_security(s + struct rxrpc_crypt iv; + __be32 *tmpbuf; + size_t tmpsize = 4 * sizeof(__be32); ++ int ret; + + _enter(""); + +@@ -225,13 +226,13 @@ static int rxkad_prime_packet_security(s + skcipher_request_set_sync_tfm(req, ci); + skcipher_request_set_callback(req, 0, NULL, NULL); + skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x); +- crypto_skcipher_encrypt(req); ++ ret = crypto_skcipher_encrypt(req); + skcipher_request_free(req); + + memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv)); + kfree(tmpbuf); +- _leave(" = 0"); +- return 0; ++ _leave(" = %d", ret); ++ return ret; + } + + /* +@@ -264,6 +265,7 @@ static int rxkad_secure_packet_auth(cons + struct scatterlist sg; + size_t pad; + u16 check; ++ int ret; + + _enter(""); + +@@ -286,11 +288,11 @@ static int rxkad_secure_packet_auth(cons + skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); + skcipher_request_set_callback(req, 0, NULL, NULL); + skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); +- crypto_skcipher_encrypt(req); ++ ret = crypto_skcipher_encrypt(req); + skcipher_request_zero(req); + +- _leave(" = 0"); +- return 0; ++ _leave(" = %d", ret); ++ return ret; + } + + /* +@@ -345,7 +347,7 @@ static int rxkad_secure_packet(struct rx + union { + __be32 buf[2]; + } crypto __aligned(8); +- u32 x, y; ++ u32 x, y = 0; + int ret; + + _enter("{%d{%x}},{#%u},%u,", +@@ -376,8 +378,10 @@ static int rxkad_secure_packet(struct rx + skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); + skcipher_request_set_callback(req, 0, NULL, NULL); + skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); +- crypto_skcipher_encrypt(req); ++ ret = crypto_skcipher_encrypt(req); + skcipher_request_zero(req); ++ if (ret < 0) ++ goto out; + + y = ntohl(crypto.buf[1]); + y = (y >> 16) & 0xffff; +@@ -413,6 +417,7 @@ static int rxkad_secure_packet(struct rx + memset(p + txb->pkt_len, 0, gap); + } + ++out: + skcipher_request_free(req); + _leave(" = %d [set %x]", ret, y); + return ret; +@@ -453,8 +458,10 @@ static int rxkad_verify_packet_1(struct + skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); + skcipher_request_set_callback(req, 0, NULL, NULL); + skcipher_request_set_crypt(req, sg, sg, 8, iv.x); +- crypto_skcipher_decrypt(req); ++ ret = crypto_skcipher_decrypt(req); + skcipher_request_zero(req); ++ if (ret < 0) ++ return ret; + + /* Extract the decrypted packet length */ + if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0) +@@ -531,10 +538,14 @@ static int rxkad_verify_packet_2(struct + skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); + skcipher_request_set_callback(req, 0, NULL, NULL); + skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x); +- crypto_skcipher_decrypt(req); ++ ret = crypto_skcipher_decrypt(req); + skcipher_request_zero(req); + if (sg != _sg) + kfree(sg); ++ if (ret < 0) { ++ WARN_ON_ONCE(ret != -ENOMEM); ++ return ret; ++ } + + /* Extract the decrypted packet length */ + if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0) +@@ -602,8 +613,10 @@ static int rxkad_verify_packet(struct rx + skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); + skcipher_request_set_callback(req, 0, NULL, NULL); + skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); +- crypto_skcipher_encrypt(req); ++ ret = crypto_skcipher_encrypt(req); + skcipher_request_zero(req); ++ if (ret < 0) ++ goto out; + + y = ntohl(crypto.buf[1]); + cksum = (y >> 16) & 0xffff; +@@ -1077,21 +1090,23 @@ static int rxkad_decrypt_ticket(struct r + /* + * decrypt the response packet + */ +-static void rxkad_decrypt_response(struct rxrpc_connection *conn, +- struct rxkad_response *resp, +- const struct rxrpc_crypt *session_key) ++static int rxkad_decrypt_response(struct rxrpc_connection *conn, ++ struct rxkad_response *resp, ++ const struct rxrpc_crypt *session_key) + { + struct skcipher_request *req = rxkad_ci_req; + struct scatterlist sg[1]; + struct rxrpc_crypt iv; ++ int ret; + + _enter(",,%08x%08x", + ntohl(session_key->n[0]), ntohl(session_key->n[1])); + + mutex_lock(&rxkad_ci_mutex); +- if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x, +- sizeof(*session_key)) < 0) +- BUG(); ++ ret = crypto_sync_skcipher_setkey(rxkad_ci, session_key->x, ++ sizeof(*session_key)); ++ if (ret < 0) ++ goto unlock; + + memcpy(&iv, session_key, sizeof(iv)); + +@@ -1100,12 +1115,14 @@ static void rxkad_decrypt_response(struc + skcipher_request_set_sync_tfm(req, rxkad_ci); + skcipher_request_set_callback(req, 0, NULL, NULL); + skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); +- crypto_skcipher_decrypt(req); ++ ret = crypto_skcipher_decrypt(req); + skcipher_request_zero(req); + ++unlock: + mutex_unlock(&rxkad_ci_mutex); + + _leave(""); ++ return ret; + } + + /* +@@ -1198,7 +1215,9 @@ static int rxkad_verify_response(struct + + /* use the session key from inside the ticket to decrypt the + * response */ +- rxkad_decrypt_response(conn, response, &session_key); ++ ret = rxkad_decrypt_response(conn, response, &session_key); ++ if (ret < 0) ++ goto temporary_error_free_ticket; + + if (ntohl(response->encrypted.epoch) != conn->proto.epoch || + ntohl(response->encrypted.cid) != conn->proto.cid || diff --git a/queue-6.18/rxrpc-fix-oversized-response-authenticator-length-check.patch b/queue-6.18/rxrpc-fix-oversized-response-authenticator-length-check.patch new file mode 100644 index 0000000000..82edbdb672 --- /dev/null +++ b/queue-6.18/rxrpc-fix-oversized-response-authenticator-length-check.patch @@ -0,0 +1,61 @@ +From a2567217ade970ecc458144b6be469bc015b23e5 Mon Sep 17 00:00:00 2001 +From: Keenan Dong +Date: Wed, 8 Apr 2026 13:12:41 +0100 +Subject: rxrpc: fix oversized RESPONSE authenticator length check + +From: Keenan Dong + +commit a2567217ade970ecc458144b6be469bc015b23e5 upstream. + +rxgk_verify_response() decodes auth_len from the packet and is supposed +to verify that it fits in the remaining bytes. The existing check is +inverted, so oversized RESPONSE authenticators are accepted and passed +to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an +impossible length and hit BUG_ON(len). + +Decoded from the original latest-net reproduction logs with +scripts/decode_stacktrace.sh: + +RIP: __skb_to_sgvec() + [net/core/skbuff.c:5285 (discriminator 1)] +Call Trace: + skb_to_sgvec() [net/core/skbuff.c:5305] + rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81] + rxgk_verify_response() [net/rxrpc/rxgk.c:1268] + rxrpc_process_connection() + [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 + net/rxrpc/conn_event.c:386] + process_one_work() [kernel/workqueue.c:3281] + worker_thread() + [kernel/workqueue.c:3353 kernel/workqueue.c:3440] + kthread() [kernel/kthread.c:436] + ret_from_fork() [arch/x86/kernel/process.c:164] + +Reject authenticator lengths that exceed the remaining packet payload. + +Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)") +Signed-off-by: Keenan Dong +Signed-off-by: David Howells +cc: Marc Dionne +cc: Simon Horman +cc: Willy Tarreau +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-14-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/rxgk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/rxrpc/rxgk.c ++++ b/net/rxrpc/rxgk.c +@@ -1224,7 +1224,7 @@ static int rxgk_verify_response(struct r + + auth_offset = offset; + auth_len = ntohl(xauth_len); +- if (auth_len < len) ++ if (auth_len > len) + goto short_packet; + if (auth_len & 3) + goto inconsistent; diff --git a/queue-6.18/rxrpc-fix-rack-timer-warning-to-report-unexpected-mode.patch b/queue-6.18/rxrpc-fix-rack-timer-warning-to-report-unexpected-mode.patch new file mode 100644 index 0000000000..92e06c583a --- /dev/null +++ b/queue-6.18/rxrpc-fix-rack-timer-warning-to-report-unexpected-mode.patch @@ -0,0 +1,41 @@ +From 65b3ffe0972ed023acc3981a0f7e1ae5d0208bd3 Mon Sep 17 00:00:00 2001 +From: Alok Tiwari +Date: Wed, 8 Apr 2026 13:12:35 +0100 +Subject: rxrpc: Fix rack timer warning to report unexpected mode + +From: Alok Tiwari + +commit 65b3ffe0972ed023acc3981a0f7e1ae5d0208bd3 upstream. + +rxrpc_rack_timer_expired() clears call->rack_timer_mode to OFF before +the switch. The default case warning therefore always prints OFF and +doesn't identify the unexpected timer mode. + +Log the saved mode value instead so the warning reports the actual +unexpected rack timer mode. + +Fixes: 7c482665931b ("rxrpc: Implement RACK/TLP to deal with transmission stalls [RFC8985]") +Signed-off-by: Alok Tiwari +Signed-off-by: David Howells +Reviewed-by: Simon Horman +Reviewed-by: Jeffrey Altman +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-8-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/input_rack.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/rxrpc/input_rack.c ++++ b/net/rxrpc/input_rack.c +@@ -413,6 +413,6 @@ void rxrpc_rack_timer_expired(struct rxr + break; + //case RXRPC_CALL_RACKTIMER_ZEROWIN: + default: +- pr_warn("Unexpected rack timer %u", call->rack_timer_mode); ++ pr_warn("Unexpected rack timer %u", mode); + } + } diff --git a/queue-6.18/rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch b/queue-6.18/rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch new file mode 100644 index 0000000000..e08dd40c72 --- /dev/null +++ b/queue-6.18/rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch @@ -0,0 +1,45 @@ +From f125846ee79fcae537a964ce66494e96fa54a6de Mon Sep 17 00:00:00 2001 +From: Luxiao Xu +Date: Wed, 8 Apr 2026 13:12:42 +0100 +Subject: rxrpc: fix reference count leak in rxrpc_server_keyring() + +From: Luxiao Xu + +commit f125846ee79fcae537a964ce66494e96fa54a6de upstream. + +This patch fixes a reference count leak in rxrpc_server_keyring() +by checking if rx->securities is already set. + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Luxiao Xu +Signed-off-by: Ren Wei +Signed-off-by: David Howells +cc: Marc Dionne +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-15-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/server_key.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/rxrpc/server_key.c ++++ b/net/rxrpc/server_key.c +@@ -125,6 +125,9 @@ int rxrpc_server_keyring(struct rxrpc_so + + _enter(""); + ++ if (rx->securities) ++ return -EINVAL; ++ + if (optlen <= 0 || optlen > PAGE_SIZE - 1) + return -EINVAL; + diff --git a/queue-6.18/rxrpc-fix-response-authenticator-parser-oob-read.patch b/queue-6.18/rxrpc-fix-response-authenticator-parser-oob-read.patch new file mode 100644 index 0000000000..cac895bb6a --- /dev/null +++ b/queue-6.18/rxrpc-fix-response-authenticator-parser-oob-read.patch @@ -0,0 +1,73 @@ +From 3e3138007887504ee9206d0bfb5acb062c600025 Mon Sep 17 00:00:00 2001 +From: Keenan Dong +Date: Wed, 8 Apr 2026 13:12:40 +0100 +Subject: rxrpc: fix RESPONSE authenticator parser OOB read + +From: Keenan Dong + +commit 3e3138007887504ee9206d0bfb5acb062c600025 upstream. + +rxgk_verify_authenticator() copies auth_len bytes into a temporary +buffer and then passes p + auth_len as the parser limit to +rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the +parser end pointer by a factor of four and lets malformed RESPONSE +authenticators read past the kmalloc() buffer. + +Decoded from the original latest-net reproduction logs with +scripts/decode_stacktrace.sh: + +BUG: KASAN: slab-out-of-bounds in rxgk_verify_response() +Call Trace: + dump_stack_lvl() [lib/dump_stack.c:123] + print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482] + kasan_report() [mm/kasan/report.c:597] + rxgk_verify_response() + [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167 + net/rxrpc/rxgk.c:1274] + rxrpc_process_connection() + [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 + net/rxrpc/conn_event.c:386] + process_one_work() [kernel/workqueue.c:3281] + worker_thread() + [kernel/workqueue.c:3353 kernel/workqueue.c:3440] + kthread() [kernel/kthread.c:436] + ret_from_fork() [arch/x86/kernel/process.c:164] + +Allocated by task 54: + rxgk_verify_response() + [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155 + net/rxrpc/rxgk.c:1274] + rxrpc_process_connection() + [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 + net/rxrpc/conn_event.c:386] + +Convert the byte count to __be32 units before constructing the parser +limit. + +Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)") +Signed-off-by: Keenan Dong +Signed-off-by: David Howells +cc: Marc Dionne +cc: Simon Horman +cc: Willy Tarreau +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-13-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/rxgk.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/rxrpc/rxgk.c ++++ b/net/rxrpc/rxgk.c +@@ -1164,7 +1164,8 @@ static int rxgk_verify_authenticator(str + } + + p = auth; +- ret = rxgk_do_verify_authenticator(conn, krb5, skb, p, p + auth_len); ++ ret = rxgk_do_verify_authenticator(conn, krb5, skb, p, ++ p + auth_len / sizeof(*p)); + error: + kfree(auth); + return ret; diff --git a/queue-6.18/rxrpc-fix-rxgk-token-loading-to-check-bounds.patch b/queue-6.18/rxrpc-fix-rxgk-token-loading-to-check-bounds.patch new file mode 100644 index 0000000000..f3a87764a0 --- /dev/null +++ b/queue-6.18/rxrpc-fix-rxgk-token-loading-to-check-bounds.patch @@ -0,0 +1,132 @@ +From d179a868dd755b0cfcf7582e00943d702b9943b8 Mon Sep 17 00:00:00 2001 +From: Oleh Konko +Date: Wed, 8 Apr 2026 13:12:33 +0100 +Subject: rxrpc: Fix RxGK token loading to check bounds + +From: Oleh Konko + +commit d179a868dd755b0cfcf7582e00943d702b9943b8 upstream. + +rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length +from the XDR token as u32 values and passes each through round_up(x, 4) +before using the rounded value for validation and allocation. When the raw +length is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and +kzalloc both use 0 while the subsequent memcpy still copies the original +~4 GiB value, producing a heap buffer overflow reachable from an +unprivileged add_key() call. + +Fix this by: + + (1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket + lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with + the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX. + + (2) Sizing the flexible-array allocation from the validated raw key + length via struct_size_t() instead of the rounded value. + + (3) Caching the raw lengths so that the later field assignments and + memcpy calls do not re-read from the token, eliminating a class of + TOCTOU re-parse. + +The control path (valid token with lengths within bounds) is unaffected. + +Fixes: 0ca100ff4df6 ("rxrpc: Add YFS RxGK (GSSAPI) security class") +Signed-off-by: Oleh Konko +Signed-off-by: David Howells +Reviewed-by: Jeffrey Altman +cc: Marc Dionne +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-6-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/key.c | 30 +++++++++++++++++------------- + 1 file changed, 17 insertions(+), 13 deletions(-) + +diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c +index 26d4336a4a02..77237a82be3b 100644 +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -171,7 +172,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_preparsed_payload *prep, + size_t plen; + const __be32 *ticket, *key; + s64 tmp; +- u32 tktlen, keylen; ++ size_t raw_keylen, raw_tktlen, keylen, tktlen; + + _enter(",{%x,%x,%x,%x},%x", + ntohl(xdr[0]), ntohl(xdr[1]), ntohl(xdr[2]), ntohl(xdr[3]), +@@ -181,18 +182,22 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_preparsed_payload *prep, + goto reject; + + key = xdr + (6 * 2 + 1); +- keylen = ntohl(key[-1]); +- _debug("keylen: %x", keylen); +- keylen = round_up(keylen, 4); ++ raw_keylen = ntohl(key[-1]); ++ _debug("keylen: %zx", raw_keylen); ++ if (raw_keylen > AFSTOKEN_GK_KEY_MAX) ++ goto reject; ++ keylen = round_up(raw_keylen, 4); + if ((6 * 2 + 2) * 4 + keylen > toklen) + goto reject; + + ticket = xdr + (6 * 2 + 1 + (keylen / 4) + 1); +- tktlen = ntohl(ticket[-1]); +- _debug("tktlen: %x", tktlen); +- tktlen = round_up(tktlen, 4); ++ raw_tktlen = ntohl(ticket[-1]); ++ _debug("tktlen: %zx", raw_tktlen); ++ if (raw_tktlen > AFSTOKEN_GK_TOKEN_MAX) ++ goto reject; ++ tktlen = round_up(raw_tktlen, 4); + if ((6 * 2 + 2) * 4 + keylen + tktlen != toklen) { +- kleave(" = -EKEYREJECTED [%x!=%x, %x,%x]", ++ kleave(" = -EKEYREJECTED [%zx!=%x, %zx,%zx]", + (6 * 2 + 2) * 4 + keylen + tktlen, toklen, + keylen, tktlen); + goto reject; +@@ -206,7 +211,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_preparsed_payload *prep, + if (!token) + goto nomem; + +- token->rxgk = kzalloc(sizeof(*token->rxgk) + keylen, GFP_KERNEL); ++ token->rxgk = kzalloc(struct_size_t(struct rxgk_key, _key, raw_keylen), GFP_KERNEL); + if (!token->rxgk) + goto nomem_token; + +@@ -221,9 +226,9 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_preparsed_payload *prep, + token->rxgk->enctype = tmp = xdr_dec64(xdr + 5 * 2); + if (tmp < 0 || tmp > UINT_MAX) + goto reject_token; +- token->rxgk->key.len = ntohl(key[-1]); ++ token->rxgk->key.len = raw_keylen; + token->rxgk->key.data = token->rxgk->_key; +- token->rxgk->ticket.len = ntohl(ticket[-1]); ++ token->rxgk->ticket.len = raw_tktlen; + + if (token->rxgk->endtime != 0) { + expiry = rxrpc_s64_to_time64(token->rxgk->endtime); +@@ -236,8 +241,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_preparsed_payload *prep, + memcpy(token->rxgk->key.data, key, token->rxgk->key.len); + + /* Pad the ticket so that we can use it directly in XDR */ +- token->rxgk->ticket.data = kzalloc(round_up(token->rxgk->ticket.len, 4), +- GFP_KERNEL); ++ token->rxgk->ticket.data = kzalloc(tktlen, GFP_KERNEL); + if (!token->rxgk->ticket.data) + goto nomem_yrxgk; + memcpy(token->rxgk->ticket.data, ticket, token->rxgk->ticket.len); +-- +2.53.0 + diff --git a/queue-6.18/rxrpc-fix-to-request-an-ack-if-window-is-limited.patch b/queue-6.18/rxrpc-fix-to-request-an-ack-if-window-is-limited.patch new file mode 100644 index 0000000000..55be17d631 --- /dev/null +++ b/queue-6.18/rxrpc-fix-to-request-an-ack-if-window-is-limited.patch @@ -0,0 +1,84 @@ +From 0cd3e3f3f2ec1a45aa559e2c0f3d57fac5eb3c25 Mon Sep 17 00:00:00 2001 +From: Marc Dionne +Date: Wed, 8 Apr 2026 13:12:37 +0100 +Subject: rxrpc: Fix to request an ack if window is limited + +From: Marc Dionne + +commit 0cd3e3f3f2ec1a45aa559e2c0f3d57fac5eb3c25 upstream. + +Peers may only send immediate acks for every 2 UDP packets received. +When sending a jumbogram, it is important to check that there is +sufficient window space to send another same sized jumbogram following +the current one, and request an ack if there isn't. Failure to do so may +cause the call to stall waiting for an ack until the resend timer fires. + +Where jumbograms are in use this causes a very significant drop in +performance. + +Fixes: fe24a5494390 ("rxrpc: Send jumbo DATA packets") +Signed-off-by: Marc Dionne +Signed-off-by: David Howells +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-10-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/rxrpc.h | 1 + + net/rxrpc/ar-internal.h | 2 +- + net/rxrpc/output.c | 2 ++ + net/rxrpc/proc.c | 5 +++-- + 4 files changed, 7 insertions(+), 3 deletions(-) + +--- a/include/trace/events/rxrpc.h ++++ b/include/trace/events/rxrpc.h +@@ -521,6 +521,7 @@ + #define rxrpc_req_ack_traces \ + EM(rxrpc_reqack_ack_lost, "ACK-LOST ") \ + EM(rxrpc_reqack_app_stall, "APP-STALL ") \ ++ EM(rxrpc_reqack_jumbo_win, "JUMBO-WIN ") \ + EM(rxrpc_reqack_more_rtt, "MORE-RTT ") \ + EM(rxrpc_reqack_no_srv_last, "NO-SRVLAST") \ + EM(rxrpc_reqack_old_rtt, "OLD-RTT ") \ +--- a/net/rxrpc/ar-internal.h ++++ b/net/rxrpc/ar-internal.h +@@ -117,7 +117,7 @@ struct rxrpc_net { + atomic_t stat_tx_jumbo[10]; + atomic_t stat_rx_jumbo[10]; + +- atomic_t stat_why_req_ack[8]; ++ atomic_t stat_why_req_ack[9]; + + atomic_t stat_io_loop; + }; +--- a/net/rxrpc/output.c ++++ b/net/rxrpc/output.c +@@ -479,6 +479,8 @@ static size_t rxrpc_prepare_data_subpack + why = rxrpc_reqack_old_rtt; + else if (!last && !after(READ_ONCE(call->send_top), txb->seq)) + why = rxrpc_reqack_app_stall; ++ else if (call->tx_winsize <= (2 * req->n) || call->cong_cwnd <= (2 * req->n)) ++ why = rxrpc_reqack_jumbo_win; + else + goto dont_set_request_ack; + +--- a/net/rxrpc/proc.c ++++ b/net/rxrpc/proc.c +@@ -518,11 +518,12 @@ int rxrpc_stats_show(struct seq_file *se + atomic_read(&rxnet->stat_rx_acks[RXRPC_ACK_IDLE]), + atomic_read(&rxnet->stat_rx_acks[0])); + seq_printf(seq, +- "Why-Req-A: acklost=%u mrtt=%u ortt=%u stall=%u\n", ++ "Why-Req-A: acklost=%u mrtt=%u ortt=%u stall=%u jwin=%u\n", + atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_ack_lost]), + atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_more_rtt]), + atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_old_rtt]), +- atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_app_stall])); ++ atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_app_stall]), ++ atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_jumbo_win])); + seq_printf(seq, + "Why-Req-A: nolast=%u retx=%u slows=%u smtxw=%u\n", + atomic_read(&rxnet->stat_why_req_ack[rxrpc_reqack_no_srv_last]), diff --git a/queue-6.18/rxrpc-fix-use-of-wrong-skb-when-comparing-queued-resp-challenge-serial.patch b/queue-6.18/rxrpc-fix-use-of-wrong-skb-when-comparing-queued-resp-challenge-serial.patch new file mode 100644 index 0000000000..78ec454107 --- /dev/null +++ b/queue-6.18/rxrpc-fix-use-of-wrong-skb-when-comparing-queued-resp-challenge-serial.patch @@ -0,0 +1,75 @@ +From b33f5741bb187db8ff32e8f5b96def77cc94dfca Mon Sep 17 00:00:00 2001 +From: Alok Tiwari +Date: Wed, 8 Apr 2026 13:12:34 +0100 +Subject: rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial + +From: Alok Tiwari + +commit b33f5741bb187db8ff32e8f5b96def77cc94dfca upstream. + +In rxrpc_post_response(), the code should be comparing the challenge serial +number from the cached response before deciding to switch to a newer +response, but looks at the newer packet private data instead, rendering the +comparison always false. + +Fix this by switching to look at the older packet. + +Fix further[1] to substitute the new packet in place of the old one if +newer and also to release whichever we don't use. + +Fixes: 5800b1cf3fd8 ("rxrpc: Allow CHALLENGEs to the passed to the app for a RESPONSE") +Signed-off-by: Alok Tiwari +Signed-off-by: David Howells +Reviewed-by: Jeffrey Altman +cc: Marc Dionne +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com [1] +Link: https://patch.msgid.link/20260408121252.2249051-7-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/rxrpc.h | 1 + + net/rxrpc/conn_event.c | 5 +++-- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h +index a826cd80007b..f7f559204b87 100644 +--- a/include/trace/events/rxrpc.h ++++ b/include/trace/events/rxrpc.h +@@ -185,6 +185,7 @@ + EM(rxrpc_skb_put_input, "PUT input ") \ + EM(rxrpc_skb_put_jumbo_subpacket, "PUT jumbo-sub") \ + EM(rxrpc_skb_put_oob, "PUT oob ") \ ++ EM(rxrpc_skb_put_old_response, "PUT old-resp ") \ + EM(rxrpc_skb_put_purge, "PUT purge ") \ + EM(rxrpc_skb_put_purge_oob, "PUT purge-oob") \ + EM(rxrpc_skb_put_response, "PUT response ") \ +diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c +index 98ad9b51ca2c..c50cbfc5a313 100644 +--- a/net/rxrpc/conn_event.c ++++ b/net/rxrpc/conn_event.c +@@ -557,11 +557,11 @@ void rxrpc_post_response(struct rxrpc_connection *conn, struct sk_buff *skb) + spin_lock_irq(&local->lock); + old = conn->tx_response; + if (old) { +- struct rxrpc_skb_priv *osp = rxrpc_skb(skb); ++ struct rxrpc_skb_priv *osp = rxrpc_skb(old); + + /* Always go with the response to the most recent challenge. */ + if (after(sp->resp.challenge_serial, osp->resp.challenge_serial)) +- conn->tx_response = old; ++ conn->tx_response = skb; + else + old = skb; + } else { +@@ -569,4 +569,5 @@ void rxrpc_post_response(struct rxrpc_connection *conn, struct sk_buff *skb) + } + spin_unlock_irq(&local->lock); + rxrpc_poke_conn(conn, rxrpc_conn_get_poke_response); ++ rxrpc_free_skb(old, rxrpc_skb_put_old_response); + } +-- +2.53.0 + diff --git a/queue-6.18/rxrpc-only-handle-response-during-service-challenge.patch b/queue-6.18/rxrpc-only-handle-response-during-service-challenge.patch new file mode 100644 index 0000000000..7ced4f4792 --- /dev/null +++ b/queue-6.18/rxrpc-only-handle-response-during-service-challenge.patch @@ -0,0 +1,78 @@ +From c43ffdcfdbb5567b1f143556df8a04b4eeea041c Mon Sep 17 00:00:00 2001 +From: Wang Jie +Date: Wed, 8 Apr 2026 13:12:48 +0100 +Subject: rxrpc: only handle RESPONSE during service challenge + +From: Wang Jie + +commit c43ffdcfdbb5567b1f143556df8a04b4eeea041c upstream. + +Only process RESPONSE packets while the service connection is still in +RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before +running response verification and security initialization, then use a local +secured flag to decide whether to queue the secured-connection work after +the state transition. This keeps duplicate or late RESPONSE packets from +re-running the setup path and removes the unlocked post-transition state +test. + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Signed-off-by: Jie Wang +Signed-off-by: Yang Yang +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-21-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/conn_event.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/net/rxrpc/conn_event.c ++++ b/net/rxrpc/conn_event.c +@@ -247,6 +247,7 @@ static int rxrpc_process_event(struct rx + struct sk_buff *skb) + { + struct rxrpc_skb_priv *sp = rxrpc_skb(skb); ++ bool secured = false; + int ret; + + if (conn->state == RXRPC_CONN_ABORTED) +@@ -262,6 +263,13 @@ static int rxrpc_process_event(struct rx + return ret; + + case RXRPC_PACKET_TYPE_RESPONSE: ++ spin_lock_irq(&conn->state_lock); ++ if (conn->state != RXRPC_CONN_SERVICE_CHALLENGING) { ++ spin_unlock_irq(&conn->state_lock); ++ return 0; ++ } ++ spin_unlock_irq(&conn->state_lock); ++ + ret = conn->security->verify_response(conn, skb); + if (ret < 0) + return ret; +@@ -272,11 +280,13 @@ static int rxrpc_process_event(struct rx + return ret; + + spin_lock_irq(&conn->state_lock); +- if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) ++ if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) { + conn->state = RXRPC_CONN_SERVICE; ++ secured = true; ++ } + spin_unlock_irq(&conn->state_lock); + +- if (conn->state == RXRPC_CONN_SERVICE) { ++ if (secured) { + /* Offload call state flipping to the I/O thread. As + * we've already received the packet, put it on the + * front of the queue. diff --git a/queue-6.18/rxrpc-only-put-the-call-ref-if-one-was-acquired.patch b/queue-6.18/rxrpc-only-put-the-call-ref-if-one-was-acquired.patch new file mode 100644 index 0000000000..5cf09f1ca1 --- /dev/null +++ b/queue-6.18/rxrpc-only-put-the-call-ref-if-one-was-acquired.patch @@ -0,0 +1,53 @@ +From 6331f1b24a3e85465f6454e003a3e6c22005a5c5 Mon Sep 17 00:00:00 2001 +From: Douya Le +Date: Wed, 8 Apr 2026 13:12:38 +0100 +Subject: rxrpc: Only put the call ref if one was acquired + +From: Douya Le + +commit 6331f1b24a3e85465f6454e003a3e6c22005a5c5 upstream. + +rxrpc_input_packet_on_conn() can process a to-client packet after the +current client call on the channel has already been torn down. In that +case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is +no reference to drop. + +The client-side implicit-end error path does not account for that and +unconditionally calls rxrpc_put_call(). This turns a protocol error +path into a kernel crash instead of rejecting the packet. + +Only drop the call reference if one was actually acquired. Keep the +existing protocol error handling unchanged. + +Fixes: 5e6ef4f1017c ("rxrpc: Make the I/O thread take over the call and local processor work") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Signed-off-by: Douya Le +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Signed-off-by: Ao Zhou +Signed-off-by: David Howells +cc: Marc Dionne +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-11-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/io_thread.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/rxrpc/io_thread.c ++++ b/net/rxrpc/io_thread.c +@@ -419,7 +419,8 @@ static int rxrpc_input_packet_on_conn(st + + if (sp->hdr.callNumber > chan->call_id) { + if (rxrpc_to_client(sp)) { +- rxrpc_put_call(call, rxrpc_call_put_input); ++ if (call) ++ rxrpc_put_call(call, rxrpc_call_put_input); + return rxrpc_protocol_error(skb, + rxrpc_eproto_unexpected_implicit_end); + } diff --git a/queue-6.18/rxrpc-proc-size-address-buffers-for-pispc-output.patch b/queue-6.18/rxrpc-proc-size-address-buffers-for-pispc-output.patch new file mode 100644 index 0000000000..f8ef2057b6 --- /dev/null +++ b/queue-6.18/rxrpc-proc-size-address-buffers-for-pispc-output.patch @@ -0,0 +1,164 @@ +From a44ce6aa2efb61fe44f2cfab72bb01544bbca272 Mon Sep 17 00:00:00 2001 +From: Pengpeng Hou +Date: Wed, 8 Apr 2026 13:12:49 +0100 +Subject: rxrpc: proc: size address buffers for %pISpc output + +From: Pengpeng Hou + +commit a44ce6aa2efb61fe44f2cfab72bb01544bbca272 upstream. + +The AF_RXRPC procfs helpers format local and remote socket addresses into +fixed 50-byte stack buffers with "%pISpc". + +That is too small for the longest current-tree IPv6-with-port form the +formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a +dotted-quad tail not only for v4mapped addresses, but also for ISATAP +addresses via ipv6_addr_is_isatap(). + +As a result, a case such as + + [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535 + +is possible with the current formatter. That is 50 visible characters, so +51 bytes including the trailing NUL, which does not fit in the existing +char[50] buffers used by net/rxrpc/proc.c. + +Size the buffers from the formatter's maximum textual form and switch the +call sites to scnprintf(). + +Changes since v1: +- correct the changelog to cite the actual maximum current-tree case + explicitly +- frame the proof around the ISATAP formatting path instead of the earlier + mapped-v4 example + +Fixes: 75b54cb57ca3 ("rxrpc: Add IPv6 support") +Signed-off-by: Pengpeng Hou +Signed-off-by: David Howells +cc: Marc Dionne +cc: Anderson Nascimento +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-22-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/proc.c | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +--- a/net/rxrpc/proc.c ++++ b/net/rxrpc/proc.c +@@ -10,6 +10,10 @@ + #include + #include "ar-internal.h" + ++#define RXRPC_PROC_ADDRBUF_SIZE \ ++ (sizeof("[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255]") + \ ++ sizeof(":12345")) ++ + static const char *const rxrpc_conn_states[RXRPC_CONN__NR_STATES] = { + [RXRPC_CONN_UNUSED] = "Unused ", + [RXRPC_CONN_CLIENT_UNSECURED] = "ClUnsec ", +@@ -53,7 +57,7 @@ static int rxrpc_call_seq_show(struct se + struct rxrpc_net *rxnet = rxrpc_net(seq_file_net(seq)); + enum rxrpc_call_state state; + rxrpc_seq_t tx_bottom; +- char lbuff[50], rbuff[50]; ++ char lbuff[RXRPC_PROC_ADDRBUF_SIZE], rbuff[RXRPC_PROC_ADDRBUF_SIZE]; + long timeout = 0; + + if (v == &rxnet->calls) { +@@ -69,11 +73,11 @@ static int rxrpc_call_seq_show(struct se + + local = call->local; + if (local) +- sprintf(lbuff, "%pISpc", &local->srx.transport); ++ scnprintf(lbuff, sizeof(lbuff), "%pISpc", &local->srx.transport); + else + strcpy(lbuff, "no_local"); + +- sprintf(rbuff, "%pISpc", &call->dest_srx.transport); ++ scnprintf(rbuff, sizeof(rbuff), "%pISpc", &call->dest_srx.transport); + + state = rxrpc_call_state(call); + if (state != RXRPC_CALL_SERVER_PREALLOC) +@@ -142,7 +146,7 @@ static int rxrpc_connection_seq_show(str + struct rxrpc_connection *conn; + struct rxrpc_net *rxnet = rxrpc_net(seq_file_net(seq)); + const char *state; +- char lbuff[50], rbuff[50]; ++ char lbuff[RXRPC_PROC_ADDRBUF_SIZE], rbuff[RXRPC_PROC_ADDRBUF_SIZE]; + + if (v == &rxnet->conn_proc_list) { + seq_puts(seq, +@@ -161,8 +165,8 @@ static int rxrpc_connection_seq_show(str + goto print; + } + +- sprintf(lbuff, "%pISpc", &conn->local->srx.transport); +- sprintf(rbuff, "%pISpc", &conn->peer->srx.transport); ++ scnprintf(lbuff, sizeof(lbuff), "%pISpc", &conn->local->srx.transport); ++ scnprintf(rbuff, sizeof(rbuff), "%pISpc", &conn->peer->srx.transport); + print: + state = rxrpc_is_conn_aborted(conn) ? + rxrpc_call_completions[conn->completion] : +@@ -228,7 +232,7 @@ static int rxrpc_bundle_seq_show(struct + { + struct rxrpc_bundle *bundle; + struct rxrpc_net *rxnet = rxrpc_net(seq_file_net(seq)); +- char lbuff[50], rbuff[50]; ++ char lbuff[RXRPC_PROC_ADDRBUF_SIZE], rbuff[RXRPC_PROC_ADDRBUF_SIZE]; + + if (v == &rxnet->bundle_proc_list) { + seq_puts(seq, +@@ -242,8 +246,8 @@ static int rxrpc_bundle_seq_show(struct + + bundle = list_entry(v, struct rxrpc_bundle, proc_link); + +- sprintf(lbuff, "%pISpc", &bundle->local->srx.transport); +- sprintf(rbuff, "%pISpc", &bundle->peer->srx.transport); ++ scnprintf(lbuff, sizeof(lbuff), "%pISpc", &bundle->local->srx.transport); ++ scnprintf(rbuff, sizeof(rbuff), "%pISpc", &bundle->peer->srx.transport); + seq_printf(seq, + "UDP %-47.47s %-47.47s %4x %3u %3d" + " %c%c%c %08x | %08x %08x %08x %08x %08x\n", +@@ -279,7 +283,7 @@ static int rxrpc_peer_seq_show(struct se + { + struct rxrpc_peer *peer; + time64_t now; +- char lbuff[50], rbuff[50]; ++ char lbuff[RXRPC_PROC_ADDRBUF_SIZE], rbuff[RXRPC_PROC_ADDRBUF_SIZE]; + + if (v == SEQ_START_TOKEN) { + seq_puts(seq, +@@ -290,9 +294,9 @@ static int rxrpc_peer_seq_show(struct se + + peer = list_entry(v, struct rxrpc_peer, hash_link); + +- sprintf(lbuff, "%pISpc", &peer->local->srx.transport); ++ scnprintf(lbuff, sizeof(lbuff), "%pISpc", &peer->local->srx.transport); + +- sprintf(rbuff, "%pISpc", &peer->srx.transport); ++ scnprintf(rbuff, sizeof(rbuff), "%pISpc", &peer->srx.transport); + + now = ktime_get_seconds(); + seq_printf(seq, +@@ -401,7 +405,7 @@ const struct seq_operations rxrpc_peer_s + static int rxrpc_local_seq_show(struct seq_file *seq, void *v) + { + struct rxrpc_local *local; +- char lbuff[50]; ++ char lbuff[RXRPC_PROC_ADDRBUF_SIZE]; + + if (v == SEQ_START_TOKEN) { + seq_puts(seq, +@@ -412,7 +416,7 @@ static int rxrpc_local_seq_show(struct s + + local = hlist_entry(v, struct rxrpc_local, link); + +- sprintf(lbuff, "%pISpc", &local->srx.transport); ++ scnprintf(lbuff, sizeof(lbuff), "%pISpc", &local->srx.transport); + + seq_printf(seq, + "UDP %-47.47s %3u %3u %3u\n", diff --git a/queue-6.18/rxrpc-reject-undecryptable-rxkad-response-tickets.patch b/queue-6.18/rxrpc-reject-undecryptable-rxkad-response-tickets.patch new file mode 100644 index 0000000000..e6e4f5540f --- /dev/null +++ b/queue-6.18/rxrpc-reject-undecryptable-rxkad-response-tickets.patch @@ -0,0 +1,64 @@ +From fe4447cd95623b1cfacc15f280aab73a6d7340b2 Mon Sep 17 00:00:00 2001 +From: Yuqi Xu +Date: Wed, 8 Apr 2026 13:12:39 +0100 +Subject: rxrpc: reject undecryptable rxkad response tickets + +From: Yuqi Xu + +commit fe4447cd95623b1cfacc15f280aab73a6d7340b2 upstream. + +rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then +parses the buffer as plaintext without checking whether +crypto_skcipher_decrypt() succeeded. + +A malformed RESPONSE can therefore use a non-block-aligned ticket +length, make the decrypt operation fail, and still drive the ticket +parser with attacker-controlled bytes. + +Check the decrypt result and abort the connection with RXKADBADTICKET +when ticket decryption fails. + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Yuqi Xu +Signed-off-by: Ren Wei +Signed-off-by: David Howells +cc: Marc Dionne +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-12-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/rxkad.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/rxrpc/rxkad.c ++++ b/net/rxrpc/rxkad.c +@@ -958,6 +958,7 @@ static int rxkad_decrypt_ticket(struct r + struct in_addr addr; + unsigned int life; + time64_t issue, now; ++ int ret; + bool little_endian; + u8 *p, *q, *name, *end; + +@@ -977,8 +978,11 @@ static int rxkad_decrypt_ticket(struct r + sg_init_one(&sg[0], ticket, ticket_len); + skcipher_request_set_callback(req, 0, NULL, NULL); + skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); +- crypto_skcipher_decrypt(req); ++ ret = crypto_skcipher_decrypt(req); + skcipher_request_free(req); ++ if (ret < 0) ++ return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO, ++ rxkad_abort_resp_tkt_short); + + p = ticket; + end = p + ticket_len; diff --git a/queue-6.18/series b/queue-6.18/series index bb508380e3..bdff2c19ad 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -59,3 +59,24 @@ idpf-set-the-payload-size-before-calling-the-async-handler.patch net-lan966x-fix-page_pool-error-handling-in-lan966x_fdma_rx_alloc_page_pool.patch net-lan966x-fix-page-pool-leak-in-error-paths.patch net-lan966x-fix-use-after-free-and-leak-in-lan966x_fdma_reload.patch +rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch +rxrpc-fix-key-parsing-memleak.patch +rxrpc-fix-anonymous-key-handling.patch +rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch +rxrpc-fix-rxgk-token-loading-to-check-bounds.patch +rxrpc-fix-use-of-wrong-skb-when-comparing-queued-resp-challenge-serial.patch +rxrpc-fix-rack-timer-warning-to-report-unexpected-mode.patch +rxrpc-fix-key-reference-count-leak-from-call-key.patch +rxrpc-fix-to-request-an-ack-if-window-is-limited.patch +rxrpc-only-put-the-call-ref-if-one-was-acquired.patch +rxrpc-reject-undecryptable-rxkad-response-tickets.patch +rxrpc-fix-response-authenticator-parser-oob-read.patch +rxrpc-fix-oversized-response-authenticator-length-check.patch +rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch +rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch +rxrpc-fix-missing-error-checks-for-rxkad-encryption-decryption-failure.patch +rxrpc-fix-integer-overflow-in-rxgk_verify_response.patch +rxrpc-fix-leak-of-rxgk-context-in-rxgk_verify_response.patch +rxrpc-fix-buffer-overread-in-rxgk_do_verify_authenticator.patch +rxrpc-only-handle-response-during-service-challenge.patch +rxrpc-proc-size-address-buffers-for-pispc-output.patch