Patch "rxrpc: Fix key quota calculation for multitoken keys" has been added to the 6.18-stable tree

gregkh at linuxfoundation.org gregkh at linuxfoundation.org
Mon Apr 13 05:39:05 PDT 2026 

This is a note to let you know that I've just added the patch titled

    rxrpc: Fix key quota calculation for multitoken keys

to the 6.18-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
and it can be found in the queue-6.18 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.


>From bdbfead6d38979475df0c2f4bad2b19394fe9bdc Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
Date: Wed, 8 Apr 2026 13:12:29 +0100
Subject: rxrpc: Fix key quota calculation for multitoken keys

From: David Howells <dhowells at redhat.com>

commit bdbfead6d38979475df0c2f4bad2b19394fe9bdc upstream.

In the rxrpc key preparsing, every token extracted sets the proposed quota
value, but for multitoken keys, this will overwrite the previous proposed
quota, losing it.

Fix this by adding to the proposed quota instead.

Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing")
Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Jeffrey Altman <jaltman at auristor.com>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-2-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
 net/rxrpc/key.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -72,7 +72,7 @@ static int rxrpc_preparse_xdr_rxkad(stru
 		return -EKEYREJECTED;
 
 	plen = sizeof(*token) + sizeof(*token->kad) + tktlen;
-	prep->quotalen = datalen + plen;
+	prep->quotalen += datalen + plen;
 
 	plen -= sizeof(*token);
 	token = kzalloc(sizeof(*token), GFP_KERNEL);
@@ -199,7 +199,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(s
 	}
 
 	plen = sizeof(*token) + sizeof(*token->rxgk) + tktlen + keylen;
-	prep->quotalen = datalen + plen;
+	prep->quotalen += datalen + plen;
 
 	plen -= sizeof(*token);
 	token = kzalloc(sizeof(*token), GFP_KERNEL);
@@ -460,6 +460,7 @@ static int rxrpc_preparse(struct key_pre
 	memcpy(&kver, prep->data, sizeof(kver));
 	prep->data += sizeof(kver);
 	prep->datalen -= sizeof(kver);
+	prep->quotalen = 0;
 
 	_debug("KEY I/F VERSION: %u", kver);
 
@@ -497,7 +498,7 @@ static int rxrpc_preparse(struct key_pre
 		goto error;
 
 	plen = sizeof(*token->kad) + v1->ticket_length;
-	prep->quotalen = plen + sizeof(*token);
+	prep->quotalen += plen + sizeof(*token);
 
 	ret = -ENOMEM;
 	token = kzalloc(sizeof(*token), GFP_KERNEL);


Patches currently in stable-queue which might be from dhowells at redhat.com are

queue-6.18/rxrpc-fix-rxgk-token-loading-to-check-bounds.patch
queue-6.18/rxrpc-only-put-the-call-ref-if-one-was-acquired.patch
queue-6.18/rxrpc-proc-size-address-buffers-for-pispc-output.patch
queue-6.18/rxrpc-fix-buffer-overread-in-rxgk_do_verify_authenticator.patch
queue-6.18/rxrpc-reject-undecryptable-rxkad-response-tickets.patch
queue-6.18/rxrpc-fix-missing-error-checks-for-rxkad-encryption-decryption-failure.patch
queue-6.18/rxrpc-fix-use-of-wrong-skb-when-comparing-queued-resp-challenge-serial.patch
queue-6.18/rxrpc-fix-integer-overflow-in-rxgk_verify_response.patch
queue-6.18/rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch
queue-6.18/rxrpc-fix-key-reference-count-leak-from-call-key.patch
queue-6.18/rxrpc-fix-leak-of-rxgk-context-in-rxgk_verify_response.patch
queue-6.18/rxrpc-fix-anonymous-key-handling.patch
queue-6.18/rxrpc-fix-to-request-an-ack-if-window-is-limited.patch
queue-6.18/rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch
queue-6.18/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
queue-6.18/mm-filemap-fix-nr_pages-calculation-overflow-in-filemap_map_pages.patch
queue-6.18/rxrpc-fix-key-parsing-memleak.patch
queue-6.18/rxrpc-fix-rack-timer-warning-to-report-unexpected-mode.patch
queue-6.18/rxrpc-fix-response-authenticator-parser-oob-read.patch
queue-6.18/rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch
queue-6.18/rxrpc-fix-oversized-response-authenticator-length-check.patch
queue-6.18/rxrpc-only-handle-response-during-service-challenge.patch

More information about the linux-afs mailing list