Patch "rxrpc: Fix anonymous key handling" has been added to the 6.12-stable tree

gregkh at linuxfoundation.org gregkh at linuxfoundation.org
Mon Apr 13 05:39:08 PDT 2026 

This is a note to let you know that I've just added the patch titled

    rxrpc: Fix anonymous key handling

to the 6.12-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rxrpc-fix-anonymous-key-handling.patch
and it can be found in the queue-6.12 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.


>From 6a59d84b4fc2f27f7b40e348506cc686712e260b Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
Date: Wed, 8 Apr 2026 13:12:31 +0100
Subject: rxrpc: Fix anonymous key handling

From: David Howells <dhowells at redhat.com>

commit 6a59d84b4fc2f27f7b40e348506cc686712e260b upstream.

In rxrpc_new_client_call_for_sendmsg(), a key with no payload is meant to
be substituted for a NULL key pointer, but the variable this is done with
is subsequently not used.

Fix this by using "key" rather than "rx->key" when filling in the
connection parameters.

Note that this only affects direct use of AF_RXRPC; the kAFS filesystem
doesn't use sendmsg() directly and so bypasses the issue.  Further,
AF_RXRPC passes a NULL key in if no key is set, so using an anonymous key
in that manner works.  Since this hasn't been noticed to this point, it
might be better just to remove the "key" variable and the code that sets it
- and, arguably, rxrpc_init_client_call_security() would be a better place
to handle it.

Fixes: 19ffa01c9c45 ("rxrpc: Use structs to hold connection params and protocol info")
Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Jeffrey Altman <jaltman at auristor.com>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-4-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
 net/rxrpc/sendmsg.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -586,7 +586,7 @@ rxrpc_new_client_call_for_sendmsg(struct
 	memset(&cp, 0, sizeof(cp));
 	cp.local		= rx->local;
 	cp.peer			= peer;
-	cp.key			= rx->key;
+	cp.key			= key;
 	cp.security_level	= rx->min_sec_level;
 	cp.exclusive		= rx->exclusive | p->exclusive;
 	cp.upgrade		= p->upgrade;


Patches currently in stable-queue which might be from dhowells at redhat.com are

queue-6.12/rxrpc-only-put-the-call-ref-if-one-was-acquired.patch
queue-6.12/rxrpc-reject-undecryptable-rxkad-response-tickets.patch
queue-6.12/rxrpc-fix-missing-error-checks-for-rxkad-encryption-decryption-failure.patch
queue-6.12/rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch
queue-6.12/rxrpc-fix-key-reference-count-leak-from-call-key.patch
queue-6.12/rxrpc-fix-anonymous-key-handling.patch
queue-6.12/rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch
queue-6.12/mm-filemap-fix-nr_pages-calculation-overflow-in-filemap_map_pages.patch
queue-6.12/rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch

More information about the linux-afs mailing list