Patch "rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING)" has been added to the 6.18-stable tree

Mon Apr 13 05:39:05 PDT 2026

This is a note to let you know that I've just added the patch titled

    rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING)

to the 6.18-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch
and it can be found in the queue-6.18 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.


>From 2afd86ccbb2082a3c4258aea8c07e5bb6267bc2f Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
Date: Wed, 8 Apr 2026 13:12:43 +0100
Subject: rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING)

From: David Howells <dhowells at redhat.com>

commit 2afd86ccbb2082a3c4258aea8c07e5bb6267bc2f upstream.

An AF_RXRPC socket can be both client and server at the same time.  When
sending new calls (ie. it's acting as a client), it uses rx->key to set the
security, and when accepting incoming calls (ie. it's acting as a server),
it uses rx->securities.

setsockopt(RXRPC_SECURITY_KEY) sets rx->key to point to an rxrpc-type key
and setsockopt(RXRPC_SECURITY_KEYRING) sets rx->securities to point to a
keyring of rxrpc_s-type keys.

Now, it should be possible to use both rx->key and rx->securities on the
same socket - but for userspace AF_RXRPC sockets rxrpc_setsockopt()
prevents that.

Fix this by:

 (1) Remove the incorrect check rxrpc_setsockopt(RXRPC_SECURITY_KEYRING)
     makes on rx->key.

 (2) Move the check that rxrpc_setsockopt(RXRPC_SECURITY_KEY) makes on
     rx->key down into rxrpc_request_key().

 (3) Remove rxrpc_request_key()'s check on rx->securities.

This (in combination with a previous patch) pushes the checks down into the
functions that set those pointers and removes the cross-checks that prevent
both key and keyring being set.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Anderson Nascimento <anderson at allelesecurity.com>
cc: Luxiao Xu <rakukuip at gmail.com>
cc: Yuan Tan <yuantan098 at gmail.com>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-16-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
 net/rxrpc/af_rxrpc.c |    6 ------
 net/rxrpc/key.c      |    2 +-
 2 files changed, 1 insertion(+), 7 deletions(-)

--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -654,9 +654,6 @@ static int rxrpc_setsockopt(struct socke
 			goto success;
 
 		case RXRPC_SECURITY_KEY:
-			ret = -EINVAL;
-			if (rx->key)
-				goto error;
 			ret = -EISCONN;
 			if (rx->sk.sk_state != RXRPC_UNBOUND)
 				goto error;
@@ -664,9 +661,6 @@ static int rxrpc_setsockopt(struct socke
 			goto error;
 
 		case RXRPC_SECURITY_KEYRING:
-			ret = -EINVAL;
-			if (rx->key)
-				goto error;
 			ret = -EISCONN;
 			if (rx->sk.sk_state != RXRPC_UNBOUND)
 				goto error;
--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -622,7 +622,7 @@ int rxrpc_request_key(struct rxrpc_sock
 
 	_enter("");
 
-	if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->securities)
+	if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->key)
 		return -EINVAL;
 
 	description = memdup_sockptr_nul(optval, optlen);


Patches currently in stable-queue which might be from dhowells at redhat.com are

queue-6.18/rxrpc-fix-rxgk-token-loading-to-check-bounds.patch
queue-6.18/rxrpc-only-put-the-call-ref-if-one-was-acquired.patch
queue-6.18/rxrpc-proc-size-address-buffers-for-pispc-output.patch
queue-6.18/rxrpc-fix-buffer-overread-in-rxgk_do_verify_authenticator.patch
queue-6.18/rxrpc-reject-undecryptable-rxkad-response-tickets.patch
queue-6.18/rxrpc-fix-missing-error-checks-for-rxkad-encryption-decryption-failure.patch
queue-6.18/rxrpc-fix-use-of-wrong-skb-when-comparing-queued-resp-challenge-serial.patch
queue-6.18/rxrpc-fix-integer-overflow-in-rxgk_verify_response.patch
queue-6.18/rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch
queue-6.18/rxrpc-fix-key-reference-count-leak-from-call-key.patch
queue-6.18/rxrpc-fix-leak-of-rxgk-context-in-rxgk_verify_response.patch
queue-6.18/rxrpc-fix-anonymous-key-handling.patch
queue-6.18/rxrpc-fix-to-request-an-ack-if-window-is-limited.patch
queue-6.18/rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch
queue-6.18/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
queue-6.18/mm-filemap-fix-nr_pages-calculation-overflow-in-filemap_map_pages.patch
queue-6.18/rxrpc-fix-key-parsing-memleak.patch
queue-6.18/rxrpc-fix-rack-timer-warning-to-report-unexpected-mode.patch
queue-6.18/rxrpc-fix-response-authenticator-parser-oob-read.patch
queue-6.18/rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch
queue-6.18/rxrpc-fix-oversized-response-authenticator-length-check.patch
queue-6.18/rxrpc-only-handle-response-during-service-challenge.patch

