[PATCH net v2 0/6] rxrpc: Miscellaneous fixes

David Howells dhowells at redhat.com
Wed Apr 22 09:14:29 PDT 2026 

Here are some fixes for rxrpc, as found by Sashiko[1]:

 (1) Fix leaks in rxkad_verify_response().

 (2) Fix handling of rxkad-encrypted packets with crypto-misaligned
     lengths.

 (3) Fix problem with unsharing DATA packets potentially causing a crash in
     the caller.

 (4) Fix lack of unsharing of RESPONSE packets.

 (5) Fix integer overflow in RxGK ticket length check.

 (6) Fix missing length check in RxKAD tickets.

David

The patches can be found here also:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-fixes

Changes
=======
ver #2)
- Use of __free() constructs in networking code is disallowed, so rework
  the rxkad_verify_response() patch to just clean everything up at the end
  and cope with NULL pointers.
- Reworked the unsharing fix:
  - Used skb_cloned() and skb_copy() directly rather than skb_unshare().
    The problem with skb_unshare() is that it kills the source skbuff if it
    can't copy, which then has to be propagated up the call chain.  Even
    so, the code still had an bug from this[1].
  - Split into two patches, one for DATA and one for RESPONSE packets.
  - Do the DATA unshare a lot further along.
- Imported a patch to add a length check on RxKAD tickets.

Link: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com [1]

Anderson Nascimento (1):
  rxrpc: Fix missing validation of ticket length in non-XDR key
    preparsing

David Howells (5):
  rxrpc: Fix memory leaks in rxkad_verify_response()
  rxrpc: Fix rxkad crypto unalignment handling
  rxrpc: Fix potential UAF after skb_unshare() failure
  rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
  rxgk: Fix potential integer overflow in length check

 include/trace/events/rxrpc.h |   5 +-
 net/rxrpc/ar-internal.h      |   1 -
 net/rxrpc/call_event.c       |  19 +++++-
 net/rxrpc/conn_event.c       |  29 ++++++++-
 net/rxrpc/io_thread.c        |  24 +-------
 net/rxrpc/key.c              |   4 ++
 net/rxrpc/rxgk_app.c         |   2 +-
 net/rxrpc/rxgk_common.h      |   1 +
 net/rxrpc/rxkad.c            | 112 +++++++++++++++--------------------
 net/rxrpc/skbuff.c           |   9 ---
 10 files changed, 106 insertions(+), 100 deletions(-)

More information about the linux-afs mailing list