[PATCH 0/2] rxrpc: Fix key and keyring reference count leaks
Anderson Nascimento
anderson at allelesecurity.com
Fri Mar 13 06:23:25 PDT 2026
Hello,
While auditing the RxRPC protocol, I identified two separate reference count leaks related to security keys and keyrings.
The first leak occurs during client call allocation if security initialization fails. The second occurs in the setsockopt path due to an incorrect struct member check, allowing multiple keyring assignments to the same socket. Both issues prevent the cleanup of key/keyring objects, as evidenced by /proc/keys remaining populated after the user processes exit.
This series fixes both issues by ensuring key_put() is called on the error path in the call allocator and by correcting the logic in rxrpc_setsockopt().
Patch Summary:

  rxrpc: Fix keyring reference count leak in rxrpc_setsockopt()
    Prevents multiple keyring assignments to a single socket by checking rx->securities instead of rx->key.

  rxrpc: Fix key reference count leak in rxrpc_alloc_client_call()
    Releases the key reference if rxrpc_init_client_call_security() fails.
Testing was performed by monitoring /proc/keys and using a reproducer that triggers failed security initialization and repeated setsockopt calls.
Anderson Nascimento (2):
  rxrpc: Fix keyring reference count leak in rxrpc_setsockopt()
  rxrpc: Fix key reference count leak in rxrpc_alloc_client_call()

 net/rxrpc/af_rxrpc.c    | 2 +-
 net/rxrpc/call_object.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
--
2.53.0
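Added example, not part of the original message or of the patch series: a Python check in the spirit of the /proc/keys monitoring described above, comparing a snapshot taken before a test run with one taken after the test processes have exited and listing the key and keyring entries that are still present. The snapshots, serials, uid 1000, descriptions and the choice of watched key types are constructed assumptions.

```python
"""Compare two /proc/keys snapshots and list entries that outlive a test run."""
from typing import Dict, List, NamedTuple

class KeyEntry(NamedTuple):
    serial: str
    usage: int
    uid: int
    ktype: str
    description: str

# Assumption: key types worth watching when testing rxrpc sockets.
WATCHED_TYPES = ("rxrpc", "rxrpc_s", "keyring")

def parse_proc_keys(text: str) -> Dict[str, KeyEntry]:
    """Columns: SERIAL FLAGS USAGE EXPIRY PERM UID GID TYPE DESCRIPTION[: SUMMARY]."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9:
            continue  # blank or truncated line
        serial, _flags, usage, _expiry, _perm, uid, _gid, ktype, rest = fields
        desc = rest.split(": ", 1)[0].rstrip(":")
        entries[serial] = KeyEntry(serial, int(usage), int(uid), ktype, desc)
    return entries

def leaked_keys(before: str, after: str, uid: int) -> List[KeyEntry]:
    """Entries owned by uid that appeared during the test and are still listed after it."""
    base = parse_proc_keys(before)
    return sorted(e for s, e in parse_proc_keys(after).items()
                  if s not in base and e.uid == uid and e.ktype in WATCHED_TYPES)

# Constructed snapshots (not real output): BEFORE is the baseline, AFTER was
# taken once every test process had exited.
BEFORE = """
0a1b2c3d I--Q---     4 perm 3f030000  1000  1000 keyring   _ses: 1
1c2d3e4f I--Q---     2 perm 1f3f0000  1000 65534 keyring   _uid.1000: empty
"""
AFTER = BEFORE + """
2b3c4d5e I--Q---     2 perm 3f010000  1000  1000 rxrpc     afs@EXAMPLE.TEST
3d4e5f60 I--Q---     3 perm 3f010000  1000  1000 keyring   rxrpc-test-ring: empty
"""

if __name__ == "__main__":
    for e in leaked_keys(BEFORE, AFTER, uid=1000):
        print(f"still present: {e.serial} type={e.ktype} usage={e.usage} desc={e.description}")
```

On a live system the two strings would be read from /proc/keys by a user allowed to view the test keys, with the second read taken after the test processes have exited.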
More information about the linux-afs mailing list