[PATCH 1/2] rxrpc: Fix keyring reference count leak in rxrpc_setsockopt()
Simon Horman
horms at kernel.org
Thu Mar 19 09:10:04 PDT 2026
On Fri, Mar 13, 2026 at 10:23:26AM -0300, Anderson Nascimento wrote:
> In rxrpc_setsockopt(), the code checks 'rx->key' when handling the
> RXRPC_SECURITY_KEYRING option. However, this appears to be a logic error.
> The code should be checking 'rx->securities' to determine if a keyring
> has already been defined for the socket.
>
> Currently, if a user calls setsockopt(RXRPC_SECURITY_KEYRING) multiple
> times on the same socket, the check 'if (rx->key)' fails to block
> subsequent calls because 'rx->key' has not been defined by the function.
> This results in a reference count leak on the keyring.
>
> This patch changes the check to 'rx->securities' to correctly identify
> if the socket security keyring has already been configured, returning -EINVAL
> on subsequent attempts.
>
> Before the patch:
>
> It shows the keyring reference counter elevated.
>
> $ cat /proc/keys | grep AFSkeys1
> 27aca8ae I--Q--- 24469721 perm 3f010000 1000 1000 keyring AFSkeys1: empty
> $
>
> After the patch:
>
> The keyring reference counter remains stable and subsequent calls return an error:
>
> $ ./poc
> setsockopt: Invalid argument
> $
>
> Fixes: 17926a7 ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
nit: Please use 12 (or more if needed to avoid a collision) bytes
for the hash in Fixes tags.
> Signed-off-by: Anderson Nascimento <anderson at allelesecurity.com>
...
More information about the linux-afs
mailing list