[PATCH net 0/5] rxrpc: Miscellaneous fixes

From: David Howells

Date: Tue Jun 09 2026 - 10:09:52 EST


Here are some miscellaneous AF_RXRPC fixes:

 (1) Make sure rxrpc_verify_data() allocates a buffer, even if the DATA packet
     being looked at is zero length, to avoid potential NULL-pointer
     exceptions.

 (2) Don't move an OOB message (e.g. an RxGK CHALLENGE) off the receive queue
     onto the pending queue in recvmsg() if MSG_PEEK is specified.

 (3) Fix a potential UAF in rxgk_issue_challenge() in which a tracepoint
     refers to memory just freed by a different pointer.

 (4) Fix afs net namespace teardown to cancel the incoming call preallocation
     charger before we disable listening (which will delete the preallocation
     queue).

 (5) Fix rxrpc_kernel_charge_accept() to use the socket mutex to defend
     against listen(0)/shutdown simultaneously deleting the preallocation queue.

David

The patches can be found here also:

http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-fixes

David Howells (2):
      rxrpc: Fix UAF in rxgk_issue_challenge()
      afs: Fix netns teardown to cancel the preallocation charger

Hyunwoo Kim (1):
      rxrpc: Don't move a peeked OOB message onto the pending queue

Jeffrey Altman (1):
      rxrpc: rxrpc_verify_data ensure rx_dec_buffer alloc

Li Daming (1):
      rxrpc: serialize kernel accept preallocation with socket teardown

 fs/afs/rxrpc.c          |  6 ++++--
 net/rxrpc/call_accept.c | 25 +++++++++++++++++++------
 net/rxrpc/recvmsg.c     | 13 +++++++------
 net/rxrpc/rxgk.c        |  3 ++-
 4 files changed, 32 insertions(+), 15 deletions(-)