| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/06/24 17:01 | flow | patch-triage |
0mArgs:null Results: {
"EnableConfigs": [
"AFS_FS",
"AF_RXRPC"
],
"FocusSymbols": [
"rxrpc_notify_socket_oob",
"rxrpc_post_challenge",
"rxrpc_respond_to_oob",
"afs_rx_notify_oob",
"afs_process_oob_queue",
"afs_close_socket",
"rxrpc_close_tx_phase",
"rxrpc_end_tx_phase",
"rxrpc_receiving_reply"
],
"Reasoning": "The patch introduces functional changes to the rxrpc and afs subsystems, specifically modifying the out-of-band (OOB) message handling and the rxrpc call state machine (adding RXRPC_CALL_CLIENT_PRE_SEND and RXRPC_CALL_CLIENT_AWAIT_ACK states). These changes affect core network logic and should be fuzzed to ensure they do not introduce regressions or vulnerabilities.",
"WorthFuzzing": true
} |
| 1/1 | 2026/06/24 17:01 | action | read-patch-diff |
0mArgs:null Results: {
"PatchDiff": "commit ce55556d217835195f2cb9ddb0ac9543d1cdf4c6\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Wed Jun 24 17:01:33 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/fs/afs/cm_security.c b/fs/afs/cm_security.c\nindex edcbd249d2024a..103168c70dd4df 100644\n--- a/fs/afs/cm_security.c\n+++ b/fs/afs/cm_security.c\n@@ -101,7 +101,8 @@ void afs_process_oob_queue(struct work_struct *work)\n \tstruct sk_buff *oob;\n \tenum rxrpc_oob_type type;\n \n-\twhile ((oob = rxrpc_kernel_dequeue_oob(net-\u003esocket, \u0026type))) {\n+\twhile (READ_ONCE(net-\u003elive) \u0026\u0026\n+\t (oob = rxrpc_kernel_dequeue_oob(net-\u003esocket, \u0026type))) {\n \t\tswitch (type) {\n \t\tcase RXRPC_OOB_CHALLENGE:\n \t\t\tafs_respond_to_challenge(oob);\ndiff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c\nindex d5cfd24e815bdd..d82916657a3ddf 100644\n--- a/fs/afs/rxrpc.c\n+++ b/fs/afs/rxrpc.c\n@@ -128,8 +128,14 @@ void afs_close_socket(struct afs_net *net)\n \t_enter(\"\");\n \n \tcancel_work_sync(\u0026net-\u003echarge_preallocation_work);\n+\tcancel_work_sync(\u0026net-\u003erx_oob_work);\n+\t/* Future work items should now see -\u003elive is false. */\n+\n \tkernel_listen(net-\u003esocket, 0);\n+\n+\t/* Make sure work items are no longer running. 
*/\n \tflush_workqueue(afs_async_calls);\n+\tcancel_work_sync(\u0026net-\u003echarge_preallocation_work);\n \n \tif (net-\u003espare_incoming_call) {\n \t\tafs_put_call(net-\u003espare_incoming_call);\n@@ -143,6 +149,7 @@ void afs_close_socket(struct afs_net *net)\n \n \tkernel_sock_shutdown(net-\u003esocket, SHUT_RDWR);\n \tflush_workqueue(afs_async_calls);\n+\tcancel_work_sync(\u0026net-\u003erx_oob_work);\n \tnet-\u003esocket-\u003esk-\u003esk_user_data = NULL;\n \tsock_release(net-\u003esocket);\n \tkey_put(net-\u003efs_cm_token_key);\n@@ -984,5 +991,6 @@ static void afs_rx_notify_oob(struct sock *sk, struct sk_buff *oob)\n {\n \tstruct afs_net *net = sk-\u003esk_user_data;\n \n-\tschedule_work(\u0026net-\u003erx_oob_work);\n+\tif (READ_ONCE(net-\u003elive))\n+\t\tqueue_work(afs_wq, \u0026net-\u003erx_oob_work);\n }\ndiff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h\nindex 5802f6f78723bc..ce946b0a03e2b3 100644\n--- a/net/rxrpc/ar-internal.h\n+++ b/net/rxrpc/ar-internal.h\n@@ -669,7 +669,9 @@ enum rxrpc_call_event {\n enum rxrpc_call_state {\n \tRXRPC_CALL_UNINITIALISED,\n \tRXRPC_CALL_CLIENT_AWAIT_CONN,\t/* - client waiting for connection to become available */\n+\tRXRPC_CALL_CLIENT_PRE_SEND,\t/* - client is connected, but hasn't sent anything yet */\n \tRXRPC_CALL_CLIENT_SEND_REQUEST,\t/* - client sending request phase */\n+\tRXRPC_CALL_CLIENT_AWAIT_ACK,\t/* - client awaiting ACKs of request */\n \tRXRPC_CALL_CLIENT_AWAIT_REPLY,\t/* - client awaiting reply */\n \tRXRPC_CALL_CLIENT_RECV_REPLY,\t/* - client receiving reply phase */\n \tRXRPC_CALL_SERVER_PREALLOC,\t/* - service preallocation */\n@@ -1374,9 +1376,9 @@ static inline struct rxrpc_net *rxrpc_net(struct net *net)\n }\n \n /*\n- * out_of_band.c\n+ * oob.c\n */\n-void rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb);\n+bool rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb);\n void rxrpc_add_pending_oob(struct rxrpc_sock *rx, struct sk_buff *skb);\n 
int rxrpc_sendmsg_oob(struct rxrpc_sock *rx, struct msghdr *msg, size_t len);\n \ndiff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c\nindex fec59d9338b9fb..21be9c86d7a74f 100644\n--- a/net/rxrpc/call_event.c\n+++ b/net/rxrpc/call_event.c\n@@ -178,7 +178,7 @@ static void rxrpc_close_tx_phase(struct rxrpc_call *call)\n \n \tswitch (__rxrpc_call_state(call)) {\n \tcase RXRPC_CALL_CLIENT_SEND_REQUEST:\n-\t\trxrpc_set_call_state(call, RXRPC_CALL_CLIENT_AWAIT_REPLY);\n+\t\trxrpc_set_call_state(call, RXRPC_CALL_CLIENT_AWAIT_ACK);\n \t\tbreak;\n \tcase RXRPC_CALL_SERVER_SEND_REPLY:\n \t\trxrpc_set_call_state(call, RXRPC_CALL_SERVER_AWAIT_ACK);\n@@ -244,6 +244,8 @@ static void rxrpc_transmit_fresh_data(struct rxrpc_call *call, unsigned int limi\n \t\t\t\tbreak;\n \t\t} while (req.n \u003c limit \u0026\u0026 before(seq, send_top));\n \n+\t\tif (__rxrpc_call_state(call) == RXRPC_CALL_CLIENT_PRE_SEND)\n+\t\t\trxrpc_set_call_state(call, RXRPC_CALL_CLIENT_SEND_REQUEST);\n \t\tif (txb-\u003eflags \u0026 RXRPC_LAST_PACKET) {\n \t\t\trxrpc_close_tx_phase(call);\n \t\t\ttq = NULL;\n@@ -267,6 +269,7 @@ void rxrpc_transmit_some_data(struct rxrpc_call *call, unsigned int limit,\n \t\tfallthrough;\n \n \tcase RXRPC_CALL_SERVER_SEND_REPLY:\n+\tcase RXRPC_CALL_CLIENT_PRE_SEND:\n \tcase RXRPC_CALL_CLIENT_SEND_REQUEST:\n \t\tif (!rxrpc_tx_window_space(call))\n \t\t\treturn;\ndiff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c\nindex fcb9d38bb5214a..817ed9acb91e61 100644\n--- a/net/rxrpc/call_object.c\n+++ b/net/rxrpc/call_object.c\n@@ -18,7 +18,9 @@\n const char *const rxrpc_call_states[NR__RXRPC_CALL_STATES] = {\n \t[RXRPC_CALL_UNINITIALISED]\t\t= \"Uninit \",\n \t[RXRPC_CALL_CLIENT_AWAIT_CONN]\t\t= \"ClWtConn\",\n+\t[RXRPC_CALL_CLIENT_PRE_SEND]\t\t= \"ClPreSnd\",\n \t[RXRPC_CALL_CLIENT_SEND_REQUEST]\t= \"ClSndReq\",\n+\t[RXRPC_CALL_CLIENT_AWAIT_ACK]\t\t= \"ClAwtAck\",\n \t[RXRPC_CALL_CLIENT_AWAIT_REPLY]\t\t= \"ClAwtRpl\",\n \t[RXRPC_CALL_CLIENT_RECV_REPLY]\t\t= 
\"ClRcvRpl\",\n \t[RXRPC_CALL_SERVER_PREALLOC]\t\t= \"SvPrealc\",\ndiff --git a/net/rxrpc/conn_client.c b/net/rxrpc/conn_client.c\nindex 9b757798deddb8..48519f0de18539 100644\n--- a/net/rxrpc/conn_client.c\n+++ b/net/rxrpc/conn_client.c\n@@ -449,7 +449,7 @@ static void rxrpc_activate_one_channel(struct rxrpc_connection *conn,\n \ttrace_rxrpc_connect_call(call);\n \tcall-\u003etx_last_sent = ktime_get_real();\n \trxrpc_start_call_timer(call);\n-\trxrpc_set_call_state(call, RXRPC_CALL_CLIENT_SEND_REQUEST);\n+\trxrpc_set_call_state(call, RXRPC_CALL_CLIENT_PRE_SEND);\n \twake_up(\u0026call-\u003ewaitq);\n }\n \ndiff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c\nindex c96ca615b787c6..611c790bc6d0ce 100644\n--- a/net/rxrpc/conn_event.c\n+++ b/net/rxrpc/conn_event.c\n@@ -436,7 +436,7 @@ static bool rxrpc_post_challenge(struct rxrpc_connection *conn,\n \tstruct rxrpc_skb_priv *sp = rxrpc_skb(skb);\n \tstruct rxrpc_call *call = NULL;\n \tstruct rxrpc_sock *rx;\n-\tbool respond = false;\n+\tbool respond = false, queued = false;\n \n \tsp-\u003echall.conn =\n \t\trxrpc_get_connection(conn, rxrpc_conn_get_challenge_input);\n@@ -472,8 +472,13 @@ static bool rxrpc_post_challenge(struct rxrpc_connection *conn,\n \t}\n \n \tif (call)\n-\t\trxrpc_notify_socket_oob(call, skb);\n+\t\tqueued = rxrpc_notify_socket_oob(call, skb);\n \trcu_read_unlock();\n+\tif (call \u0026\u0026 !queued) {\n+\t\trxrpc_put_connection(conn, rxrpc_conn_put_challenge_input);\n+\t\tsp-\u003echall.conn = NULL;\n+\t\treturn false;\n+\t}\n \n \tif (!call)\n \t\trxrpc_post_packet_to_conn(conn, skb);\ndiff --git a/net/rxrpc/input.c b/net/rxrpc/input.c\nindex ce761466b02d61..73cafe6bfa9f54 100644\n--- a/net/rxrpc/input.c\n+++ b/net/rxrpc/input.c\n@@ -181,7 +181,8 @@ void rxrpc_congestion_degrade(struct rxrpc_call *call)\n \tif (call-\u003econg_ca_state != RXRPC_CA_SLOW_START \u0026\u0026\n \t call-\u003econg_ca_state != RXRPC_CA_CONGEST_AVOIDANCE)\n \t\treturn;\n-\tif (__rxrpc_call_state(call) == 
RXRPC_CALL_CLIENT_AWAIT_REPLY)\n+\tif (__rxrpc_call_state(call) == RXRPC_CALL_CLIENT_AWAIT_ACK ||\n+\t __rxrpc_call_state(call) == RXRPC_CALL_CLIENT_AWAIT_REPLY)\n \t\treturn;\n \n \trtt = ns_to_ktime(call-\u003esrtt_us * (NSEC_PER_USEC / 8));\n@@ -236,6 +237,9 @@ static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,\n \t\tcall-\u003eacks_lowest_nak = to;\n \t}\n \n+\tif (after(seq, to))\n+\t\treturn false;\n+\n \t/* We may have a left over fully-consumed buffer at the front that we\n \t * couldn't drop before (rotate_and_keep below).\n \t */\n@@ -247,7 +251,7 @@ static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,\n \t\ttq = call-\u003etx_queue;\n \t}\n \n-\tdo {\n+\twhile (before_eq(seq, to)) {\n \t\tunsigned int ix = seq - call-\u003etx_qbase;\n \n \t\t_debug(\"tq=%x seq=%x i=%d f=%x\", tq-\u003eqbase, seq, ix, tq-\u003ebufs[ix]-\u003eflags);\n@@ -317,8 +321,7 @@ static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,\n \t\t\t\tbreak;\n \t\t\t}\n \t\t}\n-\n-\t} while (before_eq(seq, to));\n+\t}\n \n \tif (trace)\n \t\ttrace_rxrpc_rack_update(call, summary);\n@@ -356,6 +359,7 @@ static void rxrpc_end_tx_phase(struct rxrpc_call *call, bool reply_begun,\n \n \tswitch (__rxrpc_call_state(call)) {\n \tcase RXRPC_CALL_CLIENT_SEND_REQUEST:\n+\tcase RXRPC_CALL_CLIENT_AWAIT_ACK:\n \tcase RXRPC_CALL_CLIENT_AWAIT_REPLY:\n \t\tif (reply_begun) {\n \t\t\trxrpc_set_call_state(call, RXRPC_CALL_CLIENT_RECV_REPLY);\n@@ -392,6 +396,14 @@ static bool rxrpc_receiving_reply(struct rxrpc_call *call)\n \t\ttrace_rxrpc_timer_can(call, rxrpc_timer_trace_delayed_ack);\n \t}\n \n+\t/* Deal with an apparent reply coming in before we've got the request\n+\t * queued or transmitted.\n+\t */\n+\tif (!test_bit(RXRPC_CALL_EXPOSED, \u0026call-\u003eflags)) {\n+\t\trxrpc_proto_abort(call, top, rxrpc_eproto_early_reply);\n+\t\treturn false;\n+\t}\n+\n \tif (!test_bit(RXRPC_CALL_TX_LAST, \u0026call-\u003eflags)) {\n \t\tif 
(!rxrpc_rotate_tx_window(call, top, \u0026summary)) {\n \t\t\trxrpc_proto_abort(call, top, rxrpc_eproto_early_reply);\n@@ -694,6 +706,7 @@ static void rxrpc_input_data(struct rxrpc_call *call, struct sk_buff *skb)\n \n \tswitch (__rxrpc_call_state(call)) {\n \tcase RXRPC_CALL_CLIENT_SEND_REQUEST:\n+\tcase RXRPC_CALL_CLIENT_AWAIT_ACK:\n \tcase RXRPC_CALL_CLIENT_AWAIT_REPLY:\n \t\t/* Received data implicitly ACKs all of the request\n \t\t * packets we sent when we're acting as a client.\n@@ -1154,10 +1167,12 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb)\n \tif (hard_ack + 1 == 0)\n \t\treturn rxrpc_proto_abort(call, 0, rxrpc_eproto_ackr_zero);\n \n-\t/* Ignore ACKs unless we are or have just been transmitting. */\n+\t/* Ignore ACKs unless we are transmitting or are waiting for\n+\t * acknowledgement of the packets we've just been transmitting.\n+\t */\n \tswitch (__rxrpc_call_state(call)) {\n \tcase RXRPC_CALL_CLIENT_SEND_REQUEST:\n-\tcase RXRPC_CALL_CLIENT_AWAIT_REPLY:\n+\tcase RXRPC_CALL_CLIENT_AWAIT_ACK:\n \tcase RXRPC_CALL_SERVER_SEND_REPLY:\n \tcase RXRPC_CALL_SERVER_AWAIT_ACK:\n \t\tbreak;\n@@ -1215,7 +1230,17 @@ static void rxrpc_input_ackall(struct rxrpc_call *call, struct sk_buff *skb)\n {\n \tstruct rxrpc_ack_summary summary = { 0 };\n \n-\tif (rxrpc_rotate_tx_window(call, call-\u003etx_top, \u0026summary))\n+\tswitch (__rxrpc_call_state(call)) {\n+\tcase RXRPC_CALL_CLIENT_SEND_REQUEST:\n+\tcase RXRPC_CALL_CLIENT_AWAIT_ACK:\n+\tcase RXRPC_CALL_SERVER_SEND_REPLY:\n+\tcase RXRPC_CALL_SERVER_AWAIT_ACK:\n+\t\tbreak;\n+\tdefault:\n+\t\treturn;\n+\t}\n+\n+\tif (rxrpc_rotate_tx_window(call, call-\u003etx_transmitted, \u0026summary))\n \t\trxrpc_end_tx_phase(call, false, rxrpc_eproto_unexpected_ackall);\n }\n \ndiff --git a/net/rxrpc/oob.c b/net/rxrpc/oob.c\nindex 05ca9c1faa577d..c80ee2487d0941 100644\n--- a/net/rxrpc/oob.c\n+++ b/net/rxrpc/oob.c\n@@ -32,11 +32,12 @@ struct rxrpc_oob_params {\n * Post an out-of-band message for 
attention by the socket or kernel service\n * associated with a reference call.\n */\n-void rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb)\n+bool rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb)\n {\n \tstruct rxrpc_skb_priv *sp = rxrpc_skb(skb);\n \tstruct rxrpc_sock *rx;\n \tstruct sock *sk;\n+\tbool queued = false;\n \n \trcu_read_lock();\n \n@@ -49,6 +50,7 @@ void rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb)\n \t\t\tskb-\u003eskb_mstamp_ns = rx-\u003eoob_id_counter++;\n \t\t\trxrpc_get_skb(skb, rxrpc_skb_get_post_oob);\n \t\t\tskb_queue_tail(\u0026rx-\u003erecvmsg_oobq, skb);\n+\t\t\tqueued = true;\n \n \t\t\ttrace_rxrpc_notify_socket(call-\u003edebug_id, sp-\u003ehdr.serial);\n \t\t\tif (rx-\u003eapp_ops)\n@@ -56,11 +58,12 @@ void rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb)\n \t\t}\n \n \t\tspin_unlock_irq(\u0026rx-\u003erecvmsg_lock);\n-\t\tif (!rx-\u003eapp_ops \u0026\u0026 !sock_flag(sk, SOCK_DEAD))\n+\t\tif (queued \u0026\u0026 !rx-\u003eapp_ops \u0026\u0026 !sock_flag(sk, SOCK_DEAD))\n \t\t\tsk-\u003esk_data_ready(sk);\n \t}\n \n \trcu_read_unlock();\n+\treturn queued;\n }\n \n /*\n@@ -210,6 +213,11 @@ static int rxrpc_respond_to_oob(struct rxrpc_sock *rx,\n \t\tbreak;\n \t}\n \n+\tswitch (skb-\u003emark) {\n+\tcase RXRPC_OOB_CHALLENGE:\n+\t\trxrpc_put_connection(sp-\u003echall.conn, rxrpc_conn_put_oob);\n+\t\tbreak;\n+\t}\n \trxrpc_free_skb(skb, rxrpc_skb_put_oob);\n \treturn ret;\n }\ndiff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c\nindex 82614cbdb60f5e..efcba4b2e74f0c 100644\n--- a/net/rxrpc/recvmsg.c\n+++ b/net/rxrpc/recvmsg.c\n@@ -27,8 +27,6 @@ void rxrpc_notify_socket(struct rxrpc_call *call)\n \n \t_enter(\"%d\", call-\u003edebug_id);\n \n-\tif (!list_empty(\u0026call-\u003erecvmsg_link))\n-\t\treturn;\n \tif (test_bit(RXRPC_CALL_RELEASED, \u0026call-\u003eflags)) {\n \t\trxrpc_see_call(call, rxrpc_call_see_notify_released);\n \t\treturn;\n@@ 
-438,7 +436,8 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,\n \t\treturn -EAGAIN;\n \t}\n \n-\tif (list_empty(\u0026rx-\u003erecvmsg_q)) {\n+\tif (list_empty(\u0026rx-\u003erecvmsg_q) \u0026\u0026\n+\t skb_queue_empty_lockless(\u0026rx-\u003erecvmsg_oobq)) {\n \t\tret = -EWOULDBLOCK;\n \t\tif (timeo == 0) {\n \t\t\tcall = NULL;\n@@ -471,7 +470,7 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,\n \t\trelease_sock(\u0026rx-\u003esk);\n \t\tif (ret == -EAGAIN)\n \t\t\tgoto try_again;\n-\t\tgoto error_no_call;\n+\t\tgoto error_trace;\n \t}\n \n \t/* Find the next call and dequeue it if we're not just peeking. If we\n@@ -530,8 +529,7 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,\n \tif (test_bit(RXRPC_CALL_RELEASED, \u0026call-\u003eflags)) {\n \t\trxrpc_see_call(call, rxrpc_call_see_already_released);\n \t\tmutex_unlock(\u0026call-\u003euser_mutex);\n-\t\tif (!(flags \u0026 MSG_PEEK))\n-\t\t\trxrpc_put_call(call, rxrpc_call_put_recvmsg);\n+\t\trxrpc_put_call(call, rxrpc_call_put_recvmsg);\n \t\tgoto try_again;\n \t}\n \ndiff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c\nindex c35de4fd75e311..ed2c9a51005ade 100644\n--- a/net/rxrpc/sendmsg.c\n+++ b/net/rxrpc/sendmsg.c\n@@ -366,7 +366,8 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,\n \tif (state \u003e= RXRPC_CALL_COMPLETE)\n \t\tgoto maybe_error;\n \tret = -EPROTO;\n-\tif (state != RXRPC_CALL_CLIENT_SEND_REQUEST \u0026\u0026\n+\tif (state != RXRPC_CALL_CLIENT_PRE_SEND \u0026\u0026\n+\t state != RXRPC_CALL_CLIENT_SEND_REQUEST \u0026\u0026\n \t state != RXRPC_CALL_SERVER_ACK_REQUEST \u0026\u0026\n \t state != RXRPC_CALL_SERVER_SEND_REPLY) {\n \t\t/* Request phase complete for this client call */\n"
} |
| 2/1 | 2026/06/24 17:01 | agent | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": [
"AFS_FS",
"AF_RXRPC"
],
"FocusSymbols": [
"rxrpc_notify_socket_oob",
"rxrpc_post_challenge",
"rxrpc_respond_to_oob",
"afs_rx_notify_oob",
"afs_process_oob_queue",
"afs_close_socket",
"rxrpc_close_tx_phase",
"rxrpc_end_tx_phase",
"rxrpc_receiving_reply"
],
"Reasoning": "The patch introduces functional changes to the rxrpc and afs subsystems, specifically modifying the out-of-band (OOB) message handling and the rxrpc call state machine (adding RXRPC_CALL_CLIENT_PRE_SEND and RXRPC_CALL_CLIENT_AWAIT_ACK states). These changes affect core network logic and should be fuzzed to ensure they do not introduce regressions or vulnerabilities.",
"WorthFuzzing": true
}Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions. Return WorthFuzzing=false if the patch only contains: - Modifications to Documentation/, Kconfig files, or code comments. - Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints. - Changes to numeric constants or macros that do not functionally alter execution flow. - Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim). If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true. When returning WorthFuzzing=true, you MUST ALSO: 1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions. 2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4"). Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. 
Prompt: For your convenience, here is the diff of the changes:
commit ce55556d217835195f2cb9ddb0ac9543d1cdf4c6
Author: syz-cluster <triage@syzkaller.com>
Date: Wed Jun 24 17:01:33 2026 +0000
syz-cluster: applied patch under review
diff --git a/fs/afs/cm_security.c b/fs/afs/cm_security.c
index edcbd249d2024a..103168c70dd4df 100644
--- a/fs/afs/cm_security.c
+++ b/fs/afs/cm_security.c
@@ -101,7 +101,8 @@ void afs_process_oob_queue(struct work_struct *work)
struct sk_buff *oob;
enum rxrpc_oob_type type;
- while ((oob = rxrpc_kernel_dequeue_oob(net->socket, &type))) {
+ while (READ_ONCE(net->live) &&
+ (oob = rxrpc_kernel_dequeue_oob(net->socket, &type))) {
switch (type) {
case RXRPC_OOB_CHALLENGE:
afs_respond_to_challenge(oob);
diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c
index d5cfd24e815bdd..d82916657a3ddf 100644
--- a/fs/afs/rxrpc.c
+++ b/fs/afs/rxrpc.c
@@ -128,8 +128,14 @@ void afs_close_socket(struct afs_net *net)
_enter("");
cancel_work_sync(&net->charge_preallocation_work);
+ cancel_work_sync(&net->rx_oob_work);
+ /* Future work items should now see ->live is false. */
+
kernel_listen(net->socket, 0);
+
+ /* Make sure work items are no longer running. */
flush_workqueue(afs_async_calls);
+ cancel_work_sync(&net->charge_preallocation_work);
if (net->spare_incoming_call) {
afs_put_call(net->spare_incoming_call);
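Review bot: The comment "Future work items should now see ->live is false" in afs_close_socket() is not backed by anything in this hunk: no store to net->live is visible here, so the reader cannot tell what pairs with the new READ_ONCE(net->live) checks. Name the function that clears ->live in the comment, and use WRITE_ONCE() there if it does not already. The second cancel_work_sync(&net->charge_preallocation_work) after flush_workqueue() also deserves a one-line comment saying what can requeue that work between the two calls.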
@@ -143,6 +149,7 @@ void afs_close_socket(struct afs_net *net)
kernel_sock_shutdown(net->socket, SHUT_RDWR);
flush_workqueue(afs_async_calls);
+ cancel_work_sync(&net->rx_oob_work);
net->socket->sk->sk_user_data = NULL;
sock_release(net->socket);
key_put(net->fs_cm_token_key);
@@ -984,5 +991,6 @@ static void afs_rx_notify_oob(struct sock *sk, struct sk_buff *oob)
{
struct afs_net *net = sk->sk_user_data;
- schedule_work(&net->rx_oob_work);
+ if (READ_ONCE(net->live))
+ queue_work(afs_wq, &net->rx_oob_work);
}
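Review bot: afs_rx_notify_oob() dereferences net straight from sk->sk_user_data, while afs_close_socket() in the same file sets sk_user_data to NULL right after its final cancel_work_sync(&net->rx_oob_work). If a notification can still arrive in that window, READ_ONCE(net->live) is a NULL dereference; either add a NULL check on net or document why the callback cannot run after kernel_sock_shutdown(). The switch from schedule_work() to queue_work(afs_wq, ...) is also unexplained and should be mentioned in the changelog.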
diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index 5802f6f78723bc..ce946b0a03e2b3 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -669,7 +669,9 @@ enum rxrpc_call_event {
enum rxrpc_call_state {
RXRPC_CALL_UNINITIALISED,
RXRPC_CALL_CLIENT_AWAIT_CONN, /* - client waiting for connection to become available */
+ RXRPC_CALL_CLIENT_PRE_SEND, /* - client is connected, but hasn't sent anything yet */
RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
+ RXRPC_CALL_CLIENT_AWAIT_ACK, /* - client awaiting ACKs of request */
RXRPC_CALL_CLIENT_AWAIT_REPLY, /* - client awaiting reply */
RXRPC_CALL_CLIENT_RECV_REPLY, /* - client receiving reply phase */
RXRPC_CALL_SERVER_PREALLOC, /* - service preallocation */
@@ -1374,9 +1376,9 @@ static inline struct rxrpc_net *rxrpc_net(struct net *net)
}
/*
- * out_of_band.c
+ * oob.c
*/
-void rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb);
+bool rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb);
void rxrpc_add_pending_oob(struct rxrpc_sock *rx, struct sk_buff *skb);
int rxrpc_sendmsg_oob(struct rxrpc_sock *rx, struct msghdr *msg, size_t len);
diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
index fec59d9338b9fb..21be9c86d7a74f 100644
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -178,7 +178,7 @@ static void rxrpc_close_tx_phase(struct rxrpc_call *call)
switch (__rxrpc_call_state(call)) {
case RXRPC_CALL_CLIENT_SEND_REQUEST:
- rxrpc_set_call_state(call, RXRPC_CALL_CLIENT_AWAIT_REPLY);
+ rxrpc_set_call_state(call, RXRPC_CALL_CLIENT_AWAIT_ACK);
break;
case RXRPC_CALL_SERVER_SEND_REPLY:
rxrpc_set_call_state(call, RXRPC_CALL_SERVER_AWAIT_ACK);
@@ -244,6 +244,8 @@ static void rxrpc_transmit_fresh_data(struct rxrpc_call *call, unsigned int limi
break;
} while (req.n < limit && before(seq, send_top));
+ if (__rxrpc_call_state(call) == RXRPC_CALL_CLIENT_PRE_SEND)
+ rxrpc_set_call_state(call, RXRPC_CALL_CLIENT_SEND_REQUEST);
if (txb->flags & RXRPC_LAST_PACKET) {
rxrpc_close_tx_phase(call);
tq = NULL;
@@ -267,6 +269,7 @@ void rxrpc_transmit_some_data(struct rxrpc_call *call, unsigned int limit,
fallthrough;
case RXRPC_CALL_SERVER_SEND_REPLY:
+ case RXRPC_CALL_CLIENT_PRE_SEND:
case RXRPC_CALL_CLIENT_SEND_REQUEST:
if (!rxrpc_tx_window_space(call))
return;
diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c
index fcb9d38bb5214a..817ed9acb91e61 100644
--- a/net/rxrpc/call_object.c
+++ b/net/rxrpc/call_object.c
@@ -18,7 +18,9 @@
const char *const rxrpc_call_states[NR__RXRPC_CALL_STATES] = {
[RXRPC_CALL_UNINITIALISED] = "Uninit ",
[RXRPC_CALL_CLIENT_AWAIT_CONN] = "ClWtConn",
+ [RXRPC_CALL_CLIENT_PRE_SEND] = "ClPreSnd",
[RXRPC_CALL_CLIENT_SEND_REQUEST] = "ClSndReq",
+ [RXRPC_CALL_CLIENT_AWAIT_ACK] = "ClAwtAck",
[RXRPC_CALL_CLIENT_AWAIT_REPLY] = "ClAwtRpl",
[RXRPC_CALL_CLIENT_RECV_REPLY] = "ClRcvRpl",
[RXRPC_CALL_SERVER_PREALLOC] = "SvPrealc",
diff --git a/net/rxrpc/conn_client.c b/net/rxrpc/conn_client.c
index 9b757798deddb8..48519f0de18539 100644
--- a/net/rxrpc/conn_client.c
+++ b/net/rxrpc/conn_client.c
@@ -449,7 +449,7 @@ static void rxrpc_activate_one_channel(struct rxrpc_connection *conn,
trace_rxrpc_connect_call(call);
call->tx_last_sent = ktime_get_real();
rxrpc_start_call_timer(call);
- rxrpc_set_call_state(call, RXRPC_CALL_CLIENT_SEND_REQUEST);
+ rxrpc_set_call_state(call, RXRPC_CALL_CLIENT_PRE_SEND);
wake_up(&call->waitq);
}
diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index c96ca615b787c6..611c790bc6d0ce 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -436,7 +436,7 @@ static bool rxrpc_post_challenge(struct rxrpc_connection *conn,
struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
struct rxrpc_call *call = NULL;
struct rxrpc_sock *rx;
- bool respond = false;
+ bool respond = false, queued = false;
sp->chall.conn =
rxrpc_get_connection(conn, rxrpc_conn_get_challenge_input);
@@ -472,8 +472,13 @@ static bool rxrpc_post_challenge(struct rxrpc_connection *conn,
}
if (call)
- rxrpc_notify_socket_oob(call, skb);
+ queued = rxrpc_notify_socket_oob(call, skb);
rcu_read_unlock();
+ if (call && !queued) {
+ rxrpc_put_connection(conn, rxrpc_conn_put_challenge_input);
+ sp->chall.conn = NULL;
+ return false;
+ }
if (!call)
rxrpc_post_packet_to_conn(conn, skb);
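Review bot: In rxrpc_post_challenge(), the new `if (call && !queued)` block drops the connection reference with rxrpc_conn_put_challenge_input, while on the queued path the reference is now dropped in rxrpc_respond_to_oob() with rxrpc_conn_put_oob. A short comment here stating who owns sp->chall.conn on each path would make that hand-off reviewable. The two tests on call that follow rcu_read_unlock() would also read more clearly as a single if/else.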
diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
index ce761466b02d61..73cafe6bfa9f54 100644
--- a/net/rxrpc/input.c
+++ b/net/rxrpc/input.c
@@ -181,7 +181,8 @@ void rxrpc_congestion_degrade(struct rxrpc_call *call)
if (call->cong_ca_state != RXRPC_CA_SLOW_START &&
call->cong_ca_state != RXRPC_CA_CONGEST_AVOIDANCE)
return;
- if (__rxrpc_call_state(call) == RXRPC_CALL_CLIENT_AWAIT_REPLY)
+ if (__rxrpc_call_state(call) == RXRPC_CALL_CLIENT_AWAIT_ACK ||
+ __rxrpc_call_state(call) == RXRPC_CALL_CLIENT_AWAIT_REPLY)
return;
rtt = ns_to_ktime(call->srtt_us * (NSEC_PER_USEC / 8));
@@ -236,6 +237,9 @@ static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
call->acks_lowest_nak = to;
}
+ if (after(seq, to))
+ return false;
+
/* We may have a left over fully-consumed buffer at the front that we
* couldn't drop before (rotate_and_keep below).
*/
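Review bot: The early `if (after(seq, to)) return false;` in rxrpc_rotate_tx_window() needs a comment saying what case it covers, because the loop is converted to `while (before_eq(seq, to))` in the same patch and already skips its body in that case. Note too that rxrpc_receiving_reply() treats a false return as rxrpc_eproto_early_reply and aborts the call, so say whether an already-rotated window is meant to take that path.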
@@ -247,7 +251,7 @@ static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
tq = call->tx_queue;
}
- do {
+ while (before_eq(seq, to)) {
unsigned int ix = seq - call->tx_qbase;
_debug("tq=%x seq=%x i=%d f=%x", tq->qbase, seq, ix, tq->bufs[ix]->flags);
@@ -317,8 +321,7 @@ static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
break;
}
}
-
- } while (before_eq(seq, to));
+ }
if (trace)
trace_rxrpc_rack_update(call, summary);
@@ -356,6 +359,7 @@ static void rxrpc_end_tx_phase(struct rxrpc_call *call, bool reply_begun,
switch (__rxrpc_call_state(call)) {
case RXRPC_CALL_CLIENT_SEND_REQUEST:
+ case RXRPC_CALL_CLIENT_AWAIT_ACK:
case RXRPC_CALL_CLIENT_AWAIT_REPLY:
if (reply_begun) {
rxrpc_set_call_state(call, RXRPC_CALL_CLIENT_RECV_REPLY);
@@ -392,6 +396,14 @@ static bool rxrpc_receiving_reply(struct rxrpc_call *call)
trace_rxrpc_timer_can(call, rxrpc_timer_trace_delayed_ack);
}
+ /* Deal with an apparent reply coming in before we've got the request
+ * queued or transmitted.
+ */
+ if (!test_bit(RXRPC_CALL_EXPOSED, &call->flags)) {
+ rxrpc_proto_abort(call, top, rxrpc_eproto_early_reply);
+ return false;
+ }
+
if (!test_bit(RXRPC_CALL_TX_LAST, &call->flags)) {
if (!rxrpc_rotate_tx_window(call, top, &summary)) {
rxrpc_proto_abort(call, top, rxrpc_eproto_early_reply);
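Review bot: The new RXRPC_CALL_EXPOSED check in rxrpc_receiving_reply() aborts with rxrpc_eproto_early_reply, the same reason used by the rxrpc_rotate_tx_window() failure a few lines below, so the two cases cannot be told apart in traces. Consider a separate abort reason for the not-yet-exposed case, and have the comment say that RXRPC_CALL_EXPOSED is the condition standing in for "request queued or transmitted".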
@@ -694,6 +706,7 @@ static void rxrpc_input_data(struct rxrpc_call *call, struct sk_buff *skb)
switch (__rxrpc_call_state(call)) {
case RXRPC_CALL_CLIENT_SEND_REQUEST:
+ case RXRPC_CALL_CLIENT_AWAIT_ACK:
case RXRPC_CALL_CLIENT_AWAIT_REPLY:
/* Received data implicitly ACKs all of the request
* packets we sent when we're acting as a client.
@@ -1154,10 +1167,12 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb)
if (hard_ack + 1 == 0)
return rxrpc_proto_abort(call, 0, rxrpc_eproto_ackr_zero);
- /* Ignore ACKs unless we are or have just been transmitting. */
+ /* Ignore ACKs unless we are transmitting or are waiting for
+ * acknowledgement of the packets we've just been transmitting.
+ */
switch (__rxrpc_call_state(call)) {
case RXRPC_CALL_CLIENT_SEND_REQUEST:
- case RXRPC_CALL_CLIENT_AWAIT_REPLY:
+ case RXRPC_CALL_CLIENT_AWAIT_ACK:
case RXRPC_CALL_SERVER_SEND_REPLY:
case RXRPC_CALL_SERVER_AWAIT_ACK:
break;
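Review bot: rxrpc_input_ack() replaces RXRPC_CALL_CLIENT_AWAIT_REPLY with RXRPC_CALL_CLIENT_AWAIT_ACK rather than adding to it, so ACKs are now ignored in AWAIT_REPLY, whereas rxrpc_input_data() and rxrpc_end_tx_phase() keep both states. The updated comment explains the new state but not why the old one is dropped; add that, since this is a behaviour change for a client that has finished transmitting.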
@@ -1215,7 +1230,17 @@ static void rxrpc_input_ackall(struct rxrpc_call *call, struct sk_buff *skb)
{
struct rxrpc_ack_summary summary = { 0 };
- if (rxrpc_rotate_tx_window(call, call->tx_top, &summary))
+ switch (__rxrpc_call_state(call)) {
+ case RXRPC_CALL_CLIENT_SEND_REQUEST:
+ case RXRPC_CALL_CLIENT_AWAIT_ACK:
+ case RXRPC_CALL_SERVER_SEND_REPLY:
+ case RXRPC_CALL_SERVER_AWAIT_ACK:
+ break;
+ default:
+ return;
+ }
+
+ if (rxrpc_rotate_tx_window(call, call->tx_transmitted, &summary))
rxrpc_end_tx_phase(call, false, rxrpc_eproto_unexpected_ackall);
}
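Review bot: The state switch added to rxrpc_input_ackall() repeats the four-case list from rxrpc_input_ack() verbatim; a small helper shared by both would keep the two lists from drifting. The change of the rotate target from call->tx_top to call->tx_transmitted is a separate functional change and needs its own comment or changelog line.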
diff --git a/net/rxrpc/oob.c b/net/rxrpc/oob.c
index 05ca9c1faa577d..c80ee2487d0941 100644
--- a/net/rxrpc/oob.c
+++ b/net/rxrpc/oob.c
@@ -32,11 +32,12 @@ struct rxrpc_oob_params {
* Post an out-of-band message for attention by the socket or kernel service
* associated with a reference call.
*/
-void rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb)
+bool rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb)
{
struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
struct rxrpc_sock *rx;
struct sock *sk;
+ bool queued = false;
rcu_read_lock();
@@ -49,6 +50,7 @@ void rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb)
skb->skb_mstamp_ns = rx->oob_id_counter++;
rxrpc_get_skb(skb, rxrpc_skb_get_post_oob);
skb_queue_tail(&rx->recvmsg_oobq, skb);
+ queued = true;
trace_rxrpc_notify_socket(call->debug_id, sp->hdr.serial);
if (rx->app_ops)
@@ -56,11 +58,12 @@ void rxrpc_notify_socket_oob(struct rxrpc_call *call, struct sk_buff *skb)
}
spin_unlock_irq(&rx->recvmsg_lock);
- if (!rx->app_ops && !sock_flag(sk, SOCK_DEAD))
+ if (queued && !rx->app_ops && !sock_flag(sk, SOCK_DEAD))
sk->sk_data_ready(sk);
}
rcu_read_unlock();
+ return queued;
}
/*
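Review bot: rxrpc_notify_socket_oob() now ends with `return queued;`, but the comment block above the function still only says it posts the message. Document that it returns true only when the skb was added to rx->recvmsg_oobq, since rxrpc_post_challenge() relies on that to decide whether to drop its connection reference.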
@@ -210,6 +213,11 @@ static int rxrpc_respond_to_oob(struct rxrpc_sock *rx,
break;
}
+ switch (skb->mark) {
+ case RXRPC_OOB_CHALLENGE:
+ rxrpc_put_connection(sp->chall.conn, rxrpc_conn_put_oob);
+ break;
+ }
rxrpc_free_skb(skb, rxrpc_skb_put_oob);
return ret;
}
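Review bot: The `switch (skb->mark)` added at the end of rxrpc_respond_to_oob() has a single case and no default, so a plain `if (skb->mark == RXRPC_OOB_CHALLENGE)` would be clearer. Unlike the error path in rxrpc_post_challenge(), sp->chall.conn is not set to NULL after the put; that is harmless only if rxrpc_free_skb() never looks at it, which is worth a comment.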
diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c
index 82614cbdb60f5e..efcba4b2e74f0c 100644
--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -27,8 +27,6 @@ void rxrpc_notify_socket(struct rxrpc_call *call)
_enter("%d", call->debug_id);
- if (!list_empty(&call->recvmsg_link))
- return;
if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) {
rxrpc_see_call(call, rxrpc_call_see_notify_released);
return;
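Review bot: rxrpc_notify_socket() loses its `!list_empty(&call->recvmsg_link)` early return with no replacement visible in this hunk. State in the changelog what now prevents a call that is already on the receive queue from being queued a second time.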
@@ -438,7 +436,8 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
return -EAGAIN;
}
- if (list_empty(&rx->recvmsg_q)) {
+ if (list_empty(&rx->recvmsg_q) &&
+ skb_queue_empty_lockless(&rx->recvmsg_oobq)) {
ret = -EWOULDBLOCK;
if (timeo == 0) {
call = NULL;
@@ -471,7 +470,7 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
release_sock(&rx->sk);
if (ret == -EAGAIN)
goto try_again;
- goto error_no_call;
+ goto error_trace;
}
/* Find the next call and dequeue it if we're not just peeking. If we
@@ -530,8 +529,7 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) {
rxrpc_see_call(call, rxrpc_call_see_already_released);
mutex_unlock(&call->user_mutex);
- if (!(flags & MSG_PEEK))
- rxrpc_put_call(call, rxrpc_call_put_recvmsg);
+ rxrpc_put_call(call, rxrpc_call_put_recvmsg);
goto try_again;
}
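Review bot: In the RXRPC_CALL_RELEASED branch of rxrpc_recvmsg(), rxrpc_put_call() is now called even when MSG_PEEK is set. That is only balanced if the peek path takes a call reference earlier in the function, which this hunk does not show; point to the matching get in the changelog or in a comment.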
diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index c35de4fd75e311..ed2c9a51005ade 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -366,7 +366,8 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
if (state >= RXRPC_CALL_COMPLETE)
goto maybe_error;
ret = -EPROTO;
- if (state != RXRPC_CALL_CLIENT_SEND_REQUEST &&
+ if (state != RXRPC_CALL_CLIENT_PRE_SEND &&
+ state != RXRPC_CALL_CLIENT_SEND_REQUEST &&
state != RXRPC_CALL_SERVER_ACK_REQUEST &&
state != RXRPC_CALL_SERVER_SEND_REPLY) {
/* Request phase complete for this client call */
|
| 3/2 | 2026/06/24 17:01 | llm | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 7591 output: 31 thoughts: 518
Thoughts:
**Analyzing a Patch to the AFS/RXRPC Subsystems**
Okay, so I've got a patch here that's touching both the AFS filesystem code and the RXRPC network protocol code. My initial impression is that this is likely a functional change, not just a bug fix, given the breadth of the changes. I need to understand this thoroughly. Here's the breakdown, as I see it:
* **AFS Security:** The `fs/afs/cm_security.c` file has a new `READ_ONCE(net->live)` check. This suggests an added safety mechanism, perhaps related to network liveliness or connection validity within AFS.
* **RXRPC OOB Handling:** The patch modifies RXRPC's OOB (Out-of-Band) handling. `fs/afs/rxrpc.c` has a `cancel_work_sync` call. The more significant changes are in the RXRPC code specifically around state management and OOB challenge handling. It looks like `net/rxrpc/oob.c` has changes and `rxrpc_respond_to_oob` is now handling `RXRPC_OOB_CHALLENGE` to put connection into state.
* **RXRPC State Transitions:** A significant chunk of this relates to RXRPC's state machine. I see new states, `RXRPC_CALL_CLIENT_PRE_SEND` and `RXRPC_CALL_CLIENT_AWAIT_ACK` added to the `rxrpc_call_state` enum. The state transitions in `call_event.c`, `conn_client.c`, and `input.c` are all updated to reflect these new states. The addition of state names in `call_object.c` is important for debugging and clarity.
* **OOB and Recv/Send:** `conn_event.c`'s `rxrpc_post_challenge` now checks the queued `skb`. The `recvmsg` code in `net/rxrpc/recvmsg.c` has tweaks to remove an unnecessary `list_empty` check and an addition of a `skb_queue_empty_lockless` check. Finally, `sendmsg.c` in `net/rxrpc/sendmsg.c` now includes a `RXRPC_CALL_CLIENT_PRE_SEND` check in `rxrpc_send_data`.
Overall, this is a fair amount of churn in core networking code.
I need to keep in mind that these changes probably have security implications, because I see changes in the out of band handling. Given the scope and the core nature of these changes, this definitely needs fuzzing. I have to find the relevant configurations to check the dependencies. Based on the file paths, I'd say the relevant configurations are `CONFIG_AFS_FS` for the AFS changes and `CONFIG_AF_RXRPC` for the RXRPC changes. Time to dig into `net/rxrpc/Kconfig` and `fs/afs/Kconfig` to confirm and see if there are any other dependencies at play here. |
| 4/2 | 2026/06/24 17:01 | tool | grepper |
Args:{
"Expression": "config AFS_FS",
"PathPrefix": "fs/afs/Kconfig"
}Results: {
"Output": "fs/afs/Kconfig-1-# SPDX-License-Identifier: GPL-2.0-only\nfs/afs/Kconfig:2:config AFS_FS\nfs/afs/Kconfig-3-\ttristate \"Andrew File System support (AFS)\"\n--\nfs/afs/Kconfig=17=config AFS_DEBUG\n--\nfs/afs/Kconfig-26-\nfs/afs/Kconfig:27:config AFS_FSCACHE\nfs/afs/Kconfig-28-\tbool \"Provide AFS client caching support\"\n"
} |
| 5/2 | 2026/06/24 17:01 | llm | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 8946 output: 33 thoughts: 13
Thoughts: Here's my take on the thought process:
**Diving into the RxRPC Kernel Configuration**
Okay, so I need to get a handle on how RxRPC is configured within the kernel. The best place to start is almost always the `Kconfig` file within that subsystem, right? It's the central hub for defining all the configuration options, dependencies, and help text. So, my initial thought is, "Let's crack open `net/rxrpc/Kconfig` and see what we're working with here." That file should give me a pretty clear picture of the build-time knobs and levers available for RxRPC. From there, I can understand how this is used within the wider kernel configuration system and all its dependencies. |
| 6/2 | 2026/06/24 17:01 | tool | grepper |
Args:{
"Expression": "config AF_RXRPC",
"PathPrefix": "net/rxrpc/Kconfig"
}Results: {
"Output": "net/rxrpc/Kconfig-5-\nnet/rxrpc/Kconfig:6:config AF_RXRPC\nnet/rxrpc/Kconfig-7-\ttristate \"RxRPC session sockets\"\n--\nnet/rxrpc/Kconfig=25=if AF_RXRPC\nnet/rxrpc/Kconfig-26-\nnet/rxrpc/Kconfig:27:config AF_RXRPC_IPV6\nnet/rxrpc/Kconfig-28-\tbool \"IPv6 support for RxRPC\"\n--\nnet/rxrpc/Kconfig-33-\nnet/rxrpc/Kconfig:34:config AF_RXRPC_INJECT_LOSS\nnet/rxrpc/Kconfig-35-\tbool \"Inject packet loss into RxRPC packet stream\"\n--\nnet/rxrpc/Kconfig-39-\nnet/rxrpc/Kconfig:40:config AF_RXRPC_INJECT_RX_DELAY\nnet/rxrpc/Kconfig-41-\tbool \"Inject delay into packet reception\"\n--\nnet/rxrpc/Kconfig-49-\nnet/rxrpc/Kconfig:50:config AF_RXRPC_DEBUG\nnet/rxrpc/Kconfig-51-\tbool \"RxRPC dynamic debugging\"\n--\nnet/rxrpc/Kconfig=89=config RXPERF\n--\nnet/rxrpc/Kconfig-95-\nnet/rxrpc/Kconfig:96:config AF_RXRPC_KUNIT_TEST\nnet/rxrpc/Kconfig-97-\ttristate \"RxRPC crypto KUnit test\" if !KUNIT_ALL_TESTS\n"
} |
| 7/2 | 2026/06/24 17:01 | llm | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 9547 output: 220 thoughts: 975
Thoughts:
**Focusing on Key Changes in AFS and RxRPC for Fuzzing**
Alright, let's get down to it. Given the configurations `AFS_FS` and `AF_RXRPC`, I need to identify the crucial areas for fuzzing in this patch. My immediate thought is to zero in on the changes to the out-of-band (OOB) message handling and the state machine modifications within RxRPC.
Initially, I'd noted a bunch of functions. Now, let's filter the candidate symbols. I was thinking of including hot-path functions like `rxrpc_send_data`, `rxrpc_recvmsg`, `rxrpc_input_data`, and `rxrpc_input_ack`, but since they are modified, there might be value. It's too much. The OOB handling seems like a good place to start. Therefore, `rxrpc_notify_socket_oob`, `rxrpc_post_challenge`, `rxrpc_respond_to_oob`, `afs_rx_notify_oob`, `afs_process_oob_queue`, and `afs_close_socket` are the primary ones that I see.
Then I checked `rxrpc_rotate_tx_window` and `rxrpc_transmit_fresh_data`. One's called on ACKs and the other on fresh data, so they are somewhat hot. The state machine changes are important as well, so maybe I'll include `rxrpc_close_tx_phase`, `rxrpc_end_tx_phase`, and `rxrpc_receiving_reply`. These will capture the state transitions that might be disrupted by malformed input.
I think the final focus symbols should be: `rxrpc_notify_socket_oob`, `rxrpc_post_challenge`, `rxrpc_respond_to_oob`, `afs_rx_notify_oob`, `afs_process_oob_queue`, `afs_close_socket`, `rxrpc_close_tx_phase`, `rxrpc_end_tx_phase`, and `rxrpc_receiving_reply`.
Basically, I want to ensure the OOB interactions are robust and that the new RxRPC call states (`RXRPC_CALL_CLIENT_PRE_SEND`, `RXRPC_CALL_CLIENT_AWAIT_ACK`) are correctly handled and don't introduce any exploitable flaws. These functions are critical because they are the nexus of changes. Time to set up the fuzzing targets. |
| 8/2 | 2026/06/24 17:02 | tool | set-results |
Args:{
"EnableConfigs": [
"AFS_FS",
"AF_RXRPC"
],
"FocusSymbols": [
"rxrpc_notify_socket_oob",
"rxrpc_post_challenge",
"rxrpc_respond_to_oob",
"afs_rx_notify_oob",
"afs_process_oob_queue",
"afs_close_socket",
"rxrpc_close_tx_phase",
"rxrpc_end_tx_phase",
"rxrpc_receiving_reply"
],
"Reasoning": "The patch introduces functional changes to the rxrpc and afs subsystems, specifically modifying the out-of-band (OOB) message handling and the rxrpc call state machine (adding RXRPC_CALL_CLIENT_PRE_SEND and RXRPC_CALL_CLIENT_AWAIT_ACK states). These changes affect core network logic and should be fuzzed to ensure they do not introduce regressions or vulnerabilities.",
"WorthFuzzing": true
}Results: {
"EnableConfigs": [
"AFS_FS",
"AF_RXRPC"
],
"FocusSymbols": [
"rxrpc_notify_socket_oob",
"rxrpc_post_challenge",
"rxrpc_respond_to_oob",
"afs_rx_notify_oob",
"afs_process_oob_queue",
"afs_close_socket",
"rxrpc_close_tx_phase",
"rxrpc_end_tx_phase",
"rxrpc_receiving_reply"
],
"Reasoning": "The patch introduces functional changes to the rxrpc and afs subsystems, specifically modifying the out-of-band (OOB) message handling and the rxrpc call state machine (adding RXRPC_CALL_CLIENT_PRE_SEND and RXRPC_CALL_CLIENT_AWAIT_ACK states). These changes affect core network logic and should be fuzzed to ensure they do not introduce regressions or vulnerabilities.",
"WorthFuzzing": true
} |