CVE-2025-68299

In the Linux kernel, the following vulnerability has been resolved:

afs: Fix delayed allocation of a cell's anonymous key

The allocation of a cell's anonymous key is done in a background thread along with other cell setup such as doing a DNS upcall. In the reported bug, this is triggered by afsparsesource() parsing the device name given to mount() and calling afslookupcell() with the name of the cell.

The normal key lookup then tries to use the key description on the anonymous authentication key as the reference for request_key() - but it may not yet be set and so an oops can happen.

This has been made more likely to happen by the fix for dynamic lookup failure.

Fix this by firstly allocating a reference name and attaching it to the afscell record when the record is created. It can share the memory allocation with the cell name (unfortunately it can't just overlap the cell name by prepending it with "afs@" as the cell name already has a '.' prepended for other purposes). This reference name is then passed to requestkey().

Secondly, the anon key is now allocated on demand at the point a key is requested in afsrequestkey() if it is not already allocated. A mutex is used to prevent multiple allocation for a cell.

Thirdly, make afsrequestkeyrcu() return NULL if the anonymous key isn't yet allocated (if we need it) and then the caller can return -ECHILD to drop out of RCU-mode and afsrequest_key() can be called.

Note that the anonymous key is kind of necessary to make the key lookup cache work as that doesn't currently cache a negative lookup, but it's probably worth some investigation to see if NULL can be used instead.