Commit b33f5741 authored by Alok Tiwari, committed by Jakub Kicinski

rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial



In rxrpc_post_response(), the code should be comparing the challenge serial
number from the cached response before deciding to switch to a newer
response, but looks at the newer packet private data instead, rendering the
comparison always false.

Fix this by switching to look at the older packet.

Fix further[1] to substitute the new packet in place of the old one if
newer and also to release whichever we don't use.

Fixes: 5800b1cf ("rxrpc: Allow CHALLENGEs to the passed to the app for a RESPONSE")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com [1]
Link: https://patch.msgid.link/20260408121252.2249051-7-dhowells@redhat.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parent d179a868
+1 −0
@@ -185,6 +185,7 @@
	EM(rxrpc_skb_put_input,			"PUT input    ") \
	EM(rxrpc_skb_put_jumbo_subpacket,	"PUT jumbo-sub") \
	EM(rxrpc_skb_put_oob,			"PUT oob      ") \
	EM(rxrpc_skb_put_old_response,		"PUT old-resp ") \
	EM(rxrpc_skb_put_purge,			"PUT purge    ") \
	EM(rxrpc_skb_put_purge_oob,		"PUT purge-oob") \
	EM(rxrpc_skb_put_response,		"PUT response ") \
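Review bot: The label "PUT old-resp " on rxrpc_skb_put_old_response can mislead when reading traces, because rxrpc_post_response() also uses it on the path where the skb being dropped is the one just posted (old = skb) rather than the one that was already queued. Consider a comment next to this entry, or a name that says "response to the older challenge", so that someone chasing an skb leak from the trace output does not assume the put always refers to the previously cached packet.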
+3 −2
@@ -557,11 +557,11 @@ void rxrpc_post_response(struct rxrpc_connection *conn, struct sk_buff *skb)
	spin_lock_irq(&local->lock);
	old = conn->tx_response;
	if (old) {
		struct rxrpc_skb_priv *osp = rxrpc_skb(skb);
		struct rxrpc_skb_priv *osp = rxrpc_skb(old);

		/* Always go with the response to the most recent challenge. */
		if (after(sp->resp.challenge_serial, osp->resp.challenge_serial))
			conn->tx_response = old;
			conn->tx_response = skb;
		else
			old = skb;
	} else {
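Review bot: In the if (old) block, old starts out as the queued response and then becomes "the skb to discard" in the else arm (old = skb), which is the same kind of name overloading that let rxrpc_skb(skb) be used for osp in the first place. A separate local for the packet to be released would keep osp = rxrpc_skb(old) and the later free unambiguous. It would also help to extend the existing comment to say that an equal challenge_serial takes the else arm, so the already queued response wins and the new one is dropped.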
@@ -569,4 +569,5 @@ void rxrpc_post_response(struct rxrpc_connection *conn, struct sk_buff *skb)
	}
	spin_unlock_irq(&local->lock);
	rxrpc_poke_conn(conn, rxrpc_conn_get_poke_response);
	rxrpc_free_skb(old, rxrpc_skb_put_old_response);
}
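Review bot: The new rxrpc_free_skb(old, rxrpc_skb_put_old_response) call is unconditional, so on the path where conn->tx_response was empty it appears to be reached with old == NULL, unless the else body, which is not shown in this hunk, assigns it. That relies on rxrpc_free_skb() accepting a NULL skb, which is not visible here and deserves a short comment or an explicit check. The function now also releases the caller's skb when it carries the older challenge serial, so a kerneldoc line on rxrpc_post_response() stating that it always consumes the skb reference would stop callers from touching the packet after the call. Minor: rxrpc_poke_conn() still fires when the posted response was discarded and conn->tx_response is unchanged.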