[SRU][J][PATCH 1/2] rxrpc: Fix delayed ACKs to not set the reference serial number

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Tue Aug 6 08:01:39 PDT 2024 

From: David Howells <dhowells at redhat.com>

Fix the construction of delayed ACKs to not set the reference serial number
as they can't be used as an RTT reference.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: "David S. Miller" <davem at davemloft.net>
cc: Eric Dumazet <edumazet at google.com>
cc: Jakub Kicinski <kuba at kernel.org>
cc: Paolo Abeni <pabeni at redhat.com>
cc: linux-afs at lists.infradead.org
cc: netdev at vger.kernel.org
Signed-off-by: David S. Miller <davem at davemloft.net>
(backported from e7870cf13d20f56bfc19f9c3e89707c69cf104ef)
[mpellizzer: removed the "ackr_serial" field from
the struct "rxrpc_call" and adjusted the code accordingly]
CVE-2024-26677
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer at canonical.com>
---
 net/rxrpc/ar-internal.h | 1 -
 net/rxrpc/call_event.c  | 2 --
 net/rxrpc/output.c      | 2 +-
 3 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index e0123efa2a62..cf1cc9c14a79 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -671,7 +671,6 @@ struct rxrpc_call {
 
 	/* Receive-phase ACK management (ACKs we send). */
 	u8			ackr_reason;	/* reason to ACK */
-	rxrpc_serial_t		ackr_serial;	/* serial of packet being ACK'd */
 	rxrpc_seq_t		ackr_highest_seq; /* Higest sequence number received */
 	atomic_t		ackr_nr_unacked; /* Number of unacked packets */
 	atomic_t		ackr_nr_consumed; /* Number of packets needing hard ACK */
diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
index 2a93e7b5fbd0..b6cde05d832d 100644
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -67,13 +67,11 @@ static void __rxrpc_propose_ACK(struct rxrpc_call *call, u8 ack_reason,
 	if (ack_reason == call->ackr_reason) {
 		if (RXRPC_ACK_UPDATEABLE & (1 << ack_reason)) {
 			outcome = rxrpc_propose_ack_update;
-			call->ackr_serial = serial;
 		}
 		if (!immediate)
 			goto trace;
 	} else if (prior > rxrpc_ack_priority[call->ackr_reason]) {
 		call->ackr_reason = ack_reason;
-		call->ackr_serial = serial;
 	} else {
 		outcome = rxrpc_propose_ack_subsume;
 	}
diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c
index 08c117bc083e..a007c2ebe311 100644
--- a/net/rxrpc/output.c
+++ b/net/rxrpc/output.c
@@ -87,7 +87,7 @@ static size_t rxrpc_fill_out_ack(struct rxrpc_connection *conn,
 		return 0;
 
 	/* Barrier against rxrpc_input_data(). */
-	serial = call->ackr_serial;
+	serial = 0;
 	hard_ack = READ_ONCE(call->rx_hard_ack);
 	top = smp_load_acquire(&call->rx_top);
 	*_hard_ack = hard_ack;
-- 
2.43.0

More information about the linux-afs mailing list