[report] xrpc: wrong skb used when comparing queued RESP challenge serial
Alok Tiwari
alok.a.tiwari at oracle.com
Sat Mar 14 12:29:17 PDT 2026
Hi David,
It looks like the comparison uses the wrong skb:
    old = conn->tx_response;
    if (old) {
            struct rxrpc_skb_priv *osp = rxrpc_skb(skb); << should be old
            /* Always go with the response to the most recent challenge. */
            if (after(sp->resp.challenge_serial, osp->resp.challenge_serial))
                    conn->tx_response = old;
            else
                    old = skb;
    }
As written, osp is derived from skb rather than old, so after() does not
compare new vs queued, and the update logic also does not appear to
replace conn->tx_response with the newer skb.
Please let me know if my understanding is correct.
Thanks,
Alok
---
net/rxrpc/conn_event.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index 98ad9b51ca2c..2c27f47951f9 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -557,7 +557,7 @@ void rxrpc_post_response(struct rxrpc_connection *conn, struct sk_buff *skb)
spin_lock_irq(&local->lock);
old = conn->tx_response;
if (old) {
- struct rxrpc_skb_priv *osp = rxrpc_skb(skb);
+ struct rxrpc_skb_priv *osp = rxrpc_skb(old);
/* Always go with the response to the most recent challenge. */
if (after(sp->resp.challenge_serial, osp->resp.challenge_serial))
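Review bot: The one-line change to osp leaves the branch bodies under the after() test untouched. As quoted in the message above, they assign "conn->tx_response = old;" when the new challenge serial is later, which is a no-op because old was just loaded from conn->tx_response. With osp now taken from old the comparison becomes meaningful, but the newer skb is still never stored, so the second issue raised in the report remains. Consider changing that branch to assign skb to conn->tx_response in the same patch, or state in the description that it is deliberately left for a follow-up. The posting also carries no Signed-off-by or Fixes: line, which it will need if it is to be applied as is.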
--
2.50.1