[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20240806150149.1609414-3-massimiliano.pellizzer@canonical.com>
Date: Tue, 6 Aug 2024 17:01:40 +0200
From: Massimiliano Pellizzer <massimiliano.pellizzer@...onical.com>
To: kernel-team@...ts.ubuntu.com
Cc: David Howells <dhowells@...hat.com>,
Marc Dionne <marc.dionne@...istor.com>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
linux-afs@...ts.infradead.org,
netdev@...r.kernel.org
Subject: [SRU][F][PATCH 1/2] rxrpc: Fix delayed ACKs to not set the reference serial number
From: David Howells <dhowells@...hat.com>
Fix the construction of delayed ACKs to not set the reference serial number
as they can't be used as an RTT reference.
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Signed-off-by: David Howells <dhowells@...hat.com>
cc: Marc Dionne <marc.dionne@...istor.com>
cc: "David S. Miller" <davem@...emloft.net>
cc: Eric Dumazet <edumazet@...gle.com>
cc: Jakub Kicinski <kuba@...nel.org>
cc: Paolo Abeni <pabeni@...hat.com>
cc: linux-afs@...ts.infradead.org
cc: netdev@...r.kernel.org
Signed-off-by: David S. Miller <davem@...emloft.net>
(backported from e7870cf13d20f56bfc19f9c3e89707c69cf104ef)
[mpellizzer: removed the "ackr_serial" field from
the struct "rxrpc_call" and adjusted the code accordingly]
CVE-2024-26677
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@...onical.com>
---
net/rxrpc/ar-internal.h | 1 -
net/rxrpc/call_event.c | 2 --
net/rxrpc/output.c | 2 +-
3 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index cb174f699665..5039613ad0e1 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -667,7 +667,6 @@ struct rxrpc_call {
/* Receive-phase ACK management (ACKs we send). */
u8 ackr_reason; /* reason to ACK */
- rxrpc_serial_t ackr_serial; /* serial of packet being ACK'd */
rxrpc_seq_t ackr_highest_seq; /* Higest sequence number received */
atomic_t ackr_nr_unacked; /* Number of unacked packets */
atomic_t ackr_nr_consumed; /* Number of packets needing hard ACK */
diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
index b5f173960725..c08715be8e9a 100644
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -67,13 +67,11 @@ static void __rxrpc_propose_ACK(struct rxrpc_call *call, u8 ack_reason,
if (ack_reason == call->ackr_reason) {
if (RXRPC_ACK_UPDATEABLE & (1 << ack_reason)) {
outcome = rxrpc_propose_ack_update;
- call->ackr_serial = serial;
}
if (!immediate)
goto trace;
} else if (prior > rxrpc_ack_priority[call->ackr_reason]) {
call->ackr_reason = ack_reason;
- call->ackr_serial = serial;
} else {
outcome = rxrpc_propose_ack_subsume;
}
diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c
index 09fcc54245c7..8816aaa98287 100644
--- a/net/rxrpc/output.c
+++ b/net/rxrpc/output.c
@@ -87,7 +87,7 @@ static size_t rxrpc_fill_out_ack(struct rxrpc_connection *conn,
return 0;
/* Barrier against rxrpc_input_data(). */
- serial = call->ackr_serial;
+ serial = 0;
hard_ack = READ_ONCE(call->rx_hard_ack);
top = smp_load_acquire(&call->rx_top);
*_hard_ack = hard_ack;
--
2.43.0
Powered by blists - more mailing lists