6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca sd@queasysnail.net
[ Upstream commit b014a4e066c555185b7c367efacdc33f16695495 ]
If we hit an error during the main loop of tls_sw_sendmsg_locked (eg failed allocation), we jump to send_end and immediately return. Previous iterations may have queued async encryption requests that are still pending. We should wait for those before returning, as we could otherwise be reading from memory that userspace believes we're not using anymore, which would be a sort of use-after-free.
This is similar to what tls_sw_recvmsg already does: failures during the main loop jump to the "wait for async" code, not straight to the unlock/return.
Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance") Reported-by: Jann Horn jannh@google.com Signed-off-by: Sabrina Dubroca sd@queasysnail.net Link: https://patch.msgid.link/c793efe9673b87f808d84fdefc0f732217030c52.1760432043... Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- net/tls/tls_sw.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index c67cf1a06c0e5..0e378d7cb6903 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -1029,7 +1029,7 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) if (ret == -EINPROGRESS) num_async++; else if (ret != -EAGAIN) - goto send_end; + goto end; } }
@@ -1182,8 +1182,9 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) goto alloc_encrypted; }
+send_end: if (!num_async) { - goto send_end; + goto end; } else if (num_zc || eor) { int err;
@@ -1201,7 +1202,7 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) tls_tx_records(sk, msg->msg_flags); }
-send_end: +end: ret = sk_stream_error(sk, msg->msg_flags, ret);
release_sock(sk);