4.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vakul Garg vakul.garg@nxp.com
[ Upstream commit 52ea992cfac357b73180d5c051dca43bc8d20c2a ]
tls_sw_sendmsg() allocates plaintext and encrypted SG entries using function sk_alloc_sg(). In case the number of SG entries hit MAX_SKB_FRAGS, sk_alloc_sg() returns -ENOSPC and sets the variable for current SG index to '0'. This leads to calling of function tls_push_record() with 'sg_encrypted_num_elem = 0' and later causes kernel crash. To fix this, set the number of SG elements to the number of elements in plaintext/encrypted SG arrays in case sk_alloc_sg() returns -ENOSPC.
Fixes: 3c4d7559159b ("tls: kernel TLS support") Signed-off-by: Vakul Garg vakul.garg@nxp.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/tls/tls_sw.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -149,6 +149,9 @@ static int alloc_encrypted_sg(struct soc &ctx->sg_encrypted_num_elem, &ctx->sg_encrypted_size, 0);
+ if (rc == -ENOSPC) + ctx->sg_encrypted_num_elem = ARRAY_SIZE(ctx->sg_encrypted_data); + return rc; }
@@ -162,6 +165,9 @@ static int alloc_plaintext_sg(struct soc &ctx->sg_plaintext_num_elem, &ctx->sg_plaintext_size, tls_ctx->pending_open_record_frags);
+ if (rc == -ENOSPC) + ctx->sg_plaintext_num_elem = ARRAY_SIZE(ctx->sg_plaintext_data); + return rc; }