Commit 6267db2a authored by Jakub Kicinski's avatar Jakub Kicinski Committed by Ziyang Xuan
Browse files

tls: fix race between async notify and socket close 

mainline inclusion
from mainline-v6.8-rc5
commit aec7961916f3f9e88766e2688992da6980f11b8d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I92REK
CVE: CVE-2024-26583

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aec7961916f3f9e88766e2688992da6980f11b8d



--------------------------------

The submitting thread (one which called recvmsg/sendmsg)
may exit as soon as the async crypto handler calls complete()
so any code past that point risks touching already freed data.

Try to avoid the locking and extra flags altogether.
Have the main thread hold an extra reference, this way
we can depend solely on the atomic ref counter for
synchronization.

Don't futz with reiniting the completion, either, we are now
tightly controlling when completion fires.

Reported-by: default avatarvalis <sec@valis.email>
Fixes: 0cada332 ("net/tls: fix race condition causing kernel panic")
Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Reviewed-by: default avatarSimon Horman <horms@kernel.org>
Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
Reviewed-by: default avatarSabrina Dubroca <sd@queasysnail.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Conflicts:
	include/net/tls.h
	net/tls/tls_sw.c
Signed-off-by: default avatarZiyang Xuan <william.xuanziyang@huawei.com>
parent 91bb7b8b
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment