tls: fix use-after-free on failed backlog decryption (13114dc5) · Commits · git / linux-net

net/tls/tls_sw.c

+17 −7

Original line number	Diff line number	Diff line
		@@ -52,6 +52,7 @@ struct tls_decrypt_arg {
		struct_group(inargs,
		bool zc;
		bool async;
		bool async_done;
		u8 tail;
		);

		@@ -286,15 +287,18 @@ static int tls_do_decryption(struct sock *sk,
		}

		ret = crypto_aead_decrypt(aead_req);
		if (ret == -EINPROGRESS)
		return 0;

		if (ret == -EBUSY) {
		ret = tls_decrypt_async_wait(ctx);
		ret = ret ?: -EINPROGRESS;
		darg->async_done = true;
		/* all completions have run, we're not doing async anymore */
		darg->async = false;
		return ret;
		}
		if (ret == -EINPROGRESS) {
		return 0;
		} else if (darg->async) {

		atomic_dec(&ctx->decrypt_pending);
		}
		darg->async = false;

		return ret;
		@@ -1593,8 +1597,11 @@ static int tls_decrypt_sg(struct sock sk, struct iov_iter out_iov,
		/* Prepare and submit AEAD request */
		err = tls_do_decryption(sk, sgin, sgout, dctx->iv,
		data_len + prot->tail_size, aead_req, darg);
		if (err)
		if (err) {
		if (darg->async_done)
		goto exit_free_skb;
		goto exit_free_pages;
		}

		darg->skb = clear_skb ?: tls_strp_msg(ctx);
		clear_skb = NULL;
		@@ -1606,6 +1613,9 @@ static int tls_decrypt_sg(struct sock sk, struct iov_iter out_iov,
		return err;
		}

		if (unlikely(darg->async_done))
		return 0;

		if (prot->tail_size)
		darg->tail = dctx->tail;