iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Maxim Mikityanskiy fccf4bf3f2 tls: Fix context leak on tls_device_down 
[ Upstream commit 3740651bf7e200109dd42d5b2fb22226b26f960a ]

The commit cited below claims to fix a use-after-free condition after
tls_device_down. Apparently, the description wasn't fully accurate. The
context stayed alive, but ctx->netdev became NULL, and the offload was
torn down without a proper fallback, so a bug was present, but a
different kind of bug.

Due to misunderstanding of the issue, the original patch dropped the
refcount_dec_and_test line for the context to avoid the alleged
premature deallocation. That line has to be restored, because it matches
the refcount_inc_not_zero from the same function, otherwise the contexts
that survived tls_device_down are leaked.

This patch fixes the described issue by restoring refcount_dec_and_test.
After this change, there is no leak anymore, and the fallback to
software kTLS still works.

Fixes: c55dcdd435aa ("net/tls: Fix use-after-free after the TLS device goes down and up")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://lore.kernel.org/r/20220512091830.678684-1-maximmi@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-05-18 10:23:45 +02:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:50:34 +02:00
9p
xen/9p: use alloc/free_pages_exact()
2022-03-11 12:11:54 +01:00
802
net/802/garp: fix memleak in garp_request_join()
2021-07-31 08:16:11 +02:00
8021q
net: vlan: fix underflow for the real_dev refcnt
2021-12-01 09:19:08 +01:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 15:00:08 +02:00
atm
net: atm: fix update of position index in lec_seq_next
2020-10-31 12:26:30 -07:00
ax25
ax25: Fix UAF bugs in ax25 timers
2022-04-20 09:23:32 +02:00
batman-adv
batman-adv: Don't skb_split skbuffs with frag_list
2022-05-18 10:23:42 +02:00
bluetooth
Bluetooth: Fix the creation of hdev->name
2022-05-15 20:00:09 +02:00
bpf
bpf, test, cgroup: Use sk_{alloc,free} for test cases
2021-10-27 09:56:56 +02:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:56:29 +02:00
bridge
net: bridge: vlan: fix memory leak in __allowed_ingress
2022-02-01 17:25:48 +01:00
caif
net-caif: avoid user-triggerable WARN_ON(1)
2021-09-22 12:27:56 +02:00
can
can: isotp: remove re-binding of bound socket
2022-05-12 12:25:35 +02:00
ceph
libceph: clear con->out_msg on Policy::stateful_server faults
2020-10-12 15:29:27 +02:00
core
bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook
2022-05-09 09:05:02 +02:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:09:37 +01:00
dccp
tcp: switch orphan_count to bare per-cpu counters
2021-11-18 14:04:08 +01:00
decnet
net: decnet: Fix sleeping inside in af_decnet
2021-07-28 14:35:38 +02:00
dns_resolver
dsa
net: dsa: Add missing of_node_put() in dsa_port_link_register_of
2022-05-09 09:05:02 +02:00
ethernet
ethtool
ethtool: do not perform operations on net devices being unregistered
2021-12-17 10:14:41 +01:00
hsr
net: hsr: fix mac_len checks
2021-06-03 09:00:50 +02:00
ieee802154
net: ieee802154: Return meaningful error codes from the netlink helpers
2022-02-08 18:30:37 +01:00
ife
ipv4
ipv4: drop dst in multicast routing path
2022-05-18 10:23:43 +02:00
ipv6
tcp: make sure treq->af_specific is initialized
2022-05-09 09:05:04 +02:00
iucv
net/af_iucv: remove WARN_ONCE on malformed RX packets
2021-03-07 12:34:05 +01:00
kcm
key
af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
2022-04-08 14:39:48 +02:00
l2tp
net/l2tp: Fix reference count leak in l2tp_udp_recv_core
2021-09-22 12:27:56 +02:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:53:50 +02:00
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:29:14 +01:00
llc
llc: only change llc->dev when bind() succeeds
2022-03-28 09:57:10 +02:00
mac80211
mac80211: Reset MBSSID parameters upon connection
2022-05-18 10:23:42 +02:00
mac802154
net: mac802154: Fix general protection fault
2021-04-14 08:42:13 +02:00
mpls
net: mpls: Fix notifications when deleting a device
2021-12-08 09:03:23 +01:00
mptcp
mptcp: clear 'kern' flag from fallback sockets
2021-12-22 09:30:54 +01:00
ncsi
net/ncsi: check for error return from call to nla_put_u32
2022-01-05 12:40:32 +01:00
netfilter
netfilter: nft_socket: only do sk lookups when indev is available
2022-05-09 09:05:08 +02:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-13 21:01:00 +02:00
netlink
netlink: do not reset transport header in netlink_recvmsg()
2022-05-18 10:23:43 +02:00
netrom
netrom: fix api breakage in nr_setsockopt()
2022-01-27 10:54:03 +01:00
nfc
NFC: netlink: fix sleep in atomic bug when firmware download timeout
2022-05-12 12:25:36 +02:00
nsh
openvswitch
openvswitch: fix OOB access in reserve_sfa_size()
2022-04-27 13:53:55 +02:00
packet
net/packet: fix packet_sock xmit return value checking
2022-04-27 13:53:50 +02:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:25:01 +01:00
psample
net: psample: Fix netlink skb length with tunnel info
2021-03-07 12:34:07 +01:00
qrtr
net: qrtr: fix another OOB Read in qrtr_endpoint_post
2021-09-03 10:09:21 +02:00
rds
rds: memory leak in __rds_conn_create()
2021-12-22 09:30:54 +01:00
rfkill
rfkill: Fix use-after-free in rfkill_resume()
2020-11-12 09:18:06 +01:00
rose
rose: Fix Null pointer dereference in rose_send_frame()
2020-11-20 10:04:58 -08:00
rxrpc
rxrpc: Restore removed timer deletion
2022-04-27 13:53:49 +02:00
sched
net/sched: act_pedit: really ensure the skb is writable
2022-05-18 10:23:44 +02:00
sctp
sctp: check asoc strreset_chunk in sctp_generate_reconf_event
2022-05-09 09:05:03 +02:00
smc
net/smc: non blocking recvmsg() return -EAGAIN when no data and signal_pending
2022-05-18 10:23:44 +02:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 14:04:27 +01:00
sunrpc
Revert "SUNRPC: attempt AF_LOCAL connect on setup"
2022-05-12 12:25:31 +02:00
switchdev
net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP
2021-02-07 15:37:12 +01:00
tipc
tipc: fix the timer expires after interval 100ms
2022-04-08 14:40:23 +02:00
tls
tls: Fix context leak on tls_device_down
2022-05-18 10:23:45 +02:00
unix
af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress
2022-01-27 10:54:31 +01:00
vmw_vsock
vsock: each transport cycles only on its own sockets
2022-03-23 09:13:27 +01:00
wimax
genetlink: move to smaller ops wherever possible
2020-10-02 19:11:11 -07:00
wireless
nl80211: correctly check NL80211_ATTR_REG_ALPHA2 size
2022-04-20 09:23:28 +02:00
x25
net/x25: Fix null-ptr-deref caused by x25_disconnect
2022-04-08 14:40:30 +02:00
xdp
Revert "xsk: Do not sleep in poll() when need_wakeup set"
2021-12-22 09:30:59 +01:00
xfrm
xfrm: fix tunnel model fragmentation behavior
2022-04-08 14:39:47 +02:00
compat.c
net: Return the correct errno code
2021-06-18 10:00:06 +02:00
devres.c
Kconfig
drop_monitor: Convert to using devlink tracepoint
2020-09-30 18:01:26 -07:00
Makefile
socket.c
ethtool: improve compat ioctl handling
2021-09-18 13:40:21 +02:00
sysctl_net.c