Patch "net/tls: Remove the context from the list in tls_device_down" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 30 Jul 2022 22:44:45 -0400

This is a note to let you know that I've just added the patch titled

    net/tls: Remove the context from the list in tls_device_down

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-tls-remove-the-context-from-the-list-in-tls_devi.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit e1bf6422281150d1b6fb11cbaeb4d17c644404c8
Author: Maxim Mikityanskiy <maximmi@xxxxxxxxxx>
Date:   Thu Jul 21 12:11:27 2022 +0300

    net/tls: Remove the context from the list in tls_device_down
    
    [ Upstream commit f6336724a4d4220c89a4ec38bca84b03b178b1a3 ]
    
    tls_device_down takes a reference on all contexts it's going to move to
    the degraded state (software fallback). If sk_destruct runs afterwards,
    it can reduce the reference counter back to 1 and return early without
    destroying the context. Then tls_device_down will release the reference
    it took and call tls_device_free_ctx. However, the context will still
    stay in tls_device_down_list forever. The list will contain an item,
    memory for which is released, making a memory corruption possible.
    
    Fix the above bug by properly removing the context from all lists before
    any call to tls_device_free_ctx.
    
    Fixes: 3740651bf7e2 ("tls: Fix context leak on tls_device_down")
    Signed-off-by: Maxim Mikityanskiy <maximmi@xxxxxxxxxx>
    Reviewed-by: Tariq Toukan <tariqt@xxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
index 4e33150cfb9e..cf75969375cf 100644
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -1351,8 +1351,13 @@ static int tls_device_down(struct net_device *netdev)
 		 * by tls_device_free_ctx. rx_conf and tx_conf stay in TLS_HW.
 		 * Now release the ref taken above.
 		 */
-		if (refcount_dec_and_test(&ctx->refcount))
+		if (refcount_dec_and_test(&ctx->refcount)) {
+			/* sk_destruct ran after tls_device_down took a ref, and
+			 * it returned early. Complete the destruction here.
+			 */
+			list_del(&ctx->list);
 			tls_device_free_ctx(ctx);
+		}
 	}
 
 	up_write(&device_offload_lock);






