Patch "tls: separate no-async decryption request handling from async" has been added to the 6.7-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 3 Mar 2024 11:01:17 -0500

This is a note to let you know that I've just added the patch titled

    tls: separate no-async decryption request handling from async

to the 6.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tls-separate-no-async-decryption-request-handling-fr.patch
and it can be found in the queue-6.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 10b947c0cc5b738af12fb78443520b235d9ab1a7
Author: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>
Date:   Wed Feb 28 23:43:59 2024 +0100

    tls: separate no-async decryption request handling from async
    
    [ Upstream commit 41532b785e9d79636b3815a64ddf6a096647d011 ]
    
    If we're not doing async, the handling is much simpler. There's no
    reference counting, we just need to wait for the completion to wake us
    up and return its result.
    
    We should preferably also use a separate crypto_wait. I'm not seeing a
    UAF as I did in the past, I think aec7961916f3 ("tls: fix race between
    async notify and socket close") took care of it.
    
    This will make the next fix easier.
    
    Signed-off-by: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/47bde5f649707610eaef9f0d679519966fc31061.1709132643.git.sd@xxxxxxxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Stable-dep-of: 13114dc55430 ("tls: fix use-after-free on failed backlog decryption")
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 1394fc44f3788..1fd37fe13ffd8 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -274,9 +274,15 @@ static int tls_do_decryption(struct sock *sk,
 		DEBUG_NET_WARN_ON_ONCE(atomic_read(&ctx->decrypt_pending) < 1);
 		atomic_inc(&ctx->decrypt_pending);
 	} else {
+		DECLARE_CRYPTO_WAIT(wait);
+
 		aead_request_set_callback(aead_req,
 					  CRYPTO_TFM_REQ_MAY_BACKLOG,
-					  crypto_req_done, &ctx->async_wait);
+					  crypto_req_done, &wait);
+		ret = crypto_aead_decrypt(aead_req);
+		if (ret == -EINPROGRESS || ret == -EBUSY)
+			ret = crypto_wait_req(ret, &wait);
+		return ret;
 	}
 
 	ret = crypto_aead_decrypt(aead_req);
@@ -285,10 +291,7 @@ static int tls_do_decryption(struct sock *sk,
 		ret = ret ?: -EINPROGRESS;
 	}
 	if (ret == -EINPROGRESS) {
-		if (darg->async)
-			return 0;
-
-		ret = crypto_wait_req(ret, &ctx->async_wait);
+		return 0;
 	} else if (darg->async) {
 		atomic_dec(&ctx->decrypt_pending);
 	}







