4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ilya Lesokhin <ilyal@xxxxxxxxxxxx> [ Upstream commit d91c3e17f75f218022140dee18cf515292184a8f ] Calling accept on a TCP socket with a TLS ulp attached results in two sockets that share the same ulp context. The ulp context is freed while a socket is destroyed, so after one of the sockets is released, the second second will trigger a use after free when it tries to access the ulp context attached to it. We restrict the TLS ulp to sockets in ESTABLISHED state to prevent the scenario above. Fixes: 3c4d7559159b ("tls: kernel TLS support") Reported-by: syzbot+904e7cd6c5c741609228@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Ilya Lesokhin <ilyal@xxxxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/tls/tls_main.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -444,6 +444,15 @@ static int tls_init(struct sock *sk) struct tls_context *ctx; int rc = 0; + /* The TLS ulp is currently supported only for TCP sockets + * in ESTABLISHED state. + * Supporting sockets in LISTEN state will require us + * to modify the accept implementation to clone rather then + * share the ulp context. + */ + if (sk->sk_state != TCP_ESTABLISHED) + return -ENOTSUPP; + /* allocate tls context */ ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); if (!ctx) {