[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20231018182555.28f1a774@kernel.org>
Date: Wed, 18 Oct 2023 18:25:55 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Juntong Deng <juntong.deng@...look.com>
Cc: borisp@...dia.com, john.fastabend@...il.com, davem@...emloft.net,
edumazet@...gle.com, pabeni@...hat.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
linux-kernel-mentees@...ts.linuxfoundation.org,
syzbot+29c22ea2d6b2c5fd2eae@...kaller.appspotmail.com,
Sabrina Dubroca <sd@...asysnail.net>
Subject: Re: [PATCH v2] net/tls: Fix slab-use-after-free in tls_encrypt_done
On Wed, 18 Oct 2023 00:22:15 +0800 Juntong Deng wrote:
> In the current implementation, ctx->async_wait.completion is completed
> after spin_lock_bh, which causes tls_sw_release_resources_tx to
> continue executing and return to tls_sk_proto_cleanup, then return
> to tls_sk_proto_close, and after that enter tls_sw_free_ctx_tx to kfree
> the entire struct tls_sw_context_tx (including ctx->encrypt_compl_lock).
>
> Since ctx->encrypt_compl_lock has been freed, subsequent spin_unlock_bh
> will result in slab-use-after-free error. Due to SMP, even using
> spin_lock_bh does not prevent tls_sw_release_resources_tx from continuing
> on other CPUs. After tls_sw_release_resources_tx is woken up, there is no
> attempt to hold ctx->encrypt_compl_lock again, therefore everything
> described above is possible.
Whoever triggered the Tx should wait for all outstanding encryption
to finish before exiting sendmsg() (or alike). This looks like
a band-aid. Sabrina is working on fixes for the async code, lets
get those in first before attempting spot fixes.
--
pw-bot: cr
Powered by blists - more mailing lists