Re: [PATCH net v2 3/4] net: tls: fix use-after-free in tls_sw_sendmsg_locked after bpf verdict

[Jiayuan Chen <jiayuan.chen@linux.dev>]

On 5/12/26 1:49 AM, Jakub Kicinski wrote:
> bpf_exec_tx_verdict() may return having modified the record
> and the plaintext/encrypted sk_msg pointers. We must always
> reload those pointers after calling bpf_exec_tx_verdict().
>
> On the wait_for_memory path after sk_stream_wait_memory() returns,
> the post-wait contains a shortcut:
>
> 	if (ctx->open_rec && msg_en->sg.size < required_size)
> 		goto alloc_encrypted;
>
> which dereferences the cached msg_en, which can equally point at
> a freed record if the prior bpf_exec_tx_verdict() split the open
> rec before returning -ENOMEM. Drop the shortcut it seems to have
> only been an optimization to skip trivial intro of the loop.
>
> Reported-by: Sashiko <sashiko-bot@kernel.org>
> Fixes: 54a3ecaeeeae ("bpf: fix ktls panic with sockmap")


Is the blamed commit correct? I don't think I touched the following code 
in this commit.

> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> ---
>   net/tls/tls_sw.c | 4 ----
>   1 file changed, 4 deletions(-)
>
> diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
> index 3bfdaf5e64f5..360f71fd7884 100644
> --- a/net/tls/tls_sw.c
> +++ b/net/tls/tls_sw.c
> @@ -1112,7 +1112,6 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg,
>   		if (!sk_stream_memory_free(sk))
>   			goto wait_for_sndbuf;
>   
> -alloc_encrypted:
>   		ret = tls_alloc_encrypted_msg(sk, required_size);
>   		if (ret) {
>   			if (ret != -ENOSPC)
> @@ -1255,9 +1254,6 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg,
>   				tls_trim_both_msgs(sk, orig_size);
>   			goto send_end;
>   		}
> -
> -		if (ctx->open_rec && msg_en->sg.size < required_size)
> -			goto alloc_encrypted;
>   	}
>   
>   send_end: