From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Jann Horn <jannh@google.com>,
Sabrina Dubroca <sd@queasysnail.net>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.6 048/105] tls: wait for pending async decryptions if tls_strp_msg_hold fails
Date: Tue, 21 Oct 2025 21:50:57 +0200 [thread overview]
Message-ID: <20251021195022.823800236@linuxfoundation.org> (raw)
In-Reply-To: <20251021195021.492915002@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit b8a6ff84abbcbbc445463de58704686011edc8e1 ]
Async decryption calls tls_strp_msg_hold to create a clone of the
input skb to hold references to the memory it uses. If we fail to
allocate that clone, proceeding with async decryption can lead to
various issues (UAF on the skb, writing into userspace memory after
the recv() call has returned).
In this case, wait for all pending decryption requests.
Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/b9fe61dcc07dab15da9b35cf4c7d86382a98caf2.1760432043.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_sw.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index d3bf2dbc297ae..6ea557ebab171 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1637,8 +1637,10 @@ static int tls_decrypt_sg(struct sock *sk, struct iov_iter *out_iov,
if (unlikely(darg->async)) {
err = tls_strp_msg_hold(&ctx->strp, &ctx->async_hold);
- if (err)
- __skb_queue_tail(&ctx->async_hold, darg->skb);
+ if (err) {
+ err = tls_decrypt_async_wait(ctx);
+ darg->async = false;
+ }
return err;
}
--
2.51.0
next prev parent reply other threads:[~2025-10-21 19:54 UTC|newest]
Thread overview: 116+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-21 19:50 [PATCH 6.6 000/105] 6.6.114-rc1 review Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 001/105] smb: client: Fix refcount leak for cifs_sb_tlink Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 002/105] r8152: add error handling in rtl8152_driver_init Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 003/105] KVM: arm64: Prevent access to vCPU events before init Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 004/105] f2fs: fix wrong block mapping for multi-devices Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 005/105] jbd2: ensure that all ongoing I/O complete before freeing blocks Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 006/105] ext4: wait for ongoing I/O to " Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 007/105] ext4: detect invalid INLINE_DATA + EXTENTS flag combination Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 008/105] btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already running Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 009/105] btrfs: fix incorrect readahead expansion length Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 010/105] btrfs: do not assert we found block group item when creating free space tree Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 011/105] can: gs_usb: gs_make_candev(): populate net_device->dev_port Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 012/105] can: gs_usb: increase max interface to U8_MAX Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 013/105] cifs: parse_dfs_referrals: prevent oob on malformed input Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 014/105] drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 015/105] drm/amdgpu: use atomic functions with memory barriers for vm fault info Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 016/105] drm/amd: Check whether secure display TA loaded successfully Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 017/105] cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 018/105] Bluetooth: btusb: Add USB ID 2001:332a for D-Link AX9U rev. A1 Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 019/105] epoll: Remove ep_scan_ready_list() in comments Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 020/105] eventpoll: Replace rwlock with spinlock Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 021/105] drm/msm/adreno: De-spaghettify the use of memory barriers Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 022/105] drm/msm/a6xx: Fix PDC sleep sequence Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 023/105] drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference in functions Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 024/105] drm/exynos: exynos7_drm_decon: properly clear channels during bind Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 025/105] drm/exynos: exynos7_drm_decon: remove ctx->suspended Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 026/105] media: nxp: imx8-isi: Drop unused argument to mxc_isi_channel_chain() Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 027/105] media: nxp: imx8-isi: m2m: Fix streaming cleanup on release Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 028/105] usb: gadget: Store endpoint pointer in usb_request Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 029/105] usb: gadget: Introduce free_usb_request helper Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 030/105] usb: gadget: f_ecm: Refactor bind path to use __free() Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 031/105] usb: gadget: f_acm: " Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 032/105] usb: gadget: f_ncm: " Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 033/105] usb: gadget: f_rndis: " Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 034/105] HID: multitouch: fix sticky fingers Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 035/105] dax: skip read lock assertion for read-only filesystems Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 036/105] can: m_can: m_can_plat_remove(): add missing pm_runtime_disable() Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 037/105] net: dlink: handle dma_map_single() failure properly Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 038/105] doc: fix seg6_flowlabel path Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 039/105] r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 040/105] net/ip6_tunnel: Prevent perpetual tunnel growth Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 041/105] amd-xgbe: Avoid spurious link down messages during interface toggle Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 042/105] tcp: fix tcp_tso_should_defer() vs large RTT Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 043/105] tg3: prevent use of uninitialized remote_adv and local_adv variables Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 044/105] tls: trim encrypted message to match the plaintext on short splice Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 045/105] net: tls: wait for async completion on last message Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 046/105] tls: wait for async encrypt in case of error during latter iterations of sendmsg Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 047/105] tls: always set record_type in tls_process_cmsg Greg Kroah-Hartman
2025-10-21 19:50 ` Greg Kroah-Hartman [this message]
2025-10-21 19:50 ` [PATCH 6.6 049/105] tls: dont rely on tx_work during send() Greg Kroah-Hartman
2025-10-21 19:50 ` [PATCH 6.6 050/105] net: usb: lan78xx: Add error handling to lan78xx_init_mac_address Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 051/105] net: usb: lan78xx: fix use of improperly initialized dev->chipid in lan78xx_reset Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 052/105] nvme-multipath: Skip nr_active increments in RETRY disposition Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 053/105] riscv: kprobes: Fix probe address validation Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 054/105] drm/bridge: lt9211: Drop check for last nibble of version register Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 055/105] ASoC: codecs: Fix gain setting ranges for Renesas IDT821034 codec Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 056/105] ASoC: nau8821: Cancel jdet_work before handling jack ejection Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 057/105] ASoC: nau8821: Generalize helper to clear IRQ status Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 058/105] ASoC: nau8821: Add DMI quirk to bypass jack debounce circuit Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 059/105] drm/i915/guc: Skip communication warning on reset in progress Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 060/105] drm/amd/powerplay: Fix CIK shutdown temperature Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 061/105] drm/rockchip: vop2: use correct destination rectangle height check Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 062/105] sched/balancing: Rename newidle_balance() => sched_balance_newidle() Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 063/105] sched/fair: Fix pelt lost idle time detection Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 064/105] ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 065/105] accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages() Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 066/105] selftests/bpf: make arg_parsing.c more robust to crashes Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 067/105] ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 068/105] HID: hid-input: only ignore 0 battery events for digitizers Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 069/105] HID: multitouch: fix name of Stylus input devices Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 070/105] selftests: arg_parsing: Ensure data is flushed to disk before reading Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 071/105] hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 072/105] arm64: cputype: Add Neoverse-V3AE definitions Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 073/105] arm64: errata: Apply workarounds for Neoverse-V3AE Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 074/105] block: fix race between set_blocksize and read paths Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 075/105] nilfs2: fix deadlock warnings caused by lock dependency in init_nilfs() Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 076/105] NFSD: Rework encoding and decoding of nfsd4_deviceid Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 077/105] NFSD: Minor cleanup in layoutcommit processing Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 078/105] NFSD: Fix last write offset handling in layoutcommit Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 079/105] xfs: rename the old_crc variable in xlog_recover_process Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 080/105] xfs: fix log CRC mismatches between i386 and other architectures Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 081/105] PM: runtime: Add new devm functions Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 082/105] iio: imu: inv_icm42600: Simplify pm_runtime setup Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 083/105] phy: cdns-dphy: Store hs_clk_rate and return it Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 084/105] phy: cadence: cdns-dphy: Fix PLL lock and O_CMN_READY polling Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 085/105] iio: imu: inv_icm42600: reorganize DMA aligned buffers in structure Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 086/105] iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 087/105] xfs: use deferred intent items for reaping crosslinked blocks Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 088/105] padata: Reset next CPU when reorder sequence wraps around Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 089/105] quota: remove unneeded return value of register_quota_format Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 090/105] fs: quota: create dedicated workqueue for quota_release_work Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 091/105] NFSD: Define a proc_layoutcommit for the FlexFiles layout type Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 092/105] vfs: Dont leak disconnected dentries on umount Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 093/105] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 094/105] phy: cadence: cdns-dphy: Update calibration wait time for startup state machine Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 095/105] PCI: Add PCI_VDEVICE_SUB helper macro Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 096/105] ixgbevf: Add support for Intel(R) E610 device Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 097/105] ixgbevf: fix getting link speed data for E610 devices Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 098/105] ixgbevf: fix mailbox API compatibility by negotiating supported features Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 099/105] nfsd: decouple the xprtsec policy check from check_nfsd_access() Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 100/105] PCI/sysfs: Ensure devices are powered for config reads (part 2) Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 101/105] ksmbd: browse interfaces list on FSCTL_QUERY_INTERFACE_INFO IOCTL Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 102/105] mm/ksm: fix flag-dropping behavior in ksm_madvise Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 103/105] PCI: j721e: Enable ACSPCIE Refclk if "ti,syscon-acspcie-proxy-ctrl" exists Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 104/105] PCI: j721e: Fix programming sequence of "strap" settings Greg Kroah-Hartman
2025-10-21 19:51 ` [PATCH 6.6 105/105] PCI: tegra194: Reset BARs when running in PCIe endpoint mode Greg Kroah-Hartman
2025-10-22 2:46 ` [PATCH 6.6 000/105] 6.6.114-rc1 review Florian Fainelli
2025-10-22 5:18 ` Hardik Garg
2025-10-22 5:34 ` Peter Schneider
2025-10-22 8:56 ` Brett A C Sheffield
2025-10-22 10:43 ` Ron Economos
2025-10-22 12:05 ` Naresh Kamboju
2025-10-22 13:09 ` Pavel Machek
2025-10-22 14:53 ` Mark Brown
2025-10-22 15:05 ` Jon Hunter
2025-10-22 16:17 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251021195022.823800236@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=sd@queasysnail.net \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).