From: Chuck Lever <cel@kernel.org>
To: john.fastabend@gmail.com, kuba@kernel.org, sd@queasysnail.net
Cc: <netdev@vger.kernel.org>, <kernel-tls-handshake@lists.linux.dev>,
Chuck Lever <chuck.lever@oracle.com>,
Hannes Reinecke <hare@suse.de>,
Alistair Francis <alistair.francis@wdc.com>
Subject: [PATCH v1 1/6] tls: Fix dangling skb pointer in tls_sw_read_sock()
Date: Thu, 5 Mar 2026 16:13:57 -0500 [thread overview]
Message-ID: <20260305211402.39408-2-cel@kernel.org> (raw)
In-Reply-To: <20260305211402.39408-1-cel@kernel.org>
From: Chuck Lever <chuck.lever@oracle.com>
Evaluating a dangling pointer is undefined behavior under the C
standard. In tls_sw_read_sock(), consume_skb(skb) in the fully-
consumed path frees the skb, but the "do { } while (skb)" loop
condition then evaluates that freed pointer. Although the value is
never dereferenced -- the loop either continues and overwrites skb,
or exits -- any future change that adds a dereference between
consume_skb() and the loop condition would produce a silent
use-after-free.
Fixes: 662fbcec32f4 ("net/tls: implement ->read_sock()")
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
net/tls/tls_sw.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index a656ce235758..108d417dcfb7 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -2355,7 +2355,7 @@ int tls_sw_read_sock(struct sock *sk, read_descriptor_t *desc,
goto read_sock_end;
decrypted = 0;
- do {
+ for (;;) {
if (!skb_queue_empty(&ctx->rx_list)) {
skb = __skb_dequeue(&ctx->rx_list);
rxm = strp_msg(skb);
@@ -2406,10 +2406,11 @@ int tls_sw_read_sock(struct sock *sk, read_descriptor_t *desc,
goto read_sock_requeue;
} else {
consume_skb(skb);
+ skb = NULL;
if (!desc->count)
- skb = NULL;
+ break;
}
- } while (skb);
+ }
read_sock_end:
tls_rx_reader_release(sk, ctx);
--
2.53.0
next prev parent reply other threads:[~2026-03-05 21:14 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-05 21:13 [PATCH v1 0/6] TLS read_sock performance scalability Chuck Lever
2026-03-05 21:13 ` Chuck Lever [this message]
2026-03-05 22:19 ` [PATCH v1 1/6] tls: Fix dangling skb pointer in tls_sw_read_sock() Jakub Kicinski
2026-03-06 14:33 ` Chuck Lever
2026-03-05 21:13 ` [PATCH v1 2/6] tls: Factor tls_strp_msg_release() from tls_strp_msg_done() Chuck Lever
2026-03-05 21:13 ` [PATCH v1 3/6] tls: Suppress spurious saved_data_ready during read_sock Chuck Lever
2026-03-05 21:14 ` [PATCH v1 4/6] tls: Flush backlog before tls_rx_rec_wait in read_sock Chuck Lever
2026-03-05 21:14 ` [PATCH v1 5/6] tls: Restructure tls_sw_read_sock() into submit/deliver phases Chuck Lever
2026-03-05 21:14 ` [PATCH v1 6/6] tls: Enable batch async decryption in read_sock Chuck Lever
2026-03-10 3:14 ` [PATCH v1 0/6] TLS read_sock performance scalability Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260305211402.39408-2-cel@kernel.org \
--to=cel@kernel.org \
--cc=alistair.francis@wdc.com \
--cc=chuck.lever@oracle.com \
--cc=hare@suse.de \
--cc=john.fastabend@gmail.com \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=sd@queasysnail.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox