From: Sabrina Dubroca <sd@queasysnail.net>
To: Chuck Lever <cel@kernel.org>
Cc: John Fastabend <john.fastabend@gmail.com>,
Jakub Kicinski <kuba@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Simon Horman <horms@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, kernel-tls-handshake@lists.linux.dev,
Chuck Lever <chuck.lever@oracle.com>,
Sagi Grimberg <sagi@grimberg.me>
Subject: Re: [PATCH net-next v11 1/6] tls: Avoid evaluating freed skb in tls_sw_read_sock() loop
Date: Wed, 27 May 2026 19:17:47 +0200 [thread overview]
Message-ID: <ahcnO2S7QfhTBNhK@krikkit> (raw)
In-Reply-To: <20260526-tls-read-sock-v11-1-244fe1dc4abd@oracle.com>
2026-05-26, 10:21:31 -0400, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
>
> tls_sw_read_sock() ends its receive loop with while (skb), but
> the else branch in the body calls consume_skb(skb) before the
> predicate is re-evaluated. A pointer becomes indeterminate when
> the object it points to reaches end-of-lifetime (C2011 6.2.4p2),
> and using an indeterminate value is undefined behavior (Annex
> J.2). The pointer is not dereferenced today -- the predicate
> either exits the loop or skb is overwritten at the top of the
> next iteration -- but any future change that adds a dereference
> between consume_skb() and the predicate would silently introduce
> a use-after-free.
>
> Replace the do/while form with an explicit for(;;) loop so
> termination happens through a break statement rather than
> predicate evaluation of a freed pointer.
>
> Cc: Sagi Grimberg <sagi@grimberg.me>
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
> net/tls/tls_sw.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
--
Sabrina
next prev parent reply other threads:[~2026-05-27 17:17 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-26 14:21 [PATCH net-next v11 0/6] tls: receive-path fixes and clean-ups Chuck Lever
2026-05-26 14:21 ` [PATCH net-next v11 1/6] tls: Avoid evaluating freed skb in tls_sw_read_sock() loop Chuck Lever
2026-05-27 9:46 ` Hannes Reinecke
2026-05-27 17:17 ` Sabrina Dubroca [this message]
2026-05-26 14:21 ` [PATCH net-next v11 2/6] tls: Re-present partially-consumed records in tls_sw_read_sock() Chuck Lever
2026-05-27 9:48 ` Hannes Reinecke
2026-05-27 17:14 ` Sabrina Dubroca
2026-05-26 14:21 ` [PATCH net-next v11 3/6] tls: Move decrypt-failure abort into tls_rx_one_record() Chuck Lever
2026-05-26 14:21 ` [PATCH net-next v11 4/6] tls: Factor tls_strp_msg_consume() from tls_strp_msg_done() Chuck Lever
2026-05-27 17:31 ` Sabrina Dubroca
2026-05-26 14:21 ` [PATCH net-next v11 5/6] tls: Suppress spurious saved_data_ready on all receive paths Chuck Lever
2026-05-27 9:51 ` Hannes Reinecke
2026-05-26 14:21 ` [PATCH net-next v11 6/6] tls: Flush backlog before waiting for a new record Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ahcnO2S7QfhTBNhK@krikkit \
--to=sd@queasysnail.net \
--cc=cel@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=john.fastabend@gmail.com \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox