hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I990AF CVE: CVE-2021-47131
--------------------------------
This patch resolves the KABI break introduced by backporting commit c55dcdd435aa ("net/tls: Fix use-after-free after the TLS device goes down and up").
Fixes: c55dcdd435aa ("net/tls: Fix use-after-free after the TLS device goes down and up")
Signed-off-by: Ziyang Xuan william.xuanziyang@huawei.com
---
 include/net/tls.h | 12 ++++++++++--
 net/tls/tls_device.c | 4 +++-
 net/tls/tls_main.c | 8 +++++---
 3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/include/net/tls.h b/include/net/tls.h
index 83040729a6a62..b891f09bba909 100644
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -227,8 +227,6 @@ struct tls_context {
 u16 pending_open_record_frags;
 int (*push_pending_record)(struct sock *sk, int flags);
- struct sock *sk;
-
 void (*sk_write_space)(struct sock *sk);
 void (*sk_destruct)(struct sock *sk);
 void (*sk_proto_close)(struct sock *sk, long timeout);
@@ -243,6 +241,16 @@ struct tls_context {
 void (*unhash)(struct sock *sk);
 };
+struct tls_context_wrapper {
+ struct tls_context ctx;
+ struct sock *sk;
+};
+
+static inline struct tls_context_wrapper *tls_ctx_wrapper(const struct tls_context *ctx)
+{
+ return (struct tls_context_wrapper *)ctx;
+}
+
 struct tls_offload_context_rx {
 /* sw must be the first member of tls_offload_context_rx */
 struct tls_sw_context_rx sw;
diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
index 70f53b5f444cd..223ea69266b0f 100644
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -978,6 +978,7 @@ void tls_device_offload_cleanup_rx(struct sock *sk)
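Review bot: `tls_ctx_wrapper()` in include/net/tls.h casts any `const struct tls_context *` to the wrapper type, which silently drops the const qualifier and is only valid for a context that was allocated inside a `struct tls_context_wrapper` with `ctx` as its first member. Nothing in the header states or enforces that; a context obtained any other way would make the `ctx_wrapper->sk` access in `tls_device_down()` (the tls_device.c hunk) read past the end of its allocation. I would write the body as `return container_of(ctx, struct tls_context_wrapper, ctx);` and put a comment above the struct along the lines of `/* ctx must be the first member; the wrapper exists only to keep sk out of the KABI-frozen tls_context */`, in the same spirit as the existing comment on `tls_offload_context_rx`. Whether `create_ctx()` is the only allocation site for `struct tls_context` in this tree cannot be seen from the diff and should be confirmed.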
 static int tls_device_down(struct net_device *netdev)
 {
+ struct tls_context_wrapper *ctx_wrapper;
 struct tls_context *ctx, *tmp;
 unsigned long flags;
 LIST_HEAD(list);
@@ -999,7 +1000,8 @@ static int tls_device_down(struct net_device *netdev)
 /* Stop offloaded TX and switch to the fallback.
 * tls_is_sk_tx_device_offloaded will return false.
 */
- WRITE_ONCE(ctx->sk->sk_validate_xmit_skb, tls_validate_xmit_skb_sw);
+ ctx_wrapper = tls_ctx_wrapper(ctx);
+ WRITE_ONCE(ctx_wrapper->sk->sk_validate_xmit_skb, tls_validate_xmit_skb_sw);
 /* Stop the RX and TX resync.
 * tls_dev_resync must not be called after tls_dev_del.
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index b3eafb85b8e16..9182314cc99a6 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -550,17 +550,19 @@ static int tls_setsockopt(struct sock *sk, int level, int optname,
 static struct tls_context *create_ctx(struct sock *sk)
 {
 struct inet_connection_sock *icsk = inet_csk(sk);
+ struct tls_context_wrapper *ctx_wrapper;
 struct tls_context *ctx;
- ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
- if (!ctx)
+ ctx_wrapper = kzalloc(sizeof(*ctx_wrapper), GFP_ATOMIC);
+ if (!ctx_wrapper)
 return NULL;
+ ctx = &ctx_wrapper->ctx;
 icsk->icsk_ulp_data = ctx;
 ctx->setsockopt = sk->sk_prot->setsockopt;
 ctx->getsockopt = sk->sk_prot->getsockopt;
 ctx->sk_proto_close = sk->sk_prot->close;
- ctx->sk = sk;
+ ctx_wrapper->sk = sk;
 return ctx;
 }
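Review bot: The pointer stored in `icsk->icsk_ulp_data` by `create_ctx()` is now `&ctx_wrapper->ctx` rather than the address returned by `kzalloc()`, so every path that later frees the context is correct only while `ctx` sits at offset 0 of `struct tls_context_wrapper`. The free paths are outside this diff, so I am assuming they still hand the `tls_context` pointer to `kfree()` or `kfree_rcu()` unchanged. A compile-time guard next to the allocation would stop a later reordering of the wrapper from turning that into a free of an interior pointer: `BUILD_BUG_ON(offsetof(struct tls_context_wrapper, ctx) != 0);`.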