Jakub Kicinski says:
====================
net: tls: fix scatter-gather list issues
This series kicked of by a syzbot report fixes three issues around
scatter gather handling in the TLS code. First patch fixes a use-
-after-free situation which may occur if record was freed on error.
This could have already happened in BPF paths, and patch 2 now makes
the same condition occur in non-BPF code.
Patch 2 fixes the problem spotted by syzbot. If encryption failed
we have to clean the end markings from scatter gather list. As
suggested by John the patch frees the record entirely and caller
may retry copying data from user space buffer again.
Third patch fixes a bug in the TLS 1.3 code spotted while working
on patch 2. TLS 1.3 may effectively overflow the SG list which
leads to the BUG() in sg_page() being triggered.
Patch 4 adds a test case which triggers this bug reliably.
Next two patches are small cleanups of dead code and code which
makes dangerous assumptions.
Last but not least two minor improvements to the sockmap tests.
Tested:
- bpf/test_sockmap
- net/tls
- syzbot repro (which used error injection, hence no direct
selftest is added to preserve it).
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
OSDN Git Service
