From: Jakub Kicinski jakub.kicinski@netronome.com
[ Upstream commit 57c722e932cfb82e9820bbaae1b1f7222ea97b52 ]
Now that we swap the original proto and clear the ULP pointer on close we have to make sure no callback will try to access the freed state. sk_write_space is not part of sk_prot, remember to swap it.
Reported-by: syzbot+dcdc9deefaec44785f32@syzkaller.appspotmail.com Fixes: 95fa145479fb ("bpf: sockmap/tls, close can race with map free") Signed-off-by: Jakub Kicinski jakub.kicinski@netronome.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/tls/tls_main.c | 1 + 1 file changed, 1 insertion(+)
--- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -301,6 +301,7 @@ static void tls_sk_proto_close(struct so #else { #endif + sk->sk_write_space = ctx->sk_write_space; tls_ctx_free(ctx); ctx = NULL; }