From: Jakub Kicinski
Date: Thu, 21 May 2026 00:23:56 +0000 (-0700)
Subject: Merge branch 'bpf-skmsg-fix-verdict-sk_data_ready-racing-with-ktls-rx'
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4a2844dcc04d05103fc108804489f9d6b3ac52a8;p=thirdparty%2Fkernel%2Flinux.git

Merge branch 'bpf-skmsg-fix-verdict-sk_data_ready-racing-with-ktls-rx'

Xingwang Xiang says:

====================
bpf, skmsg: fix verdict sk_data_ready racing with ktls rx

sk_psock_verdict_data_ready() lacks the tls_sw_has_ctx_rx() guard that
sk_psock_strp_data_ready() gained in e91de6afa81c. When a socket is
inserted into a sockmap (BPF_SK_SKB_VERDICT) before TLS RX is configured,
the missing guard causes tcp_read_skb() to drain sk_receive_queue without
advancing copied_seq, leaving a dangling frag_list pointer that
tls_decrypt_sg() walks — a use-after-free.

Patch 1 mirrors the fix from e91de6afa81c: add the tls_sw_has_ctx_rx()
check to sk_psock_verdict_data_ready() so that when a TLS RX context is
present the function defers to psock->saved_data_ready (sock_def_readable)
instead of calling tcp_read_skb().

Patch 2 adds a selftest that drives the vulnerable sequence end-to-end
and verifies recv() returns the correct decrypted data.
====================

Link: https://patch.msgid.link/20260517145630.20521-1-v3rdant.xiang@gmail.com
Signed-off-by: Jakub Kicinski
---

4a2844dcc04d05103fc108804489f9d6b3ac52a8
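
A backport check for the fix described above, as an added example that is not part of the commit or the kernel tree: it reports whether sk_psock_verdict_data_ready() itself calls tls_sw_has_ctx_rx(), because a plain text search also matches the guard that sk_psock_strp_data_ready() already carries. The C snippets are constructed, simplified stand-ins; drain_queue() and the Python function names are hypothetical.

```python
import re

FUNC = "sk_psock_verdict_data_ready"   # function the commit message names
GUARD = "tls_sw_has_ctx_rx"            # guard the fix adds to it

def function_body(code, name):
    """Return the text inside the braces of the definition of `name`, or None."""
    # Definition = name, paren-free parameter list, '{'; prototypes and calls fail.
    m = re.search(r"\b%s\s*\([^;{}()]*\)\s*\{" % re.escape(name), code)
    if m is None:
        return None
    depth = 1
    for i in range(m.end(), len(code)):
        if code[i] == "{":
            depth += 1
        elif code[i] == "}":
            depth -= 1
            if depth == 0:
                return code[m.end():i]
    return None  # unbalanced braces, e.g. a truncated file

def verdict_guard_status(source):
    """Return 'guarded', 'unguarded' or 'absent' for one C source text."""
    # Drop comments first so a guard that is only mentioned does not count.
    code = re.sub(r"/\*.*?\*/|//[^\n]*", "", source, flags=re.S)
    body = function_body(code, FUNC)
    if body is None:
        return "absent"
    return "guarded" if re.search(r"\b%s\s*\(" % GUARD, body) else "unguarded"

# Constructed, simplified stand-ins (not kernel code); drain_queue() is hypothetical.
STRP = """static void sk_psock_strp_data_ready(struct sock *sk)
{
    if (tls_sw_has_ctx_rx(sk))
        psock->saved_data_ready(sk);
}
"""
UNPATCHED = STRP + """static void sk_psock_verdict_data_ready(struct sock *sk)
{
    /* guard still missing here: tls_sw_has_ctx_rx(sk) */
    drain_queue(sk);
}
"""
PATCHED = STRP + """static void sk_psock_verdict_data_ready(struct sock *sk)
{
    if (tls_sw_has_ctx_rx(sk)) { psock->saved_data_ready(sk); return; }
    drain_queue(sk);
}
"""
```

Pass the text of the source file that defines the function in the tree under review to verdict_guard_status(); the file path is not given on this page.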