git.ipfire.org Git - thirdparty/linux.git/commit

author	Chuck Lever <chuck.lever@oracle.com>
	Thu, 4 Jun 2026 17:48:24 +0000 (13:48 -0400)
committer	Jakub Kicinski <kuba@kernel.org>
	Tue, 9 Jun 2026 03:10:20 +0000 (20:10 -0700)
commit	4da7925c124a356fa2dcf45ff4defce19da9e56c
tree	721cce7141bcddef3655c1742ee22670ecb00691	tree \| snapshot
parent	69710a37bad62afc3d2f1fbf7b108e5f8b3808cd	commit \| diff

tls: Avoid evaluating freed skb in tls_sw_read_sock() loop

tls_sw_read_sock() ends its receive loop with while (skb), but
the else branch in the body calls consume_skb(skb) before the
predicate is re-evaluated. A pointer becomes indeterminate when
the object it points to reaches end-of-lifetime (C2011 6.2.4p2),
and using an indeterminate value is undefined behavior (Annex
J.2). The pointer is not dereferenced today -- the predicate
either exits the loop or skb is overwritten at the top of the
next iteration -- but any future change that adds a dereference
between consume_skb() and the predicate would silently introduce
a use-after-free.

Replace the do/while form with an explicit for(;;) loop so
termination happens through a break statement rather than
predicate evaluation of a freed pointer.

Cc: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/20260604-tls-read-sock-v12-1-b114efa6e3e2@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>