From: Jakub Kicinski Date: Sat, 10 Aug 2019 01:36:23 +0000 (-0700) Subject: net/tls: swap sk_write_space on close X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=57c722e932cfb82e9820bbaae1b1f7222ea97b52;p=linux.git net/tls: swap sk_write_space on close Now that we swap the original proto and clear the ULP pointer on close we have to make sure no callback will try to access the freed state. sk_write_space is not part of sk_prot, remember to swap it. Reported-by: syzbot+dcdc9deefaec44785f32@syzkaller.appspotmail.com Fixes: 95fa145479fb ("bpf: sockmap/tls, close can race with map free") Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller --- diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index 9cbbae606ced4..ce6ef56a65ef6 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -308,6 +308,7 @@ static void tls_sk_proto_close(struct sock *sk, long timeout) if (free_ctx) icsk->icsk_ulp_data = NULL; sk->sk_prot = ctx->sk_proto; + sk->sk_write_space = ctx->sk_write_space; write_unlock_bh(&sk->sk_callback_lock); release_sock(sk); if (ctx->tx_conf == TLS_SW)
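Review bot: the added `sk->sk_write_space = ctx->sk_write_space;` in tls_sk_proto_close() carries no comment saying why it is needed next to the `sk->sk_prot = ctx->sk_proto;` restore. A one-line comment would help: sk_write_space is a field of the sock itself rather than part of sk_prot, so it has to be put back by hand, and it has to happen before `write_unlock_bh(&sk->sk_callback_lock)` so that no caller observes the original proto paired with the TLS write-space callback. Note also that the restore is unconditional while the `icsk_ulp_data = NULL` just above it is guarded by `free_ctx`; if that asymmetry is intentional, the comment should say so. The commit message names only sk_write_space; it would be worth stating there whether any other per-socket callback outside sk_prot is overridden and saved in ctx, since one left in place would still reach the freed state after close.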