CVE-2021-47131

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
15/03/2024
Last modified:
27/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net/tls: Fix use-after-free after the TLS device goes down and up

When a netdev with active TLS offload goes down, tls_device_down is called to stop the offload and tear down the TLS context. However, the socket stays alive, and it still points to the TLS context, which is now deallocated. If a netdev goes up, while the connection is still active, and the data flow resumes after a number of TCP retransmissions, it will lead to a use-after-free of the TLS context.

This commit addresses this bug by keeping the context alive until its normal destruction, and implements the necessary fallbacks, so that the connection can resume in software (non-offloaded) kTLS mode.

On the TX side tls_sw_fallback is used to encrypt all packets. The RX side already has all the necessary fallbacks, because receiving non-decrypted packets is supported. The thing needed on the RX side is to block resync requests, which are normally produced after receiving non-decrypted packets.

The necessary synchronization is implemented for a graceful teardown: first the fallbacks are deployed, then the driver resources are released (it used to be possible to have a tls_dev_resync after tls_dev_del).

A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback mode. It's used to skip the RX resync logic completely, as it becomes useless, and some objects may be released (for example, resync_async, which is allocated and freed by the driver).

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.18 (including) 5.10.43 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.12.10 (excluding)
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*
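
The following check is an added example, not part of the original advisory: it tests a `uname -r` style release string against the upstream ranges in the table above. The function names are hypothetical, and the `5.13-rc5` bound is only the exclusive upper limit standing in for "rc1 through rc4".

```python
import platform
import re

# Upstream ranges from the table: (first affected, first not affected).
AFFECTED_RANGES = [
    ("4.18", "5.10.43"),
    ("5.11", "5.12.10"),
    ("5.13-rc1", "5.13-rc5"),  # rc1..rc4 are listed; rc5 is the exclusive bound
]

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def sort_key(release):
    """Turn '5.10.42-generic' or '5.13.0-rc3+' into a comparable tuple."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    # A release candidate sorts before the final release of the same version.
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))


def is_affected(release):
    """True if the upstream version falls inside one of the listed ranges."""
    key = sort_key(release)
    return any(sort_key(lo) <= key < sort_key(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    running = platform.release()
    verdict = "inside" if is_affected(running) else "outside"
    print(f"{running}: {verdict} the upstream affected ranges")
```

Distribution kernels often backport fixes without changing the upstream version number, so a match here is a prompt to check the vendor's advisory, not proof that the fix is missing.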