CVE-2024-26800

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 04/04/2024
Last modified: 20/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

tls: fix use-after-free on failed backlog decryption

When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done.

The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.
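The ownership problem in the description, reduced to a userspace C model. This is an added illustration, not kernel code or the upstream patch: `struct pages`, the `model_*` functions and the `fixed` switch are hypothetical, and only the function roles and the `async_done` flag come from the description. A release count of 2 stands in for the second release of already-freed pages.

```c
#include <errno.h>
#include <stdbool.h>

/* Hypothetical userspace model, not kernel code. release_count > 1 stands
 * in for the double release (use-after-free) the description reports. */
struct pages { int release_count; };

struct decrypt_ctx {
    struct pages *pg;
    bool async_done; /* callback has already released pg */
};

static void release_pages(struct pages *pg) { pg->release_count++; }
/* Role of tls_decrypt_done: the completion callback releases the pages. */
static void model_decrypt_done(struct decrypt_ctx *ctx) { release_pages(ctx->pg); }

/* Role of tls_do_decryption. aead_ret models the crypto_aead_decrypt return
 * value; final_status is what a backlogged request completes with. */
static int model_do_decryption(struct decrypt_ctx *ctx, int aead_ret,
                               int final_status, bool fixed)
{
    if (aead_ret == -EINPROGRESS)
        return 0;                 /* true async: callback runs later (not modelled) */
    if (aead_ret == -EBUSY) {
        model_decrypt_done(ctx);  /* we waited, so the callback has run */
        if (fixed)
            ctx->async_done = true;
        return final_status;
    }
    return aead_ret;              /* synchronous result, callback never ran */
}

/* Role of tls_decrypt_sg: on error, release the pages unless told not to. */
static int model_decrypt_sg(struct pages *pg, int aead_ret,
                            int final_status, bool fixed)
{
    struct decrypt_ctx ctx = { .pg = pg, .async_done = false };
    int err = model_do_decryption(&ctx, aead_ret, final_status, fixed);
    if (err && !ctx.async_done)
        release_pages(pg);
    return err;
}

int main(void)
{
    struct pages p = { 0 };
    model_decrypt_sg(&p, -EBUSY, -EBADMSG, true);
    return p.release_count == 1 ? 0 : 1;
}
```

With `fixed` set to false, the `-EBUSY` then `-EBADMSG` sequence releases the pages twice; a synchronous failure releases them once in either mode.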

Vulnerable products and versions

CPE                                                From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.6.18 (including)   6.6.21 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.7.6 (including)    6.7.9 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:*