Eric reports we should release the socket lock if the entire
"grab reader lock" operation has failed. The callers assume
they don't have to release it or otherwise unwind.

Reported-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+16e72110feb2b653ef27@syzkaller.appspotmail.com
Fixes: 4cbc325ed6b4 ("tls: rx: allow only one reader at a time")
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20220720203701.2179034-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
bool nonblock)
{
long timeo;
+ int err;
lock_sock(sk);
!READ_ONCE(ctx->reader_present), &wait);
remove_wait_queue(&ctx->wq, &wait);
- if (!timeo)
- return -EAGAIN;
- if (signal_pending(current))
- return sock_intr_errno(timeo);
+ if (timeo <= 0) {
+ err = -EAGAIN;
+ goto err_unlock;
+ }
+ if (signal_pending(current)) {
+ err = sock_intr_errno(timeo);
+ goto err_unlock;
+ }
}
WRITE_ONCE(ctx->reader_present, 1);
return timeo;
+
+err_unlock:
+ release_sock(sk);
+ return err;
}
static void tls_rx_reader_unlock(struct sock *sk, struct tls_sw_context_rx *ctx)
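
Review bot: the timeout test in the wait branch changes from "if (!timeo)" to "if (timeo <= 0)", but the commit message only describes the missing release_sock(), so the reason for treating a negative timeo as -EAGAIN is undocumented. Please either say in the commit message why negative values are now folded into the timeout case or split that change into its own patch, since it alters which condition is reported when timeo is negative and signal_pending(current) is also true (previously that reached sock_intr_errno(timeo), now it returns -EAGAIN). Separately, the function now returns with the socket lock held on success and dropped via err_unlock on failure; a short comment above the function stating that contract would help, given the message notes that callers assume they do not have to unwind.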