From: Eric Dumazet <eduma...@google.com>
Date: Tue, 30 Jun 2020 16:41:01 -0700
> MD5 keys are read with RCU protection, and tcp_md5_do_add()
> might update in-place a prior key.
>
> Normally, typical RCU updates would allocate a new piece
> of memory. In this case only key->key and key->keylen might
> be updated, and we do not care if an incoming packet could
> see the old key, the new one, or some intermediate value,
> since changing the key on a live flow is known to be problematic
> anyway.
>
> We only want to make sure that in the case key->keylen
> is changed, cpus in tcp_md5_hash_key() wont try to use
> uninitialized data, or crash because key->keylen was
> read twice to feed sg_init_one() and ahash_request_set_crypt()
>
> Fixes: 9ea88a153001 ("tcp: md5: check md5 signature without socket lock")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Cc: Mathieu Desnoyers <mathieu.desnoy...@efficios.com>
Applied and queued up for -stable, thanks Eric.
