git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Jakub Kicinski <kuba@kernel.org>
	Tue, 28 Apr 2026 23:15:59 +0000 (16:15 -0700)
committer	Paolo Abeni <pabeni@redhat.com>
	Thu, 30 Apr 2026 11:38:29 +0000 (13:38 +0200)
commit	58689498ca3384851145a754dbb1d8ed1cf9fb54
tree	3cb276b27203c391f68522db2fd63018ae7b3a91	tree \| snapshot
parent	47888597a3b41b5088e758ab8ca36bf624d46327	commit \| diff

net: tls: fix strparser anchor skb leak on offload RX setup failure

When tls_set_device_offload_rx() fails at tls_dev_add(), the error path
calls tls_sw_free_resources_rx() to clean up the SW context that was
initialized by tls_set_sw_offload(). This function calls
tls_sw_release_resources_rx() (which stops the strparser via
tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context),
but never frees the anchor skb that was allocated by alloc_skb(0) in
tls_strp_init().

Note that tls_sw_free_resources_rx() is exclusively used for this
"failed to start offload" code path, there's no other caller.

The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use
the standard strparser"), because the standard strparser doesn't try
to pre-allocate an skb.

The normal close path in tls_sk_proto_close() handles cleanup by calling
tls_sw_strparser_done() (which calls tls_strp_done()) after dropping
the socket lock, because tls_strp_done() does cancel_work_sync() and
the strparser work handler takes the socket lock.

Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260428231559.1358502-1-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

net/tls/tls.h		diff \| blob \| blame \| history
net/tls/tls_strp.c		diff \| blob \| blame \| history
net/tls/tls_sw.c		diff \| blob \| blame \| history