* [PATCH] tls: fix encrypt_pending refcount leak on -EBUSY error path
From: WenTao Liang @ 2026-06-12 2:01 UTC (permalink / raw)
To: john.fastabend, kuba, sd, davem, edumazet, pabeni
Cc: horms, netdev, linux-kernel, WenTao Liang, stable

In tls_do_encryption(), when crypto_aead_encrypt() returns -EBUSY,
tls_encrypt_async_wait() drains pending completions and restores
encrypt_pending to 1, expecting the caller to issue the final
decrement. However, if tls_encrypt_async_wait() returns an error
(rc != -EINPROGRESS), the function returns early at the error
cleanup block without decrementing encrypt_pending.

Since the -EBUSY path never submitted the request to the crypto
engine, tls_encrypt_done() callback will not fire for this request,
and the synchronous cleanup path (atomic_dec at line 599) is also
skipped. This leaves encrypt_pending permanently elevated by 1.

Fix the leak by adding atomic_dec(&ctx->encrypt_pending) before
returning on the -EBUSY error path.

Cc: stable@vger.kernel.org
Fixes: a9b8b18364ff ("net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption")
Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
---
net/tls/tls_sw.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 964ebc268ee4..97cfe06b1529 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -591,6 +591,7 @@ static int tls_do_encryption(struct sock *sk,
* below on error, just remove the record and return.
*/
if (rc != -EINPROGRESS) {
+ atomic_dec(&ctx->encrypt_pending);
list_del(&rec->list);
return rc;
}
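Review bot: The added atomic_dec(&ctx->encrypt_pending) inside the `if (rc != -EINPROGRESS)` branch sits directly under a comment whose visible tail says to "just remove the record and return" on error, so the patch changes behaviour that the existing comment documents as intentional, without updating that comment or showing why it is wrong. The commit message rests on the claim that tls_encrypt_done() never runs for a request that returned -EBUSY, but nothing in the hunk supports that: if the request was backlogged and its completion callback has already performed the decrement, this line is a second decrement and encrypt_pending drops below the baseline the message itself describes. Before this can go in, the message should give a concrete trace of the counter value at each step of the -EBUSY path (increment, callback, tls_encrypt_async_wait(), early return) rather than citing "line 599", and the comment above the branch should be reconciled with the new behaviour.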
--
2.50.1 (Apple Git-155)
* Re: [PATCH] tls: fix encrypt_pending refcount leak on -EBUSY error path
From: Sabrina Dubroca @ 2026-06-12 10:46 UTC (permalink / raw)
To: WenTao Liang
Cc: john.fastabend, kuba, davem, edumazet, pabeni, horms, netdev,
linux-kernel, stable
2026-06-12, 10:01:33 +0800, WenTao Liang wrote:
> In tls_do_encryption(), when crypto_aead_encrypt() returns -EBUSY,
> tls_encrypt_async_wait() drains pending completions and restores
> encrypt_pending to 1, expecting the caller to issue the final
> decrement. However, if tls_encrypt_async_wait() returns an error
> (rc != -EINPROGRESS), the function returns early at the error
> cleanup block without decrementing encrypt_pending.
>
> Since the -EBUSY path never submitted the request to the crypto
> engine, tls_encrypt_done() callback will not fire for this request,
> and the synchronous cleanup path (atomic_dec at line 599) is also
> skipped. This leaves encrypt_pending permanently elevated by 1.

No. Please fix whatever scanner/LLM you're using to generate those.

--
Sabrina