Re: [PATCH net] net: tls: fix strparser anchor skb leak on offload RX setup failure

[Vadim Fedorenko <vadim.fedorenko@linux.dev>]

On 29/04/2026 00:15, Jakub Kicinski wrote:
> When tls_set_device_offload_rx() fails at tls_dev_add(), the error path
> calls tls_sw_free_resources_rx() to clean up the SW context that was
> initialized by tls_set_sw_offload(). This function calls
> tls_sw_release_resources_rx() (which stops the strparser via
> tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context),
> but never frees the anchor skb that was allocated by alloc_skb(0) in
> tls_strp_init().
> 
> Note that tls_sw_free_resources_rx() is exclusively used for this
> "failed to start offload" code path, there's no other caller.
> 
> The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use
> the standard strparser"), because the standard strparser doesn't try
> to pre-allocate an skb.
> 
> The normal close path in tls_sk_proto_close() handles cleanup by calling
> tls_sw_strparser_done() (which calls tls_strp_done()) after dropping
> the socket lock, because tls_strp_done() does cancel_work_sync() and
> the strparser work handler takes the socket lock.
> 
> Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser")
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> ---
> CC: john.fastabend@gmail.com
> CC: sd@queasysnail.net
> ---
>   net/tls/tls.h      | 1 +
>   net/tls/tls_strp.c | 6 ++++++
>   net/tls/tls_sw.c   | 4 ++++
>   3 files changed, 11 insertions(+)
> 
> diff --git a/net/tls/tls.h b/net/tls/tls.h
> index e8f81a006520..12f44cb649c9 100644
> --- a/net/tls/tls.h
> +++ b/net/tls/tls.h
> @@ -188,6 +188,7 @@ int tls_strp_dev_init(void);
>   void tls_strp_dev_exit(void);
>   
>   void tls_strp_done(struct tls_strparser *strp);
> +void __tls_strp_done(struct tls_strparser *strp);
>   void tls_strp_stop(struct tls_strparser *strp);
>   int tls_strp_init(struct tls_strparser *strp, struct sock *sk);
>   void tls_strp_data_ready(struct tls_strparser *strp);
> diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c
> index 98e12f0ff57e..c72e88317627 100644
> --- a/net/tls/tls_strp.c
> +++ b/net/tls/tls_strp.c
> @@ -624,6 +624,12 @@ void tls_strp_done(struct tls_strparser *strp)
>   	WARN_ON(!strp->stopped);
>   
>   	cancel_work_sync(&strp->work);
> +	__tls_strp_done(strp);
> +}
> +
> +/* For setup error paths where the strparser was initialized but never armed. */
> +void __tls_strp_done(struct tls_strparser *strp)
> +{
>   	tls_strp_anchor_free(strp);
>   }
>   
> diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
> index 94d2ae0daa8c..798243eabb1f 100644
> --- a/net/tls/tls_sw.c
> +++ b/net/tls/tls_sw.c
> @@ -2624,8 +2624,12 @@ void tls_sw_free_ctx_rx(struct tls_context *tls_ctx)
>   void tls_sw_free_resources_rx(struct sock *sk)
>   {
>   	struct tls_context *tls_ctx = tls_get_ctx(sk);
> +	struct tls_sw_context_rx *ctx;
> +
> +	ctx = tls_sw_ctx_rx(tls_ctx);
>   
>   	tls_sw_release_resources_rx(sk);
> +	__tls_strp_done(&ctx->strp);
>   	tls_sw_free_ctx_rx(tls_ctx);
>   }
>   

Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>