[PATCH] net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption

[PATCH] net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption

[Muhammad Alifa Ramdhan]

The -EBUSY handling in tls_do_encryption(), introduced by commit
859054147318 ("net: tls: handle backlogging of crypto requests"), has
a use-after-free due to double cleanup of encrypt_pending and the
scatterlist entry.

When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to
the cryptd backlog and the async callback tls_encrypt_done() will be
invoked upon completion. That callback unconditionally restores the
scatterlist entry (sge->offset, sge->length) and decrements
ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an
error, the synchronous error path in tls_do_encryption() performs the
same cleanup again, double-decrementing encrypt_pending and
double-restoring the scatterlist.

The double-decrement corrupts the encrypt_pending sentinel (initialized
to 1), making tls_encrypt_async_wait() permanently skip the wait for
pending async callbacks. A subsequent sendmsg can then free the
tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still
pending, resulting in a use-after-free when the callback fires on the
freed record.

Fix this by skipping the synchronous cleanup when the -EBUSY async
wait returns an error, since the callback has already handled
encrypt_pending and sge restoration.

Fixes: 859054147318 ("net: tls: handle backlogging of crypto requests")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
---
 net/tls/tls_sw.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -584,6 +584,16 @@ static int tls_do_encryption(struct sock *sk,
 	if (rc == -EBUSY) {
 		rc = tls_encrypt_async_wait(ctx);
 		rc = rc ?: -EINPROGRESS;
+		/*
+		 * The async callback tls_encrypt_done() has already
+		 * decremented encrypt_pending and restored the sge on
+		 * both success and error. Skip the synchronous cleanup
+		 * below on error, just remove the record and return.
+		 */
+		if (rc != -EINPROGRESS) {
+			list_del(&rec->list);
+			return rc;
+		}
 	}
 	if (!rc || rc != -EINPROGRESS) {
 		atomic_dec(&ctx->encrypt_pending);
--
2.43.0

Re: [PATCH] net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption

[Sabrina Dubroca]

2026-04-03, 09:36:17 +0800, Muhammad Alifa Ramdhan wrote:
> The -EBUSY handling in tls_do_encryption(), introduced by commit
> 859054147318 ("net: tls: handle backlogging of crypto requests"), has
> a use-after-free due to double cleanup of encrypt_pending and the
> scatterlist entry.
> 
> When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to
> the cryptd backlog and the async callback tls_encrypt_done() will be
> invoked upon completion. That callback unconditionally restores the
> scatterlist entry (sge->offset, sge->length) and decrements
> ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an
> error, the synchronous error path in tls_do_encryption() performs the
> same cleanup again, double-decrementing encrypt_pending and
> double-restoring the scatterlist.
> 
> The double-decrement corrupts the encrypt_pending sentinel (initialized
> to 1), making tls_encrypt_async_wait() permanently skip the wait for
> pending async callbacks. A subsequent sendmsg can then free the
> tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still
> pending, resulting in a use-after-free when the callback fires on the
> freed record.
> 
> Fix this by skipping the synchronous cleanup when the -EBUSY async
> wait returns an error, since the callback has already handled
> encrypt_pending and sge restoration.
> 
> Fixes: 859054147318 ("net: tls: handle backlogging of crypto requests")
> Cc: stable@vger.kernel.org
> Signed-off-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
> ---
>  net/tls/tls_sw.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)

Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>

-- 
Sabrina

Re: [PATCH] net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Fri,  3 Apr 2026 09:36:17 +0800 you wrote:
> The -EBUSY handling in tls_do_encryption(), introduced by commit
> 859054147318 ("net: tls: handle backlogging of crypto requests"), has
> a use-after-free due to double cleanup of encrypt_pending and the
> scatterlist entry.
> 
> When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to
> the cryptd backlog and the async callback tls_encrypt_done() will be
> invoked upon completion. That callback unconditionally restores the
> scatterlist entry (sge->offset, sge->length) and decrements
> ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an
> error, the synchronous error path in tls_do_encryption() performs the
> same cleanup again, double-decrementing encrypt_pending and
> double-restoring the scatterlist.
> 
> [...]

Here is the summary with links:
  - net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
    https://git.kernel.org/netdev/net/c/a9b8b18364ff

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html