tls: restore sk_prot before calling original destructor

[PATCH net] tls: restore sk_prot before calling original destructor

Posted by Geliang Tang 2 days, 15 hours ago

From: Geliang Tang <tanggeliang@kylinos.cn>

When a TLS socket is offloaded to a TOE device, tls_toe_bypass() replaces
sk->sk_prot with a TLS-specific protocol table. On socket destruction,
tls_toe_sk_destruct() calls the original sk_destruct callback
(ctx->sk_destruct), which may rely on the original sk_prot (e.g., for
memory accounting or close handling). Without restoring sk->sk_prot
before calling ctx->sk_destruct, the destructor may access stale or
incorrect protocol functions, leading to use-after-free or kernel panic.

Add WRITE_ONCE(sk->sk_prot, ctx->sk_proto) before invoking
ctx->sk_destruct to restore the original protocol pointer. This mirrors
the restoration already done in tls_sk_proto_close() for the software
and device offload paths.

Fixes: 76f7164d02d4 ("net/tls: free ctx in sock destruct")
Co-developed-by: Gang Yan <yangang@kylinos.cn>
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
---
Hi,

This bug was identified by Sashiko during my development of "MPTCP KTLS
support" [1]. I am sending this fix separately for now.

Thanks,
-Geliang

[1]
https://patchwork.kernel.org/project/mptcp/cover/cover.1780621326.git.tanggeliang@kylinos.cn/
---
 net/tls/tls_toe.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/tls/tls_toe.c b/net/tls/tls_toe.c
index 825669e1ab47..c9c1a0952f4b 100644
--- a/net/tls/tls_toe.c
+++ b/net/tls/tls_toe.c
@@ -48,6 +48,8 @@ static void tls_toe_sk_destruct(struct sock *sk)
 	struct inet_connection_sock *icsk = inet_csk(sk);
 	struct tls_context *ctx = tls_get_ctx(sk);
 
+	WRITE_ONCE(sk->sk_prot, ctx->sk_proto);
+
 	ctx->sk_destruct(sk);
 	/* Free ctx */
 	rcu_assign_pointer(icsk->icsk_ulp_data, NULL);
-- 
2.53.0

Re: [PATCH net] tls: restore sk_prot before calling original destructor

Posted by Geliang Tang an hour ago

On Fri, 2026-06-05 at 20:57 +0800, Geliang Tang wrote:
> From: Geliang Tang <tanggeliang@kylinos.cn>
> 
> When a TLS socket is offloaded to a TOE device, tls_toe_bypass()
> replaces
> sk->sk_prot with a TLS-specific protocol table. On socket
> destruction,
> tls_toe_sk_destruct() calls the original sk_destruct callback
> (ctx->sk_destruct), which may rely on the original sk_prot (e.g., for
> memory accounting or close handling). Without restoring sk->sk_prot
> before calling ctx->sk_destruct, the destructor may access stale or
> incorrect protocol functions, leading to use-after-free or kernel
> panic.
> 
> Add WRITE_ONCE(sk->sk_prot, ctx->sk_proto) before invoking
> ctx->sk_destruct to restore the original protocol pointer. This
> mirrors
> the restoration already done in tls_sk_proto_close() for the software
> and device offload paths.
> 
> Fixes: 76f7164d02d4 ("net/tls: free ctx in sock destruct")

Sorry, this "Fixes" tag is not accurate. sk_proto was only added to
struct tls_context in commit 32857cf57f92, so it would be better to
update the "Fixes" tag as follows:

Fixes: 32857cf57f92 ("net/tls: fix transition through disconnect with
close")

If needed, I can send a v2.

Thanks,
-Geliang

> Co-developed-by: Gang Yan <yangang@kylinos.cn>
> Signed-off-by: Gang Yan <yangang@kylinos.cn>
> Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
> ---
> Hi,
> 
> This bug was identified by Sashiko during my development of "MPTCP
> KTLS
> support" [1]. I am sending this fix separately for now.
> 
> Thanks,
> -Geliang
> 
> [1]
> https://patchwork.kernel.org/project/mptcp/cover/cover.1780621326.git.tanggeliang@kylinos.cn/
> ---
>  net/tls/tls_toe.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/tls/tls_toe.c b/net/tls/tls_toe.c
> index 825669e1ab47..c9c1a0952f4b 100644
> --- a/net/tls/tls_toe.c
> +++ b/net/tls/tls_toe.c
> @@ -48,6 +48,8 @@ static void tls_toe_sk_destruct(struct sock *sk)
>  	struct inet_connection_sock *icsk = inet_csk(sk);
>  	struct tls_context *ctx = tls_get_ctx(sk);
>  
> +	WRITE_ONCE(sk->sk_prot, ctx->sk_proto);
> +
>  	ctx->sk_destruct(sk);
>  	/* Free ctx */
>  	rcu_assign_pointer(icsk->icsk_ulp_data, NULL);

Re: [PATCH net] tls: restore sk_prot before calling original destructor

Posted by MPTCP CI 2 days, 14 hours ago

Hi Geliang,

Thank you for your modifications, that's great!

Our CI did some validations and here is its report:

- KVM Validation: normal (except selftest_mptcp_join): Success! ✅
- KVM Validation: normal (only selftest_mptcp_join): Success! ✅
- KVM Validation: debug (except selftest_mptcp_join): Success! ✅
- KVM Validation: debug (only selftest_mptcp_join): Success! ✅
- KVM Validation: btf-normal (only bpftest_all): Success! ✅
- KVM Validation: btf-debug (only bpftest_all): Success! ✅
- Task: https://github.com/multipath-tcp/mptcp_net-next/actions/runs/27017157085

Initiator: Patchew Applier
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/854fb4e76a75
Patchwork: https://patchwork.kernel.org/project/mptcp/list/?series=1106620


If there are some issues, you can reproduce them using the same environment as
the one used by the CI thanks to a docker image, e.g.:

    $ cd [kernel source code]
    $ docker run -v "${PWD}:${PWD}:rw" -w "${PWD}" --privileged --rm -it \
        --pull always mptcp/mptcp-upstream-virtme-docker:latest \
        auto-normal

For more details:

    https://github.com/multipath-tcp/mptcp-upstream-virtme-docker


Please note that despite all the efforts that have been already done to have a
stable tests suite when executed on a public CI like here, it is possible some
reported issues are not due to your modifications. Still, do not hesitate to
help us improve that ;-)

Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (NGI0 Core)