diff mbox series

[net,1/2] net: tls, fix WARNIING in __sk_msg_free

Message ID 20240110220124.452746-2-john.fastabend@gmail.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series tls fixes for SPLICE with more hint | expand

Checks

Context Check Description
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for net
netdev/ynl success SINGLE THREAD; Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1113 this patch: 1113
netdev/cc_maintainers success CCed 0 of 0 maintainers
netdev/build_clang success Errors and warnings before: 1140 this patch: 1140
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 1140 this patch: 1140
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 12 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

John Fastabend Jan. 10, 2024, 10:01 p.m. UTC
A splice with MSG_SPLICE_PAGES will cause tls code to use the
tls_sw_sendmsg_splice path in the TLS sendmsg code to move the user
provided pages from the msg into the msg_pl. This will loop over the
msg until msg_pl is full, checked by sk_msg_full(msg_pl). The user
can also set the MORE flag to hint stack to delay sending until receiving
more pages and ideally a full buffer.

If the user adds more pages to the msg than can fit in the msg_pl
scatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and send
the buffer anyways.

What actually happens though is we abort the msg to msg_pl scatterlist
setup and then because we forget to set 'full record' indicating we
can no longer consume data without a send we fallthrough to the 'continue'
path which will check if msg_data_left(msg) has more bytes to send and
then attempts to fit them in the already full msg_pl. Then next
iteration of sender doing send will encounter a full msg_pl and throw
the warning in the syzbot report.

To fix simply check if we have a full_record in splice code path and
if not send the msg regardless of MORE flag.

Reported-and-tested-by: syzbot+f2977222e0e95cec15c8@syzkaller.appspotmail.com
Reported-by: Edward Adam Davis <eadavis@qq.com>
Fixes: fe1e81d4f73b ("tls/sw: Support MSG_SPLICE_PAGES")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
---
 net/tls/tls_sw.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Jakub Kicinski Jan. 12, 2024, 1:05 a.m. UTC | #1
On Wed, 10 Jan 2024 14:01:23 -0800 John Fastabend wrote:
> A splice with MSG_SPLICE_PAGES will cause tls code to use the
> tls_sw_sendmsg_splice path in the TLS sendmsg code to move the user
> provided pages from the msg into the msg_pl. This will loop over the
> msg until msg_pl is full, checked by sk_msg_full(msg_pl). The user
> can also set the MORE flag to hint stack to delay sending until receiving
> more pages and ideally a full buffer.
> 
> If the user adds more pages to the msg than can fit in the msg_pl
> scatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and send
> the buffer anyways.
> 
> What actually happens though is we abort the msg to msg_pl scatterlist
> setup and then because we forget to set 'full record' indicating we
> can no longer consume data without a send we fallthrough to the 'continue'
> path which will check if msg_data_left(msg) has more bytes to send and
> then attempts to fit them in the already full msg_pl. Then next
> iteration of sender doing send will encounter a full msg_pl and throw
> the warning in the syzbot report.
> 
> To fix simply check if we have a full_record in splice code path and
> if not send the msg regardless of MORE flag.

Reviewed-by: Jakub Kicinski <kuba@kernel.org>
diff mbox series

Patch

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index e37b4d2e2acd..31e8a94dfc11 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1052,7 +1052,11 @@  static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg,
 			if (ret < 0)
 				goto send_end;
 			tls_ctx->pending_open_record_frags = true;
-			if (full_record || eor || sk_msg_full(msg_pl))
+
+			if (sk_msg_full(msg_pl))
+				full_record = true;
+
+			if (full_record || eor)
 				goto copied;
 			continue;
 		}