diff mbox series

[net] net: tls: fix marking packets as decrypted

Message ID 20240530232607.82686-1-kuba@kernel.org (mailing list archive)
State Accepted
Commit a535d59432370343058755100ee75ab03c0e3f91
Delegated to: Netdev Maintainers
Headers show
Series [net] net: tls: fix marking packets as decrypted | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 904 this patch: 904
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 1 maintainers not CCed: dsahern@kernel.org
netdev/build_clang success Errors and warnings before: 906 this patch: 906
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 908 this patch: 908
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 1 this patch: 1
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-06-03--15-00 (tests: 1041)

Commit Message

Jakub Kicinski May 30, 2024, 11:26 p.m. UTC 
For TLS offload we mark packets with skb->decrypted to make sure
they don't escape the host without getting encrypted first.
The crypto state lives in the socket, so it may get detached
by a call to skb_orphan(). As a safety check - the egress path
drops all packets with skb->decrypted and no "crypto-safe" socket.

The skb marking was added to sendpage only (and not sendmsg),
because tls_device injected data into the TCP stack using sendpage.
This special case was missed when sendpage got folded into sendmsg.

Fixes: c5c37af6ecad ("tcp: Convert do_tcp_sendpages() to use MSG_SPLICE_PAGES")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
CC: dhowells@redhat.com
CC: borisp@nvidia.com
CC: john.fastabend@gmail.com
---
 net/ipv4/tcp.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Jakub Kicinski May 30, 2024, 11:29 p.m. UTC | #1 
On Thu, 30 May 2024 16:26:07 -0700 Jakub Kicinski wrote:
> For TLS offload we mark packets with skb->decrypted to make sure
> they don't escape the host without getting encrypted first.
> The crypto state lives in the socket, so it may get detached
> by a call to skb_orphan(). As a safety check - the egress path
> drops all packets with skb->decrypted and no "crypto-safe" socket.
> 
> The skb marking was added to sendpage only (and not sendmsg),
> because tls_device injected data into the TCP stack using sendpage.
> This special case was missed when sendpage got folded into sendmsg.
> 
> Fixes: c5c37af6ecad ("tcp: Convert do_tcp_sendpages() to use MSG_SPLICE_PAGES")
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Forgot to mention - compile tested only, ENODEV :(
Eric Dumazet May 31, 2024, 8:05 a.m. UTC | #2 
On Fri, May 31, 2024 at 1:29 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Thu, 30 May 2024 16:26:07 -0700 Jakub Kicinski wrote:
> > For TLS offload we mark packets with skb->decrypted to make sure
> > they don't escape the host without getting encrypted first.
> > The crypto state lives in the socket, so it may get detached
> > by a call to skb_orphan(). As a safety check - the egress path
> > drops all packets with skb->decrypted and no "crypto-safe" socket.
> >
> > The skb marking was added to sendpage only (and not sendmsg),
> > because tls_device injected data into the TCP stack using sendpage.
> > This special case was missed when sendpage got folded into sendmsg.
> >
> > Fixes: c5c37af6ecad ("tcp: Convert do_tcp_sendpages() to use MSG_SPLICE_PAGES")
> > Signed-off-by: Jakub Kicinski <kuba@kernel.org>
>
> Forgot to mention - compile tested only, ENODEV :(

Reviewed-by: Eric Dumazet <edumazet@google.com>

In net-next, we could probably move skb_cmp_decrypted(), skb_is_decrypted(),
skb_copy_decrypted() to a new include file, and define
skb_set_decrypted() helper there.
patchwork-bot+netdevbpf@kernel.org June 4, 2024, 11:20 a.m. UTC | #3 
Hello:

This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Thu, 30 May 2024 16:26:07 -0700 you wrote:
> For TLS offload we mark packets with skb->decrypted to make sure
> they don't escape the host without getting encrypted first.
> The crypto state lives in the socket, so it may get detached
> by a call to skb_orphan(). As a safety check - the egress path
> drops all packets with skb->decrypted and no "crypto-safe" socket.
> 
> The skb marking was added to sendpage only (and not sendmsg),
> because tls_device injected data into the TCP stack using sendpage.
> This special case was missed when sendpage got folded into sendmsg.
> 
> [...]

Here is the summary with links:
  - [net] net: tls: fix marking packets as decrypted
    https://git.kernel.org/netdev/net/c/a535d5943237

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 681b54e1f3a6..4d8cc2ebb64c 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1165,6 +1165,9 @@  int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size)
 
 			process_backlog++;
 
+#ifdef CONFIG_SKB_DECRYPTED
+			skb->decrypted = !!(flags & MSG_SENDPAGE_DECRYPTED);
+#endif
 			tcp_skb_entail(sk, skb);
 			copy = size_goal;