Patch "net: tls, fix WARNIING in __sk_msg_free" has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    net: tls, fix WARNIING in __sk_msg_free

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-tls-fix-warniing-in-__sk_msg_free.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 19492de3c552887cef0ff926ea771a5119f6eede
Author: John Fastabend <john.fastabend@xxxxxxxxx>
Date:   Fri Jan 12 16:32:57 2024 -0800

    net: tls, fix WARNIING in __sk_msg_free
    
    [ Upstream commit dc9dfc8dc629e42f2234e3327b75324ffc752bc9 ]
    
    A splice with MSG_SPLICE_PAGES will cause tls code to use the
    tls_sw_sendmsg_splice path in the TLS sendmsg code to move the user
    provided pages from the msg into the msg_pl. This will loop over the
    msg until msg_pl is full, checked by sk_msg_full(msg_pl). The user
    can also set the MORE flag to hint stack to delay sending until receiving
    more pages and ideally a full buffer.
    
    If the user adds more pages to the msg than can fit in the msg_pl
    scatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and send
    the buffer anyways.
    
    What actually happens though is we abort the msg to msg_pl scatterlist
    setup and then because we forget to set 'full record' indicating we
    can no longer consume data without a send we fallthrough to the 'continue'
    path which will check if msg_data_left(msg) has more bytes to send and
    then attempts to fit them in the already full msg_pl. Then next
    iteration of sender doing send will encounter a full msg_pl and throw
    the warning in the syzbot report.
    
    To fix simply check if we have a full_record in splice code path and
    if not send the msg regardless of MORE flag.
    
    Reported-and-tested-by: syzbot+f2977222e0e95cec15c8@xxxxxxxxxxxxxxxxxxxxxxxxx
    Reported-by: Edward Adam Davis <eadavis@xxxxxx>
    Fixes: fe1e81d4f73b ("tls/sw: Support MSG_SPLICE_PAGES")
    Reviewed-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: John Fastabend <john.fastabend@xxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 27cc0f0a90e1..dba523cdc73d 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1052,7 +1052,11 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg,
 			if (ret < 0)
 				goto send_end;
 			tls_ctx->pending_open_record_frags = true;
-			if (full_record || eor || sk_msg_full(msg_pl))
+
+			if (sk_msg_full(msg_pl))
+				full_record = true;
+
+			if (full_record || eor)
 				goto copied;
 			continue;
 		}




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux