tls: Stricter error checking in zerocopy sendmsg path (30a7a7b0) · Commits · Kirill Smelkov / linux

Commit 30a7a7b0 authored Jul 12, 2018 by

Dave Watson Committed by Greg Kroah-Hartman Jul 22, 2018

tls: Stricter error checking in zerocopy sendmsg path

commit 32da1221 upstream.

In the zerocopy sendmsg() path, there are error checks to revert
the zerocopy if we get any error code.  syzkaller has discovered
that tls_push_record can return -ECONNRESET, which is fatal, and
happens after the point at which it is safe to revert the iter,
as we've already passed the memory to do_tcp_sendpages.

Previously this code could return -ENOMEM and we would want to
revert the iter, but AFAIK this no longer returns ENOMEM after
a447da7d ("tls: fix waitall behavior in tls_sw_recvmsg"),
so we fail for all error codes.

Reported-by: syzbot+c226690f7b3126c5ee04@syzkaller.appspotmail.com
Reported-by: syzbot+709f2810a6a05f11d4d3@syzkaller.appspotmail.com
Signed-off-by: Dave Watson <davejwatson@fb.com>
Fixes: 3c4d7559 ("tls: kernel TLS support")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent d9bb71d7

Hide whitespace changes

Inline Side-by-side

View file @ 30a7a7b0

...	@@ -449,7 +449,7 @@ int tls_sw_sendmsg(struct sock sk, struct msghdr msg, size_t size)	...	@@ -449,7 +449,7 @@ int tls_sw_sendmsg(struct sock sk, struct msghdr msg, size_t size)
	ret = tls_push_record(sk, msg->msg_flags, record_type);		ret = tls_push_record(sk, msg->msg_flags, record_type);
	if (!ret)		if (!ret)
	continue;		continue;
	if (ret == -EAGAIN)		if (ret < 0)
	goto send_end;		goto send_end;

	copied -= try_to_copy;		copied -= try_to_copy;
...		...

Please register or to comment