Merge branch 'tls-splice-hint-fixes'

John Fastabend says: ==================== tls fixes for SPLICE with more hint Syzbot found a splat where it tried to splice data over a tls socket with the more hint and sending greater than the number of frags that fit in a msg scatterlist. This resulted in an error where we do not correctly send the data when the msg sg is full. The more flag being just a hint not a strict contract. This then results in the syzbot warning on the next send. Edward generated an initial patch for this which checked for a full msg on entry to the sendmsg hook. This fixed the WARNING, but didn't fully resolve the issue because the full msg_pl scatterlist was never sent resulting in a stuck socket. In this series instead avoid the situation by forcing the send on the splice that fills the scatterlist. Also in original thread I mentioned it didn't seem to be enough to simply fix the send on full sg problem. That was incorrect and was really a bug in my test program that was hanging the test program. I had setup a repair socket and wasn't handling it correctly so my tester got stuck. Thanks. Please review. Fix in patch 1 and test in patch 2. v2: use SPLICE_F_ flag names instead of cryptic 0xe ==================== Signed-off-by: David S. Miller <davem@davemloft.net>

Merge branch 'tls-splice-hint-fixes'
John Fastabend says: ==================== tls fixes for SPLICE with more hint Syzbot found a splat where it tried to splice data over a tls socket with the more hint and sending greater than the number of frags that fit in a msg scatterlist. This resulted in an error where we do not correctly send the data when the msg sg is full. The more flag being just a hint not a strict contract. This then results in the syzbot warning on the next send. Edward generated an initial patch for this which checked for a full msg on entry to the sendmsg hook. This fixed the WARNING, but didn't fully resolve the issue because the full msg_pl scatterlist was never sent resulting in a stuck socket. In this series instead avoid the situation by forcing the send on the splice that fills the scatterlist. Also in original thread I mentioned it didn't seem to be enough to simply fix the send on full sg problem. That was incorrect and was really a bug in my test program that was hanging the test program. I had setup a repair socket and wasn't handling it correctly so my tester got stuck. Thanks. Please review. Fix in patch 1 and test in patch 2. v2: use SPLICE_F_ flag names instead of cryptic 0xe ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
5ef7f6b3 · David S. Miller · 894d7508 · 034ea130 · 5ef7f6b3 · 5ef7f6b3
Commit 5ef7f6b3 authored Jan 14, 2024 by David S. Miller
Show whitespace changes
Inline Side-by-side

Showing with 19 additions and 1 deletion

net/tls/tls_sw.c net/tls/tls_sw.c +5 -1

tools/testing/selftests/net/tls.c tools/testing/selftests/net/tls.c +14 -0

No files found.
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1052,7 +1052,11 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg,
 			if (ret < 0)
 				goto send_end;
 			tls_ctx->pending_open_record_frags = true;
-			if (full_record || eor || sk_msg_full(msg_pl))
+
+			if (sk_msg_full(msg_pl))
+				full_record = true;
+
+			if (full_record || eor)
 				goto copied;
 			continue;
 		}

--- a/tools/testing/selftests/net/tls.c
+++ b/tools/testing/selftests/net/tls.c
@@ -707,6 +707,20 @@ TEST_F(tls, splice_from_pipe)
 	EXPECT_EQ(memcmp(mem_send, mem_recv, send_len), 0);
 }

+TEST_F(tls, splice_more)
+{
+	unsigned int f = SPLICE_F_NONBLOCK | SPLICE_F_MORE | SPLICE_F_GIFT;
+	int send_len = TLS_PAYLOAD_MAX_LEN;
+	char mem_send[TLS_PAYLOAD_MAX_LEN];
+	int i, send_pipe = 1;
+	int p[2];
+
+	ASSERT_GE(pipe(p), 0);
+	EXPECT_GE(write(p[1], mem_send, send_len), 0);
+	for (i = 0; i < 32; i++)
+		EXPECT_EQ(splice(p[0], NULL, self->fd, NULL, send_pipe, f), 1);
+}
+
 TEST_F(tls, splice_from_pipe2)
 {
 	int send_len = 16000;