All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH net v2 0/2] tls fixes for SPLICE with more hint
@ 2024-01-13  0:32 John Fastabend
  2024-01-13  0:32 ` [PATCH net v2 1/2] net: tls, fix WARNIING in __sk_msg_free John Fastabend
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: John Fastabend @ 2024-01-13  0:32 UTC (permalink / raw)
  To: netdev, eadavis, kuba; +Cc: john.fastabend, bpf, borisp

Syzbot found a splat where it tried to splice data over a tls socket
with the more hint and sending greater than the number of frags that
fit in a msg scatterlist. This resulted in an error where we do not
correctly send the data when the msg sg is full. The more flag being
just a hint not a strict contract. This then results in the syzbot
warning on the next send.

Edward generated an initial patch for this which checked for a full
msg on entry to the sendmsg hook.  This fixed the WARNING, but didn't
fully resolve the issue because the full msg_pl scatterlist was never
sent resulting in a stuck socket. In this series instead avoid the
situation by forcing the send on the splice that fills the scatterlist.

Also in original thread I mentioned it didn't seem to be enough to
simply fix the send on full sg problem. That was incorrect and was
really a bug in my test program that was hanging the test program.
I had setup a repair socket and wasn't handling it correctly so my
tester got stuck.

Thanks. Please review. Fix in patch 1 and test in patch 2.

v2: use SPLICE_F_ flag names instead of cryptic 0xe

John Fastabend (2):
  net: tls, fix WARNIING in __sk_msg_free
  net: tls, add test to capture error on large splice

 net/tls/tls_sw.c                  |  6 +++++-
 tools/testing/selftests/net/tls.c | 14 ++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

-- 
2.33.0


^ permalink raw reply	[flat|nested] 5+ messages in thread
* [PATCH net v2 1/2] net: tls, fix WARNIING in __sk_msg_free
  2024-01-13  0:32 [PATCH net v2 0/2] tls fixes for SPLICE with more hint John Fastabend
@ 2024-01-13  0:32 ` John Fastabend
  2024-01-13  0:32 ` [PATCH net v2 2/2] net: tls, add test to capture error on large splice John Fastabend
  2024-01-14 12:20 ` [PATCH net v2 0/2] tls fixes for SPLICE with more hint patchwork-bot+netdevbpf
  2 siblings, 0 replies; 5+ messages in thread
From: John Fastabend @ 2024-01-13  0:32 UTC (permalink / raw)
  To: netdev, eadavis, kuba; +Cc: john.fastabend, bpf, borisp

A splice with MSG_SPLICE_PAGES will cause tls code to use the
tls_sw_sendmsg_splice path in the TLS sendmsg code to move the user
provided pages from the msg into the msg_pl. This will loop over the
msg until msg_pl is full, checked by sk_msg_full(msg_pl). The user
can also set the MORE flag to hint stack to delay sending until receiving
more pages and ideally a full buffer.

If the user adds more pages to the msg than can fit in the msg_pl
scatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and send
the buffer anyways.

What actually happens though is we abort the msg to msg_pl scatterlist
setup and then because we forget to set 'full record' indicating we
can no longer consume data without a send we fallthrough to the 'continue'
path which will check if msg_data_left(msg) has more bytes to send and
then attempts to fit them in the already full msg_pl. Then next
iteration of sender doing send will encounter a full msg_pl and throw
the warning in the syzbot report.

To fix simply check if we have a full_record in splice code path and
if not send the msg regardless of MORE flag.

Reported-and-tested-by: syzbot+f2977222e0e95cec15c8@syzkaller.appspotmail.com
Reported-by: Edward Adam Davis <eadavis@qq.com>
Fixes: fe1e81d4f73b ("tls/sw: Support MSG_SPLICE_PAGES")
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
---
 net/tls/tls_sw.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index e37b4d2e2acd..31e8a94dfc11 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1052,7 +1052,11 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg,
 			if (ret < 0)
 				goto send_end;
 			tls_ctx->pending_open_record_frags = true;
-			if (full_record || eor || sk_msg_full(msg_pl))
+
+			if (sk_msg_full(msg_pl))
+				full_record = true;
+
+			if (full_record || eor)
 				goto copied;
 			continue;
 		}
-- 
2.33.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [PATCH net v2 2/2] net: tls, add test to capture error on large splice
  2024-01-13  0:32 [PATCH net v2 0/2] tls fixes for SPLICE with more hint John Fastabend
  2024-01-13  0:32 ` [PATCH net v2 1/2] net: tls, fix WARNIING in __sk_msg_free John Fastabend
@ 2024-01-13  0:32 ` John Fastabend
  2024-01-13  2:45   ` Jakub Kicinski
  2024-01-14 12:20 ` [PATCH net v2 0/2] tls fixes for SPLICE with more hint patchwork-bot+netdevbpf
  2 siblings, 1 reply; 5+ messages in thread
From: John Fastabend @ 2024-01-13  0:32 UTC (permalink / raw)
  To: netdev, eadavis, kuba; +Cc: john.fastabend, bpf, borisp

syzbot found an error with how splice() is handled with a msg greater
than 32. This was fixed in previous patch, but lets add a test for
it to ensure it continues to work.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
---
 tools/testing/selftests/net/tls.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c
index 464853a7f982..7799e042a971 100644
--- a/tools/testing/selftests/net/tls.c
+++ b/tools/testing/selftests/net/tls.c
@@ -707,6 +707,20 @@ TEST_F(tls, splice_from_pipe)
 	EXPECT_EQ(memcmp(mem_send, mem_recv, send_len), 0);
 }
 
+TEST_F(tls, splice_more)
+{
+	unsigned int f = SPLICE_F_NONBLOCK | SPLICE_F_MORE | SPLICE_F_GIFT;
+	int send_len = TLS_PAYLOAD_MAX_LEN;
+	char mem_send[TLS_PAYLOAD_MAX_LEN];
+	int i, send_pipe = 1;
+	int p[2];
+
+	ASSERT_GE(pipe(p), 0);
+	EXPECT_GE(write(p[1], mem_send, send_len), 0);
+	for (i = 0; i < 32; i++)
+		EXPECT_EQ(splice(p[0], NULL, self->fd, NULL, send_pipe, f), 1);
+}
+
 TEST_F(tls, splice_from_pipe2)
 {
 	int send_len = 16000;
-- 
2.33.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH net v2 2/2] net: tls, add test to capture error on large splice
  2024-01-13  0:32 ` [PATCH net v2 2/2] net: tls, add test to capture error on large splice John Fastabend
@ 2024-01-13  2:45   ` Jakub Kicinski
  0 siblings, 0 replies; 5+ messages in thread
From: Jakub Kicinski @ 2024-01-13  2:45 UTC (permalink / raw)
  To: John Fastabend; +Cc: netdev, eadavis, bpf, borisp

On Fri, 12 Jan 2024 16:32:58 -0800 John Fastabend wrote:
> syzbot found an error with how splice() is handled with a msg greater
> than 32. This was fixed in previous patch, but lets add a test for
> it to ensure it continues to work.
> 
> Signed-off-by: John Fastabend <john.fastabend@gmail.com>

Reviewed-by: Jakub Kicinski <kuba@kernel.org>

tnx!

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH net v2 0/2] tls fixes for SPLICE with more hint
  2024-01-13  0:32 [PATCH net v2 0/2] tls fixes for SPLICE with more hint John Fastabend
  2024-01-13  0:32 ` [PATCH net v2 1/2] net: tls, fix WARNIING in __sk_msg_free John Fastabend
  2024-01-13  0:32 ` [PATCH net v2 2/2] net: tls, add test to capture error on large splice John Fastabend
@ 2024-01-14 12:20 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 5+ messages in thread
From: patchwork-bot+netdevbpf @ 2024-01-14 12:20 UTC (permalink / raw)
  To: John Fastabend; +Cc: netdev, eadavis, kuba, bpf, borisp

Hello:

This series was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:

On Fri, 12 Jan 2024 16:32:56 -0800 you wrote:
> Syzbot found a splat where it tried to splice data over a tls socket
> with the more hint and sending greater than the number of frags that
> fit in a msg scatterlist. This resulted in an error where we do not
> correctly send the data when the msg sg is full. The more flag being
> just a hint not a strict contract. This then results in the syzbot
> warning on the next send.
> 
> [...]

Here is the summary with links:
  - [net,v2,1/2] net: tls, fix WARNIING in __sk_msg_free
    https://git.kernel.org/netdev/net/c/dc9dfc8dc629
  - [net,v2,2/2] net: tls, add test to capture error on large splice
    https://git.kernel.org/netdev/net/c/034ea1305e65

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-01-14 12:20 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-01-13  0:32 [PATCH net v2 0/2] tls fixes for SPLICE with more hint John Fastabend
2024-01-13  0:32 ` [PATCH net v2 1/2] net: tls, fix WARNIING in __sk_msg_free John Fastabend
2024-01-13  0:32 ` [PATCH net v2 2/2] net: tls, add test to capture error on large splice John Fastabend
2024-01-13  2:45   ` Jakub Kicinski
2024-01-14 12:20 ` [PATCH net v2 0/2] tls fixes for SPLICE with more hint patchwork-bot+netdevbpf

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.