From: Jakub Kicinski <jakub.kicinski@netronome.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Subject: Re: various TLS bug fixes...
Date: Tue, 20 Aug 2019 17:24:11 -0700
Message-ID: <20190820172411.70250551@cakuba.netronome.com>
In-Reply-To: <20190820.160517.617004656524634921.davem@davemloft.net>

On Tue, 20 Aug 2019 16:05:17 -0700 (PDT), David Miller wrote:
> Jakub,
> 
> I just did a batch of networking -stable submissions, however I ran
> into some troubles with the various TLS backports.

Yes, the TLS backports are a little messy :S

> I was able to backport commit 414776621d10 ("net/tls: prevent
> skb_orphan() from leaking TLS plain text with offload") to v5.2
> but not to v4.19

We can probably leave that out of v4.19. The only practical scenario
where the issue occurs to my knowledge is if admin configured TC
redirect, or netem in the setup. Let me know if you'd rather we did the
backport, I'm not 100% sure the risk/benefit ratio is favourable.

> I was not able to backport either d85f01775850 ("net: tls, fix
> sk_write_space NULL write when tx disabled") or commit 57c722e932cf
> ("net/tls: swap sk_write_space on close") to any release. It seems
> like there are a bunch of dependencies and perhaps other fixes.

Right, those should still be applicable, but John and I rejigged
the close path quite a bit. I think the backport would be this:

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 4c0ac79f82d4..3288bdff9889 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -301,6 +301,8 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
 #else
        {
 #endif
+               if (sk->sk_write_space == tls_write_space)
+                       sk->sk_write_space = ctx->sk_write_space;
                tls_ctx_free(ctx);
                ctx = NULL;
        }
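Review bot: the restore of `sk->sk_write_space` is added only under the `#else` arm of the preprocessor conditional, so the `#if` arm (not in this hunk) looks like it still reaches the end of `tls_sk_proto_close()` without it; please confirm that path cannot free the context while `sk->sk_write_space` still points at `tls_write_space`. It would also help to add a one-line comment above `if (sk->sk_write_space == tls_write_space)` stating that the comparison is what prevents installing a NULL `ctx->sk_write_space` when TX was never enabled (the case d85f01775850 fixes), since the ordering before `tls_ctx_free(ctx)` is what makes reading `ctx->sk_write_space` safe and neither point is obvious from the two added lines.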

> I suspect you've triaged through this already on your side for other
> reasons, so perhaps you could help come up with a sane set of TLS
> bug fix backports that would be appropriate for -stable?

I'm planning to spend tomorrow working exactly on the v4.19 backport.
I have internal reports of openssl failing on v4.19 while v4.20
works fine. Hopefully I'll be able to figure that one out, test the
above and see if there are any other missing fixes.

Is it okay if I come back to this tomorrow?
