netdev.vger.kernel.org archive mirror
* various TLS bug fixes...
@ 2019-08-20 23:05 David Miller
From: David Miller @ 2019-08-20 23:05 UTC (permalink / raw)
  To: netdev; +Cc: jakub.kicinski


Jakub,

I just did a batch of networking -stable submissions, however I ran
into some troubles with the various TLS backports.

I was able to backport commit 414776621d10 ("net/tls: prevent
skb_orphan() from leaking TLS plain text with offload") to v5.2
but not to v4.19

I was not able to backport neither d85f01775850 ("net: tls, fix
sk_write_space NULL write when tx disabled") nor commit 57c722e932cf
("net/tls: swap sk_write_space on close") to any release.  It seems
like there are a bunch of dependencies and perhaps other fixes.

I suspect you've triaged through this already on your side for other
reasons, so perhaps you could help come up with a sane set of TLS
bug fix backports that would be appropriate for -stable?

Thanks!



* Re: various TLS bug fixes...
From: Jakub Kicinski @ 2019-08-21  0:24 UTC (permalink / raw)
  To: David Miller; +Cc: netdev

On Tue, 20 Aug 2019 16:05:17 -0700 (PDT), David Miller wrote:
> Jakub,
> 
> I just did a batch of networking -stable submissions, however I ran
> into some troubles with the various TLS backports.

Yes, the TLS back ports are a little messy :S

> I was able to backport commit 414776621d10 ("net/tls: prevent
> skb_orphan() from leaking TLS plain text with offload") to v5.2
> but not to v4.19

We can probably leave that out of v4.19. The only practical scenario
where the issue occurs to my knowledge is if admin configured TC
redirect, or netem in the setup. Let me know if you'd rather we did the
backport, I'm not 100% sure the risk/benefit ratio is favourable.

> I was not able to backport neither d85f01775850 ("net: tls, fix
> sk_write_space NULL write when tx disabled") nor commit 57c722e932cf
> ("net/tls: swap sk_write_space on close") to any release.  It seems
> like there are a bunch of dependencies and perhaps other fixes.

Right, those should still be applicable but John and I rejigged 
the close path quite a bit. I think the back port would be this:

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 4c0ac79f82d4..3288bdff9889 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -301,6 +301,8 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
 #else
        {
 #endif
+               if (sk->sk_write_space == tls_write_space)
+                       sk->sk_write_space = ctx->sk_write_space;
                tls_ctx_free(ctx);
                ctx = NULL;
        }
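Review bot: the restore is ordered correctly ahead of tls_ctx_free(ctx), since a write-space wakeup arriving after the free would otherwise still reach tls_write_space with a context that no longer exists; what the hunk does not show is the `#if` side of the `#else` at the top of the context, so please confirm that the path which does not enter this block also puts the original callback back, or the TLS callback stays installed on a socket with no context. The `if (sk->sk_write_space == tls_write_space)` guard is the right shape: it only undoes the swap TLS itself made and leaves a callback that another layer installed on top of TLS untouched.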

> I suspect you've triaged through this already on your side for other
> reasons, so perhaps you could help come up with a sane set of TLS
> bug fix backports that would be appropriate for -stable?

I'm planning to spend tomorrow working exactly on v4.19 backport. 
I have internal reports of openssl failing on v4.19 while v4.20 
works fine.. Hopefully I'll be able to figure that one out, test the
above and see if there are any other missing fixes.

Is it okay if I come back to this tomorrow?

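A user-space model of the callback swap the hunk above undoes on close, added here as an illustration and not code from the thread or the kernel; the field names mirror the hunk, while the wakeup counters, `tls_attach` and `tls_close` are constructed stand-ins:

```c
#include <stdlib.h>
/* Constructed model (not kernel code) of the sk_write_space swap in the hunk. */
struct sock;
typedef void (*write_space_fn)(struct sock *);
struct tls_context {
    write_space_fn sk_write_space;  /* original callback, saved at setup */
    int pending;                    /* stand-in for TLS tx state */
};
struct sock {
    write_space_fn sk_write_space;
    struct tls_context *tls_ctx;    /* stand-in for the ctx lookup */
    int plain_wakeups;              /* wakeups reaching the original callback */
    int tls_wakeups;                /* wakeups reaching the TLS callback */
};

static void sock_def_write_space(struct sock *sk) { sk->plain_wakeups++; }

/* TLS callback: reads ctx, so it must never run once ctx has been freed. */
static void tls_write_space(struct sock *sk)
{
    sk->tls_wakeups++;
    sk->tls_ctx->pending = 0;
}

static void tls_attach(struct sock *sk)
{
    struct tls_context *ctx = calloc(1, sizeof(*ctx));
    ctx->sk_write_space = sk->sk_write_space;  /* remember the original */
    sk->tls_ctx = ctx;
    sk->sk_write_space = tls_write_space;       /* swap ours in */
}

/* Mirrors the hunk: restore the original only while ours is installed, before ctx is freed. */
static void tls_close(struct sock *sk)
{
    struct tls_context *ctx = sk->tls_ctx;
    if (sk->sk_write_space == tls_write_space)
        sk->sk_write_space = ctx->sk_write_space;
    free(ctx);
    sk->tls_ctx = NULL;
}

/* Returns 1 if a wakeup fired after close lands on the original callback. */
int wakeup_after_close_is_safe(void)
{
    struct sock sk = { .sk_write_space = sock_def_write_space };
    tls_attach(&sk);
    sk.sk_write_space(&sk);  /* TLS path active: touches ctx */
    tls_close(&sk);
    sk.sk_write_space(&sk);  /* must reach the original; ctx is gone */
    return sk.plain_wakeups == 1 && sk.tls_wakeups == 1;
}
```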

* Re: various TLS bug fixes...
From: John Fastabend @ 2019-08-21  5:18 UTC (permalink / raw)
  To: Jakub Kicinski, David Miller; +Cc: netdev

Jakub Kicinski wrote:
> On Tue, 20 Aug 2019 16:05:17 -0700 (PDT), David Miller wrote:
> > Jakub,
> > 
> > I just did a batch of networking -stable submissions, however I ran
> > into some troubles with the various TLS backports.
> 
> Yes, the TLS back ports are a little messy :S
> 
> > I was able to backport commit 414776621d10 ("net/tls: prevent
> > skb_orphan() from leaking TLS plain text with offload") to v5.2
> > but not to v4.19
> 
> We can probably leave that out of v4.19. The only practical scenario
> where the issue occurs to my knowledge is if admin configured TC
> redirect, or netem in the setup. Let me know if you'd rather we did the
> backport, I'm not 100% sure the risk/benefit ratio is favourable.
> 
> > I was not able to backport neither d85f01775850 ("net: tls, fix
> > sk_write_space NULL write when tx disabled") nor commit 57c722e932cf
> > ("net/tls: swap sk_write_space on close") to any release.  It seems
> > like there are a bunch of dependencies and perhaps other fixes.
> 
> Right, those should still be applicable but John and I rejigged 
> the close path quite a bit. I think the back port would be this:

Looks correct to me but would need to double check as well.

> 
> diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
> index 4c0ac79f82d4..3288bdff9889 100644
> --- a/net/tls/tls_main.c
> +++ b/net/tls/tls_main.c
> @@ -301,6 +301,8 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
>  #else
>         {
>  #endif
> +               if (sk->sk_write_space == tls_write_space)
> +                       sk->sk_write_space = ctx->sk_write_space;
>                 tls_ctx_free(ctx);
>                 ctx = NULL;
>         }
> 
> > I suspect you've triaged through this already on your side for other
> > reasons, so perhaps you could help come up with a sane set of TLS
> > bug fix backports that would be appropriate for -stable?
> 
> I'm planning to spend tomorrow working exactly on v4.19 backport. 
> I have internal reports of openssl failing on v4.19 while v4.20 
> works fine.. Hopefully I'll be able to figure that one out, test the
> above and see if there are any other missing fixes.
> 
> Is it okay if I come back to this tomorrow?

Is the failure with hw offload or sw case? If it's sendpage related
looks like we also need to push the following patch back to 4.19,

commit 648ee6cea7dde4a5cdf817e5d964fd60b22006a4
Author: John Fastabend <john.fastabend@gmail.com>
Date:   Wed Jun 12 17:23:57 2019 +0000

    net: tls, correctly account for copied bytes with multiple sk_msgs

If you have more details I can also spend some cycles looking into it.

.John


* Re: various TLS bug fixes...
From: Jakub Kicinski @ 2019-08-21  6:51 UTC (permalink / raw)
  To: John Fastabend; +Cc: David Miller, netdev

On Tue, 20 Aug 2019 22:18:30 -0700, John Fastabend wrote:
> > > I suspect you've triaged through this already on your side for other
> > > reasons, so perhaps you could help come up with a sane set of TLS
> > > bug fix backports that would be appropriate for -stable?  
> > 
> > I'm planning to spend tomorrow working exactly on v4.19 backport. 
> > I have internal reports of openssl failing on v4.19 while v4.20 
> > works fine.. Hopefully I'll be able to figure that one out, test the
> > above and see if there are any other missing fixes.
> > 
> > Is it okay if I come back to this tomorrow?  
> 
> Is the failure with hw offload or sw case? 

SW case, strangely enough. Large file transfer, I think with openssl
client..

> If it's sendpage related looks like we also need to push the following
> patch back to 4.19,
>
> commit 648ee6cea7dde4a5cdf817e5d964fd60b22006a4
> Author: John Fastabend <john.fastabend@gmail.com>
> Date:   Wed Jun 12 17:23:57 2019 +0000
> 
>     net: tls, correctly account for copied bytes with multiple sk_msgs

I had a quick look at that, but the commit in Fixes is not in v4.19.

> If you have more details I can also spend some cycles looking into it.

Awesome, I'll let you know what the details are as soon as I get them.


* Re: various TLS bug fixes...
From: Jakub Kicinski @ 2019-08-21 18:03 UTC (permalink / raw)
  To: John Fastabend; +Cc: David Miller, netdev

On Tue, 20 Aug 2019 23:51:12 -0700, Jakub Kicinski wrote:
> > If you have more details I can also spend some cycles looking into it.  
> 
> Awesome, I'll let you know what the details are as soon as I get them.

Just a quick update on that.

The test case is nginx running with ktls offload.

The client (hurl or openssl client) requests a file of ~2M, but only
44K ever gets across (not even sure which side sees an error at this
point, outputs are pretty quiet).


* Re: various TLS bug fixes...
From: Jakub Kicinski @ 2019-08-21 22:55 UTC (permalink / raw)
  To: John Fastabend; +Cc: David Miller, netdev

On Wed, 21 Aug 2019 11:03:46 -0700, Jakub Kicinski wrote:
> On Tue, 20 Aug 2019 23:51:12 -0700, Jakub Kicinski wrote:
> > > If you have more details I can also spend some cycles looking into it.    
> > 
> > Awesome, I'll let you know what the details are as soon as I get them.  
> 
> Just a quick update on that.
> 
> The test case is nginx running with ktls offload.
> 
> The client (hurl or openssl client) requests a file of ~2M, but only
> 44K ever gets across (not even sure which side sees an error at this
> point, outputs are pretty quiet).

I had a look, it's this:

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 6848a8196711..8a05e4bf1c58 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -370,7 +370,8 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
 
        lock_sock(sk);
 
-       if (tls_complete_pending_work(sk, tls_ctx, msg->msg_flags, &timeo))
+       ret = tls_complete_pending_work(sk, tls_ctx, msg->msg_flags, &timeo);
+       if (ret)
                goto send_end;
 
        if (unlikely(msg->msg_controllen)) {
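Review bot: `ret` must already be declared at this point and the `send_end` label must return it, neither of which is visible in the hunk, so please check both in the v4.19 tree before applying. With the old `if (tls_complete_pending_work(...)) goto send_end;` the negative error code was tested and then thrown away, so the function reached send_end with whatever `ret` already held; a caller then sees a zero or stale byte count instead of a retryable error, which fits the transfer that stops after 44K described above. Worth a look at whether the sendpage path John mentioned has the same shape before the backport goes out.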

Which is commit 150085791afb ("net/tls: Fixed return value when
tls_complete_pending_work() fails"). 

I also tried to test what we described previously for sk_write_space
and it seems to work okay (although TBH I'm not sure my testing is 100%
here, I can't reliably trigger that race in the first place).

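As an added illustration, not the kernel's code, a constructed model of the return-value bug behind the hunk above, with a caller loop showing why a dropped error code looks like a short transfer; `complete_pending_work`, `encrypt_and_queue` and `send_file` are stand-ins, not kernel functions:

```c
#include <errno.h>
#include <stddef.h>
/* Constructed stand-in (not kernel code): 0 on success, negative errno otherwise. */
static int complete_pending_work(int pending_fails)
{
    return pending_fails ? -EAGAIN : 0;
}

static int encrypt_and_queue(size_t size) { return (int)size; }

/* Before the fix: the failure is detected but its code is dropped, so the
 * caller sees 0 bytes sent instead of -EAGAIN. */
int sendmsg_before(size_t size, int pending_fails)
{
    int ret = 0;
    if (complete_pending_work(pending_fails))
        goto send_end;
    ret = encrypt_and_queue(size);
send_end:
    return ret;
}

/* After the fix (the shape of the hunk above): the error reaches the caller. */
int sendmsg_after(size_t size, int pending_fails)
{
    int ret = complete_pending_work(pending_fails);
    if (ret)
        goto send_end;
    ret = encrypt_and_queue(size);
send_end:
    return ret;
}

/* A writer loop as a caller would write it: a 0 return reads as "no progress"
 * and ends the loop early, while -EAGAIN is retried. Returns the number of
 * bytes the caller believes were sent. */
size_t send_file(int (*send_fn)(size_t, int), size_t total, size_t chunk,
                 size_t fail_at_chunk)
{
    size_t sent = 0, n = 0;
    while (sent < total) {
        int r = send_fn(chunk, n == fail_at_chunk);
        n++;
        if (r == -EAGAIN)
            continue;            /* transient: retry the same chunk */
        if (r <= 0)
            break;               /* 0 looks like a dead connection */
        sent += (size_t)r;
    }
    return sent;
}
```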
