From: sashiko-bot@kernel.org
To: "Jakub Kicinski" <kuba@kernel.org>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH net v2 2/4] net: tls: prevent chain-after-chain in plain text SG
Date: Wed, 13 May 2026 00:10:11 +0000 [thread overview]
Message-ID: <20260513001011.AE1E0C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260511174920.433155-3-kuba@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] The patch fails to handle empty TLS records (size == 0, start == end) when a BPF program pops all data, leading to a chain-after-chain kernel panic or premature scatterlist termination.
--
commit a19dc6e44cc96cee4ac7cb297275155ee108e228
Author: Jakub Kicinski <kuba@kernel.org>
net: tls: prevent chain-after-chain in plain text SG
This commit adjusts the scatterlist chaining logic in tls_push_record() to
prevent an illegal chain-after-chain configuration when end = 0.
> diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
> index 2608b0c01849f..3bfdaf5e64f50 100644
> --- a/net/tls/tls_sw.c
> +++ b/net/tls/tls_sw.c
> @@ -789,21 +789,33 @@ static int tls_push_record(struct sock *sk, int flags,
> i = msg_pl->sg.end;
> sk_msg_iter_var_prev(i);
Does this code handle the case where a BPF program pops all data and leaves
an empty record where msg_pl->sg.size == 0 and start == end?
[ ... ]
> + if (i < msg_pl->sg.start)
> + sg_chain(msg_pl->sg.data, ARRAY_SIZE(msg_pl->sg.data),
> + msg_pl->sg.data);
If start == end == 0, i wraps to NR_MSG_FRAG_IDS - 1. The condition
i < msg_pl->sg.start evaluates to false, skipping the wrap link.
> rec->content_type = record_type;
> if (prot->version == TLS_1_3_VERSION) {
> /* Add content type to end of message. No padding added */
> sg_set_buf(&rec->sg_content_type, &rec->content_type, 1);
> sg_mark_end(&rec->sg_content_type);
> - sg_chain(msg_pl->sg.data, msg_pl->sg.end + 1,
> - &rec->sg_content_type);
> + sg_chain(msg_pl->sg.data, i + 2, &rec->sg_content_type);
In the start == end == 0 scenario, the content type link is placed at
data[NR_MSG_FRAG_IDS].
If start == end > 0 (for example, start = 5 and end = 5), i becomes 4.
The condition i < msg_pl->sg.start is true, so the wrap link is created.
Here, msg_pl->sg.data is chained at i + 2 (which is 6, meaning data[5])
to rec->sg_content_type.
> } else {
> sg_mark_end(sk_msg_elem(msg_pl, i));
> }
>
> - if (msg_pl->sg.end < msg_pl->sg.start)
> - sg_chain(msg_pl->sg.data, ARRAY_SIZE(msg_pl->sg.data),
> - msg_pl->sg.data);
> -
> i = msg_pl->sg.start;
> sg_chain(rec->sg_aead_in, 2, &msg_pl->sg.data[i]);
When start == end == 0, sg_aead_in chains to data[0]. Since the list starting
at data[0] never links to data[NR_MSG_FRAG_IDS], the scatterlist iterator
might hit a premature SG_END at data[0] instead of finding the content type
link. Can this cause the crypto API to fail because the expected cryptlen
is not satisfied?
When start == end > 0 (e.g., 5), sg_aead_in is chained to msg_pl->sg.data[5].
Since data[5] is already a chain link to rec->sg_content_type, doesn't this
result in an illegal chain-after-chain configuration that the scatterlist API
cannot resolve?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260511174920.433155-1-kuba@kernel.org?part=2
next prev parent reply other threads:[~2026-05-13 0:10 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 17:49 [PATCH net v2 0/4] net: tls: net: tls: fix a few random bugs Jakub Kicinski
2026-05-11 17:49 ` [PATCH net v2 1/4] net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring Jakub Kicinski
2026-05-12 10:21 ` Sabrina Dubroca
2026-05-11 17:49 ` [PATCH net v2 2/4] net: tls: prevent chain-after-chain in plain text SG Jakub Kicinski
2026-05-12 11:09 ` Sabrina Dubroca
2026-05-12 16:03 ` Jakub Kicinski
2026-05-12 22:30 ` Sabrina Dubroca
2026-05-13 0:14 ` Jakub Kicinski
2026-05-13 0:10 ` sashiko-bot [this message]
2026-05-11 17:49 ` [PATCH net v2 3/4] net: tls: fix use-after-free in tls_sw_sendmsg_locked after bpf verdict Jakub Kicinski
2026-05-12 9:47 ` Jiayuan Chen
2026-05-12 16:04 ` Jakub Kicinski
2026-05-13 0:39 ` sashiko-bot
2026-05-11 17:49 ` [PATCH net v2 4/4] net: tls: remove bad rollback and UAF on ENOSPC Jakub Kicinski
2026-05-13 1:39 ` sashiko-bot
2026-05-14 11:18 ` Paolo Abeni
2026-05-14 12:55 ` Sabrina Dubroca
2026-05-14 14:55 ` Jakub Kicinski
2026-05-14 15:05 ` Sabrina Dubroca
2026-05-14 15:09 ` Jakub Kicinski
2026-05-12 9:28 ` [PATCH net v2 0/4] net: tls: net: tls: fix a few random bugs Jakub Sitnicki
2026-05-12 9:37 ` Sabrina Dubroca
2026-05-14 11:30 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260513001011.AE1E0C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=kuba@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.