From: John Fastabend <john.fastabend@gmail.com>
To: Edward Adam Davis <eadavis@qq.com>,
	 syzbot+f2977222e0e95cec15c8@syzkaller.appspotmail.com
Cc: andrii@kernel.org,  ast@kernel.org,  borisp@nvidia.com,
	 bpf@vger.kernel.org,  daniel@iogearbox.net,
	 davem@davemloft.net,  dhowells@redhat.com,  edumazet@google.com,
	 jakub@cloudflare.com,  john.fastabend@gmail.com,
	 kuba@kernel.org,  linux-kernel@vger.kernel.org,
	 netdev@vger.kernel.org,  pabeni@redhat.com,
	 syzkaller-bugs@googlegroups.com
Subject: RE: [PATCH] tls: fix WARNING in __sk_msg_free
Date: Tue, 09 Jan 2024 15:22:39 -0800
Message-ID: <659dd53f1652b_2796120896@john.notmuch>
In-Reply-To: <tencent_146C309740E8F6ECD2CC5C7ADA6E202D450A@qq.com>

Edward Adam Davis wrote:
> Syzbot constructed 32 scatterlists, and the data members in struct sk_msg_sg 
> can only store a maximum of MAX_MSG_FRAGS scatterlists.
> However, the value of MAX_MSG_FRAGS=CONFIG_MAX_SKB_FRAG is less than 32, which
> leads to the warning reported here.
> 
> Prevent similar issues from occurring by checking whether sg.end is greater 
> than MAX_MSG_FRAGS.
> 
> Reported-and-tested-by: syzbot+f2977222e0e95cec15c8@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  net/tls/tls_sw.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
> index e37b4d2e2acd..68dbe821f61d 100644
> --- a/net/tls/tls_sw.c
> +++ b/net/tls/tls_sw.c
> @@ -1016,6 +1016,8 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg,
>  
>  		msg_pl = &rec->msg_plaintext;
>  		msg_en = &rec->msg_encrypted;
> +		if (msg_pl->sg.end >= MAX_MSG_FRAGS)
> +			return -EINVAL;
>  
>  		orig_size = msg_pl->sg.size;
>  		full_record = false;
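Review bot: the new check returns a bare `-EINVAL` from inside the send loop, while the rest of this function reports errors via `ret = ...; goto send_end;` (see `if (ret < 0) goto send_end;` in the second hunk on this page), so the early return bypasses the function's normal exit path, and any bytes already copied into a record by this call are reported to the caller as an error rather than as a partial count. The comparison `msg_pl->sg.end >= MAX_MSG_FRAGS` also hand-rolls what the existing helper `sk_msg_full(msg_pl)`, used further down in the same function, already expresses, and a full plaintext record is an expected state that should push that record rather than be rejected as invalid input; consider setting `full_record = true` when `sk_msg_full(msg_pl)` holds so the existing send path runs, or at minimum use `ret = -EINVAL; goto send_end;` so cleanup is not skipped.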
> -- 
> 2.43.0
> 

I'll test this in a bit, but I suspect this error is because even
if the msg_pl is full (the sg.end == MAX_MSG_FRAGS) the code is
missing a full_record=true set to force the loop to do the send
and abort. My opinion is we should never iterate the loop if the
msg_pl was full.

I think something like this is actually needed.

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index e37b4d2e2acd..9cfa6f8d51e3 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1052,8 +1052,10 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg,
                        if (ret < 0)
                                goto send_end;
                        tls_ctx->pending_open_record_frags = true;
-                       if (full_record || eor || sk_msg_full(msg_pl))
+                       if (full_record || eor || sk_msg_full(msg_pl)) {
+                               full_record = true;
                                goto copied;
+                       }
                        continue;
                }
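Review bot: the added `full_record = true` fires for all three conditions of the `if`, including `eor` on a record that is not yet full, so it changes the end-of-record case as well as the full-record case the explanation above targets; if only the `sk_msg_full(msg_pl)` case needs the flag, narrow it (`if (sk_msg_full(msg_pl)) full_record = true;` before the `goto copied;`), or add a comment stating why forcing the flag on `eor` is also correct. Whether the flag actually forces the send depends on how the `copied:` path consumes `full_record`, which is outside this hunk, so the eventual commit message should spell that out, and a one-line comment above the assignment saying that a full record must be pushed before the loop runs again would help the next reader.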

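To make the control-flow argument in this reply concrete, here is an added user-space toy model of a record-filling loop; it is not kernel code and not part of this thread's patches. `MAX_FRAGS`, `FRAG_BYTES`, `struct rec`, `struct stats` and the three modes are constructed stand-ins for `MAX_MSG_FRAGS` and `sk_msg`. The baseline mode models the hypothesis above (a full record is not flagged, so the loop runs again and appends past the slot array, which is where the kernel WARNs); the reject mode models the quoted patch's early `-EINVAL`; the flush mode models forcing `full_record` so the record is pushed and a fresh one started.

```c
/* Added example: a toy model of a record-filling loop, not kernel code.
 * MAX_FRAGS, FRAG_BYTES, struct rec and the three modes are constructed
 * stand-ins for MAX_MSG_FRAGS / sk_msg so the control flow discussed in
 * the thread can be exercised in user space. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_FRAGS  4   /* stand-in for MAX_MSG_FRAGS (constructed value) */
#define FRAG_BYTES 8   /* bytes per fragment slot in this toy */

struct rec {
    int end;           /* next free slot; plays the role of sg.end */
    size_t size;       /* bytes queued in the open record */
};

struct stats {
    int records;       /* records pushed to the "wire" */
    int overflows;     /* appends past the slot array: the kernel WARNs here */
};

enum mode {
    MODE_BASELINE,     /* full record not flagged; the loop just runs again */
    MODE_REJECT,       /* quoted patch: bail out with -EINVAL when full */
    MODE_FLUSH,        /* reply's suggestion: set full_record, push, go on */
};

static int rec_full(const struct rec *r) { return r->end >= MAX_FRAGS; }

/* Returns bytes accepted or a negative errno; fills *st when non-NULL. */
static long sendmsg_model(size_t len, enum mode m, struct stats *st)
{
    struct rec r = { 0, 0 };
    struct stats local = { 0, 0 };
    size_t copied = 0;
    int full_record = 0;

    while (copied < len) {
        size_t left = len - copied;
        size_t take = left < FRAG_BYTES ? left : FRAG_BYTES;

        if (m == MODE_REJECT && rec_full(&r)) {
            if (st) *st = local;
            return -EINVAL;          /* valid send refused because a record is full */
        }
        if (rec_full(&r))
            local.overflows++;       /* would write beyond data[] in the kernel */
        else
            r.end++;
        r.size += take;
        copied += take;

        if (m == MODE_FLUSH && rec_full(&r))
            full_record = 1;         /* force the send path on a full record */

        /* Models the 'copied:' label: push only when the record is flagged
         * complete or the message is exhausted. */
        if (full_record || copied == len) {
            local.records++;
            r.end = 0;
            r.size = 0;
            full_record = 0;
        }
    }
    if (st) *st = local;
    return (long)copied;
}

/* Accessors so each statistic can be read as a plain return value. */
static int model_records(size_t len, enum mode m)
{
    struct stats st;
    sendmsg_model(len, m, &st);
    return st.records;
}

static int model_overflows(size_t len, enum mode m)
{
    struct stats st;
    sendmsg_model(len, m, &st);
    return st.overflows;
}

int main(void)
{
    static const char *names[] = { "baseline", "reject", "flush" };
    size_t len = 5 * FRAG_BYTES;   /* one fragment more than a record holds */
    for (int m = MODE_BASELINE; m <= MODE_FLUSH; m++)
        printf("%-8s sent=%ld records=%d overflows=%d\n", names[m],
               sendmsg_model(len, (enum mode)m, NULL),
               model_records(len, (enum mode)m),
               model_overflows(len, (enum mode)m));
    return 0;
}
```

With a 40-byte send and 32-byte records, the baseline completes but appends once past the array (the WARN case), the reject mode fails the whole send with `-EINVAL` even though the data is perfectly valid, and the flush mode delivers all 40 bytes across two records with no overflow, which is the behaviour the reply argues for.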
Thread overview: 6+ messages
2024-01-05 17:32 [syzbot] [bpf?] [net?] WARNING in __sk_msg_free syzbot
2024-01-09  5:34 ` Edward Adam Davis
2024-01-09 18:17   ` syzbot
2024-01-09  9:32 ` [PATCH] tls: fix " Edward Adam Davis
2024-01-09 23:22   ` John Fastabend [this message]
2024-01-10  7:53     ` John Fastabend
