* [PATCH net] net: tls: fix marking packets as decrypted
@ 2024-05-30 23:26 Jakub Kicinski
2024-05-30 23:29 ` Jakub Kicinski
2024-06-04 11:20 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 4+ messages in thread
From: Jakub Kicinski @ 2024-05-30 23:26 UTC (permalink / raw)
To: davem
Cc: netdev, edumazet, pabeni, sd, Jakub Kicinski, dhowells, borisp, john.fastabend
For TLS offload we mark packets with skb->decrypted to make sure
they don't escape the host without getting encrypted first.
The crypto state lives in the socket, so it may get detached
by a call to skb_orphan(). As a safety check - the egress path
drops all packets with skb->decrypted and no "crypto-safe" socket.
The skb marking was added to sendpage only (and not sendmsg),
because tls_device injected data into the TCP stack using sendpage.
This special case was missed when sendpage got folded into sendmsg.
Fixes: c5c37af6ecad ("tcp: Convert do_tcp_sendpages() to use MSG_SPLICE_PAGES")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
CC: dhowells@redhat.com
CC: borisp@nvidia.com
CC: john.fastabend@gmail.com
---
net/ipv4/tcp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 681b54e1f3a6..4d8cc2ebb64c 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1165,6 +1165,9 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size)
process_backlog++;
+#ifdef CONFIG_SKB_DECRYPTED
+ skb->decrypted = !!(flags & MSG_SENDPAGE_DECRYPTED);
+#endif
tcp_skb_entail(sk, skb);
copy = size_goal;
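Review bot: the new assignment right before tcp_skb_entail() is unconditional, so every freshly entailed skb on the sendmsg path now takes skb->decrypted straight from the caller's flags; since this now runs on the common sendmsg path rather than the old sendpage-only one, it is worth confirming that MSG_SENDPAGE_DECRYPTED is masked out of user-supplied msg_flags before they reach tcp_sendmsg_locked(). A second point on the same hunk: the marking is only applied on the branch that allocates a new skb, so when data is appended to an existing tail skb that skb keeps whatever marking it received when it was entailed; a one-line comment stating that the per-skb value is fixed at entail time would save the next reader from checking the append path. Minor style point: the bare #ifdef CONFIG_SKB_DECRYPTED block in tcp.c could be replaced by a helper next to skb_cmp_decrypted()/skb_copy_decrypted() (the skb_set_decrypted() Eric suggests below for net-next), keeping the ifdef out of the hot path.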
--
2.45.1
* Re: [PATCH net] net: tls: fix marking packets as decrypted
From: Jakub Kicinski @ 2024-05-30 23:29 UTC (permalink / raw)
To: davem; +Cc: netdev, edumazet, pabeni, sd, dhowells, borisp, john.fastabend
On Thu, 30 May 2024 16:26:07 -0700 Jakub Kicinski wrote:
> For TLS offload we mark packets with skb->decrypted to make sure
> they don't escape the host without getting encrypted first.
> The crypto state lives in the socket, so it may get detached
> by a call to skb_orphan(). As a safety check - the egress path
> drops all packets with skb->decrypted and no "crypto-safe" socket.
>
> The skb marking was added to sendpage only (and not sendmsg),
> because tls_device injected data into the TCP stack using sendpage.
> This special case was missed when sendpage got folded into sendmsg.
>
> Fixes: c5c37af6ecad ("tcp: Convert do_tcp_sendpages() to use MSG_SPLICE_PAGES")
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Forgot to mention - compile tested only, ENODEV :(
* Re: [PATCH net] net: tls: fix marking packets as decrypted
From: Eric Dumazet @ 2024-05-31 8:05 UTC (permalink / raw)
To: Jakub Kicinski
Cc: davem, netdev, pabeni, sd, dhowells, borisp, john.fastabend
On Fri, May 31, 2024 at 1:29 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Thu, 30 May 2024 16:26:07 -0700 Jakub Kicinski wrote:
> > For TLS offload we mark packets with skb->decrypted to make sure
> > they don't escape the host without getting encrypted first.
> > The crypto state lives in the socket, so it may get detached
> > by a call to skb_orphan(). As a safety check - the egress path
> > drops all packets with skb->decrypted and no "crypto-safe" socket.
> >
> > The skb marking was added to sendpage only (and not sendmsg),
> > because tls_device injected data into the TCP stack using sendpage.
> > This special case was missed when sendpage got folded into sendmsg.
> >
> > Fixes: c5c37af6ecad ("tcp: Convert do_tcp_sendpages() to use MSG_SPLICE_PAGES")
> > Signed-off-by: Jakub Kicinski <kuba@kernel.org>
>
> Forgot to mention - compile tested only, ENODEV :(
Reviewed-by: Eric Dumazet <edumazet@google.com>
In net-next, we could probably move skb_cmp_decrypted(), skb_is_decrypted(),
skb_copy_decrypted() to a new include file, and define
skb_set_decrypted() helper there.
* Re: [PATCH net] net: tls: fix marking packets as decrypted
From: patchwork-bot+netdevbpf @ 2024-06-04 11:20 UTC (permalink / raw)
To: Jakub Kicinski
Cc: davem, netdev, edumazet, pabeni, sd, dhowells, borisp, john.fastabend
Hello:
This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:
On Thu, 30 May 2024 16:26:07 -0700 you wrote:
> For TLS offload we mark packets with skb->decrypted to make sure
> they don't escape the host without getting encrypted first.
> The crypto state lives in the socket, so it may get detached
> by a call to skb_orphan(). As a safety check - the egress path
> drops all packets with skb->decrypted and no "crypto-safe" socket.
>
> The skb marking was added to sendpage only (and not sendmsg),
> because tls_device injected data into the TCP stack using sendpage.
> This special case was missed when sendpage got folded into sendmsg.
>
> [...]
Here is the summary with links:
- [net] net: tls: fix marking packets as decrypted
https://git.kernel.org/netdev/net/c/a535d5943237
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html