Netdev List
 help / color / mirror / Atom feed
* [PATCH net] net/tls: Consume empty data records in tls_sw_read_sock()
@ 2026-06-30 19:15 Chuck Lever
  2026-07-02 18:05 ` Sabrina Dubroca
  0 siblings, 1 reply; 4+ messages in thread
From: Chuck Lever @ 2026-06-30 19:15 UTC (permalink / raw)
  To: john.fastabend, kuba, sd; +Cc: davem, edumazet, pabeni, horms, netdev

A peer may send a zero-length TLS application_data record; TLS 1.3
explicitly permits these as a traffic-analysis countermeasure (RFC
8446, Section 5.1). After decryption such a record has full_len ==
0. tls_sw_read_sock() hands it to the read_actor, which has no
payload to consume and returns zero. The loop treats a zero return
as backpressure (used <= 0), requeues the skb at the head of
rx_list, and stops. rx_list is serviced head-first on the next
call, so the empty record is dequeued, fails the same way, and is
requeued again; every later record on the connection is blocked
behind it.

tls_sw_recvmsg() does not stall on this: a zero-length data record
copies nothing and falls through to consume_skb(). Mirror that in
the read_sock() path by recognizing an empty data record before
the actor runs, consuming it, and continuing.

Fixes: 662fbcec32f4 ("net/tls: implement ->read_sock()")
Signed-off-by: Chuck Lever <cel@kernel.org>
---
 net/tls/tls_sw.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 9324e4ed20a3..d4afc90fd796 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -2115,6 +2115,17 @@ int tls_sw_read_sock(struct sock *sk, read_descriptor_t *desc,
 			goto read_sock_requeue;
 		}
 
+		/* An empty data record (legal in TLS 1.3) gives a zero
+		 * read_actor return, indistinguishable from the consumer
+		 * stalling; the used <= 0 path would requeue it at the
+		 * head of rx_list and block all later records. Consume it
+		 * here instead.
+		 */
+		if (rxm->full_len == 0) {
+			consume_skb(skb);
+			continue;
+		}
+
 		used = read_actor(desc, skb, rxm->offset, rxm->full_len);
 		if (used <= 0) {
 			if (!copied)
-- 
2.54.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH net] net/tls: Consume empty data records in tls_sw_read_sock()
  2026-06-30 19:15 [PATCH net] net/tls: Consume empty data records in tls_sw_read_sock() Chuck Lever
@ 2026-07-02 18:05 ` Sabrina Dubroca
  2026-07-02 19:52   ` Chuck Lever
  0 siblings, 1 reply; 4+ messages in thread
From: Sabrina Dubroca @ 2026-07-02 18:05 UTC (permalink / raw)
  To: Chuck Lever; +Cc: john.fastabend, kuba, davem, edumazet, pabeni, horms, netdev

2026-06-30, 15:15:51 -0400, Chuck Lever wrote:
> A peer may send a zero-length TLS application_data record; TLS 1.3
> explicitly permits these as a traffic-analysis countermeasure (RFC
> 8446, Section 5.1). After decryption such a record has full_len ==
> 0. tls_sw_read_sock() hands it to the read_actor, which has no
> payload to consume and returns zero. The loop treats a zero return
> as backpressure (used <= 0), requeues the skb at the head of
> rx_list, and stops. rx_list is serviced head-first on the next
> call, so the empty record is dequeued, fails the same way, and is
> requeued again; every later record on the connection is blocked
> behind it.
> 
> tls_sw_recvmsg() does not stall on this: a zero-length data record
> copies nothing and falls through to consume_skb(). Mirror that in
> the read_sock() path by recognizing an empty data record before
> the actor runs, consuming it, and continuing.
> 
> Fixes: 662fbcec32f4 ("net/tls: implement ->read_sock()")
> Signed-off-by: Chuck Lever <cel@kernel.org>
> ---
>  net/tls/tls_sw.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)

Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>

I think tls_sw_splice_read() suffers from a similar issue (returning 0
even though more data may be available). Sashiko agrees, and also
found a few more pre-existing issues.

-- 
Sabrina

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net] net/tls: Consume empty data records in tls_sw_read_sock()
  2026-07-02 18:05 ` Sabrina Dubroca
@ 2026-07-02 19:52   ` Chuck Lever
  2026-07-02 21:50     ` Sabrina Dubroca
  0 siblings, 1 reply; 4+ messages in thread
From: Chuck Lever @ 2026-07-02 19:52 UTC (permalink / raw)
  To: Sabrina Dubroca
  Cc: john.fastabend, Jakub Kicinski, davem, edumazet, Paolo Abeni,
	Simon Horman, netdev



On Thu, Jul 2, 2026, at 2:05 PM, Sabrina Dubroca wrote:
> 2026-06-30, 15:15:51 -0400, Chuck Lever wrote:
>> A peer may send a zero-length TLS application_data record; TLS 1.3
>> explicitly permits these as a traffic-analysis countermeasure (RFC
>> 8446, Section 5.1). After decryption such a record has full_len ==
>> 0. tls_sw_read_sock() hands it to the read_actor, which has no
>> payload to consume and returns zero. The loop treats a zero return
>> as backpressure (used <= 0), requeues the skb at the head of
>> rx_list, and stops. rx_list is serviced head-first on the next
>> call, so the empty record is dequeued, fails the same way, and is
>> requeued again; every later record on the connection is blocked
>> behind it.
>> 
>> tls_sw_recvmsg() does not stall on this: a zero-length data record
>> copies nothing and falls through to consume_skb(). Mirror that in
>> the read_sock() path by recognizing an empty data record before
>> the actor runs, consuming it, and continuing.
>> 
>> Fixes: 662fbcec32f4 ("net/tls: implement ->read_sock()")
>> Signed-off-by: Chuck Lever <cel@kernel.org>
>> ---
>>  net/tls/tls_sw.c | 11 +++++++++++
>>  1 file changed, 11 insertions(+)
>
> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
>
> I think tls_sw_splice_read() suffers from a similar issue (returning 0
> even though more data may be available). Sashiko agrees, and also
> found a few more pre-existing issues.

Do you want a v2 series with those issues addressed?


-- 
Chuck Lever

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net] net/tls: Consume empty data records in tls_sw_read_sock()
  2026-07-02 19:52   ` Chuck Lever
@ 2026-07-02 21:50     ` Sabrina Dubroca
  0 siblings, 0 replies; 4+ messages in thread
From: Sabrina Dubroca @ 2026-07-02 21:50 UTC (permalink / raw)
  To: Chuck Lever
  Cc: john.fastabend, Jakub Kicinski, davem, edumazet, Paolo Abeni,
	Simon Horman, netdev

2026-07-02, 15:52:49 -0400, Chuck Lever wrote:
> 
> 
> On Thu, Jul 2, 2026, at 2:05 PM, Sabrina Dubroca wrote:
> > 2026-06-30, 15:15:51 -0400, Chuck Lever wrote:
> >> A peer may send a zero-length TLS application_data record; TLS 1.3
> >> explicitly permits these as a traffic-analysis countermeasure (RFC
> >> 8446, Section 5.1). After decryption such a record has full_len ==
> >> 0. tls_sw_read_sock() hands it to the read_actor, which has no
> >> payload to consume and returns zero. The loop treats a zero return
> >> as backpressure (used <= 0), requeues the skb at the head of
> >> rx_list, and stops. rx_list is serviced head-first on the next
> >> call, so the empty record is dequeued, fails the same way, and is
> >> requeued again; every later record on the connection is blocked
> >> behind it.
> >> 
> >> tls_sw_recvmsg() does not stall on this: a zero-length data record
> >> copies nothing and falls through to consume_skb(). Mirror that in
> >> the read_sock() path by recognizing an empty data record before
> >> the actor runs, consuming it, and continuing.
> >> 
> >> Fixes: 662fbcec32f4 ("net/tls: implement ->read_sock()")
> >> Signed-off-by: Chuck Lever <cel@kernel.org>
> >> ---
> >>  net/tls/tls_sw.c | 11 +++++++++++
> >>  1 file changed, 11 insertions(+)
> >
> > Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
> >
> > I think tls_sw_splice_read() suffers from a similar issue (returning 0
> > even though more data may be available). Sashiko agrees, and also
> > found a few more pre-existing issues.
> 
> Do you want a v2 series with those issues addressed?

I'd be ok with this patch going in on its own, and the other issues
being addressed separately. If you have time to look into those,
that'd be great.

-- 
Sabrina

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-07-02 21:50 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-30 19:15 [PATCH net] net/tls: Consume empty data records in tls_sw_read_sock() Chuck Lever
2026-07-02 18:05 ` Sabrina Dubroca
2026-07-02 19:52   ` Chuck Lever
2026-07-02 21:50     ` Sabrina Dubroca

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox