Date:
Tue, 09 Jan 2024 23:53:28 -0800 From: John Fastabend To: John Fastabend , Edward Adam Davis , syzbot+f2977222e0e95cec15c8@syzkaller.appspotmail.com Cc: andrii@kernel.org, ast@kernel.org, borisp@nvidia.com, bpf@vger.kernel.org, daniel@iogearbox.net, davem@davemloft.net, dhowells@redhat.com, edumazet@google.com, jakub@cloudflare.com, john.fastabend@gmail.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pabeni@redhat.com, syzkaller-bugs@googlegroups.com Message-ID: <659e4cf817b78_60d7a208c3@john.notmuch> In-Reply-To: <659dd53f1652b_2796120896@john.notmuch> References: <000000000000aa2f41060e363b2b@google.com> <659dd53f1652b_2796120896@john.notmuch> Subject: RE: [PATCH] tls: fix WARNING in __sk_msg_free Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit John Fastabend wrote: > Edward Adam Davis wrote: > > Syzbot constructed 32 scatterlists, and the data members in struct sk_msg_sg > > can only store a maximum of MAX_MSG_FRAGS scatterlists. > > However, the value of MAX_MSG_FRAGS=CONFIG_MAX_SKB_FRAG is less than 32, which > > leads to the warning reported here. > > > > Prevent similar issues from occurring by checking whether sg.end is greater > > than MAX_MSG_FRAGS. > > > > Reported-and-tested-by: syzbot+f2977222e0e95cec15c8@syzkaller.appspotmail.com > > Signed-off-by: Edward Adam Davis > > --- > > net/tls/tls_sw.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c > > index e37b4d2e2acd..68dbe821f61d 100644 > > --- a/net/tls/tls_sw.c > > +++ b/net/tls/tls_sw.c 
> > @@ -1016,6 +1016,8 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg, > > > > msg_pl = &rec->msg_plaintext; > > msg_en = &rec->msg_encrypted; > > + if (msg_pl->sg.end >= MAX_MSG_FRAGS) > > + return -EINVAL; > > > > orig_size = msg_pl->sg.size; > > full_record = false; > > -- > > 2.43.0 > > > > I'll test this in a bit, but I suspect this error is because even > if the msg_pl is full (the sg.end == MAX_MSG_FRAGS) the code is > missing a full_record=true set to force the loop to do the send > and abort. My opinion is we should never iterate the loop if the > msg_pl was full. > > I think something like this is actually needed. > > diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c > index e37b4d2e2acd..9cfa6f8d51e3 100644 > --- a/net/tls/tls_sw.c > +++ b/net/tls/tls_sw.c > @@ -1052,8 +1052,10 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg, > if (ret < 0) > goto send_end; > tls_ctx->pending_open_record_frags = true; > - if (full_record || eor || sk_msg_full(msg_pl)) > + if (full_record || eor || sk_msg_full(msg_pl)) { > + full_record = true; > goto copied; > + } > continue; > } Actually, it needs a bit more than above. That will fix the warning, but it returns an error when it should flush the full_record in some cases. I'll send a fix shortly.
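Review bot: the check added at the top of tls_sw_sendmsg_locked() (the hunk at @@ -1016) turns a full open record into a user-visible -EINVAL, but msg_pl->sg.end reaching MAX_MSG_FRAGS is state the socket accumulated on earlier calls, not something wrong with this call's arguments; the right reaction to a full record is to push it out and then enter the copy loop, which is the full_record path the reply describes. The fullness test also disagrees with the one the loop itself uses a few lines down, sk_msg_full(msg_pl), and uses >= where the commit message speaks of sg.end reaching MAX_MSG_FRAGS; reusing sk_msg_full() keeps the two tests consistent. If an early return is kept at all, the commit message should say that sendmsg() now fails with -EINVAL where it previously warned, since that is a behaviour change for user space rather than only a fix for the WARNING.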
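Review bot: in the hunk at @@ -1052, setting full_record = true inside the combined `if (full_record || eor || sk_msg_full(msg_pl))` also sets it in the eor-only case, so whatever follows the copied: label can no longer tell an end-of-record send from a record that filled up; if the intent is only to mark a full msg_pl, derive the flag from that condition alone, e.g. `if (sk_msg_full(msg_pl)) full_record = true;` ahead of the combined test. The author's own follow-up says the hunk still returns an error where it should flush, so this should not be applied as posted; the eventual fix should also carry the syzbot Reported-by tag from the first patch so the report is closed against it.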
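The difference the two replies are arguing about, as an added user-space model that is not kernel code and not from either patch: a record holds at most MODEL_MAX_FRAGS fragments (an assumed stand-in for MAX_MSG_FRAGS, value picked for illustration), a previous call has left the open record full without sending it (the situation the reply describes, constructed here), and 32 fragments arrive, as in the syzbot report. Variant A applies the first patch's entry check and hands the caller -EINVAL; variant B treats the full record as a full_record condition, flushes it and keeps copying. The struct and function names, FRAG_BYTES and the scenario helpers are all assumptions of this example.

```c
/* Added example: a user-space model of the accounting argued about above.
 * It is not kernel code and not from either patch; MODEL_MAX_FRAGS (a
 * stand-in for MAX_MSG_FRAGS), FRAG_BYTES, the record/stats structs and the
 * "earlier call left the record full" starting state are all assumptions. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define MODEL_MAX_FRAGS 17u   /* assumed; stands in for MAX_MSG_FRAGS */
#define REPORT_NFRAGS   32u   /* the report's 32 scatterlists */
#define FRAG_BYTES      100u  /* constructed fragment size */

struct record {
	size_t frag_len[MODEL_MAX_FRAGS];
	unsigned int end;     /* fragments in use, like msg_pl->sg.end */
	size_t size;          /* bytes queued, like msg_pl->sg.size */
};

struct stats {
	unsigned int records_sent;
	size_t bytes_sent;
};

struct outcome {
	int ret;                  /* sendmsg result: bytes copied or -errno */
	unsigned int records_sent;
	size_t bytes_sent;
	unsigned int open_frags;  /* fragments still open after the call */
};

typedef int (*send_fn)(struct record *, struct stats *,
		       const size_t *, unsigned int);

static int record_full(const struct record *r)
{
	return r->end == MODEL_MAX_FRAGS;
}

/* Push the open record out and start a new one. */
static void flush_record(struct record *r, struct stats *st)
{
	st->records_sent++;
	st->bytes_sent += r->size;
	memset(r, 0, sizeof(*r));
}

/* Copy loop shared by both variants; callers guarantee the record is not
 * full on entry. Flushes whenever it fills, like the sk_msg_full() test. */
static int copy_loop(struct record *r, struct stats *st,
		     const size_t *frags, unsigned int nfrags)
{
	size_t copied = 0;

	for (unsigned int i = 0; i < nfrags; i++) {
		r->frag_len[r->end++] = frags[i];
		r->size += frags[i];
		copied += frags[i];
		if (record_full(r))
			flush_record(r, st);
	}
	return (int)copied;
}

/* Variant A, the first patch's check: a record already full on entry is
 * reported to the caller as -EINVAL although the caller did not build it. */
static int sendmsg_error_variant(struct record *r, struct stats *st,
				 const size_t *frags, unsigned int nfrags)
{
	if (r->end >= MODEL_MAX_FRAGS)
		return -EINVAL;
	return copy_loop(r, st, frags, nfrags);
}

/* Variant B, the reply's direction: a full record on entry is a
 * full_record condition, so send it and carry on copying. */
static int sendmsg_flush_variant(struct record *r, struct stats *st,
				 const size_t *frags, unsigned int nfrags)
{
	if (record_full(r))
		flush_record(r, st);
	return copy_loop(r, st, frags, nfrags);
}

/* Constructed starting state: a previous call filled the record but never
 * sent it, so this call enters with end == MODEL_MAX_FRAGS. */
static void leave_record_full(struct record *r)
{
	memset(r, 0, sizeof(*r));
	while (!record_full(r)) {
		r->frag_len[r->end++] = FRAG_BYTES;
		r->size += FRAG_BYTES;
	}
}

static struct outcome run_scenario(send_fn send)
{
	struct record r;
	struct stats st = { 0, 0 };
	size_t frags[REPORT_NFRAGS];
	struct outcome out;

	for (unsigned int i = 0; i < REPORT_NFRAGS; i++)
		frags[i] = FRAG_BYTES;
	leave_record_full(&r);

	out.ret = send(&r, &st, frags, REPORT_NFRAGS);
	out.records_sent = st.records_sent;
	out.bytes_sent = st.bytes_sent;
	out.open_frags = r.end;
	return out;
}

struct outcome scenario_error_variant(void) { return run_scenario(sendmsg_error_variant); }
struct outcome scenario_flush_variant(void) { return run_scenario(sendmsg_flush_variant); }
```

With the constructed numbers, variant A returns -EINVAL, sends nothing and leaves the 17 queued fragments sitting in the record, so the caller gets an error for data it never had a chance to see go out; variant B sends the stale record (1700 bytes), fills and sends one more (17 fragments), and leaves the remaining 15 fragments open, returning the 3200 bytes it copied.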