queue-5.1/net-tls-correctly-account-for-copied-bytes-with-multiple-sk_msgs.patch

   1 From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
   2 From: John Fastabend <john.fastabend@gmail.com>
   3 Date: Wed, 12 Jun 2019 17:23:57 +0000
   4 Subject: net: tls, correctly account for copied bytes with multiple sk_msgs
   5
   6 From: John Fastabend <john.fastabend@gmail.com>
   7
   8 [ Upstream commit 648ee6cea7dde4a5cdf817e5d964fd60b22006a4 ]
   9
  10 tls_sw_do_sendpage needs to return the total number of bytes sent
  11 regardless of how many sk_msgs are allocated. Unfortunately, copied
  12 (the value we return up the stack) is zero'd before each new sk_msg
  13 is allocated so we only return the copied size of the last sk_msg used.
  14
  15 The caller (splice, etc.) of sendpage will then believe only part
  16 of its data was sent and send the missing chunks again. However,
  17 because the data actually was sent the receiver will get multiple
  18 copies of the same data.
  19
  20 To reproduce this do multiple sendfile calls with a length close to
  21 the max record size. This will in turn call splice/sendpage, sendpage
  22 may use multiple sk_msg in this case and then returns the incorrect
  23 number of bytes. This will cause splice to resend creating duplicate
  24 data on the receiver. Andre created a C program that can easily
  25 generate this case so we will push a similar selftest for this to
  26 bpf-next shortly.
  27
  28 The fix is to _not_ zero the copied field so that the total sent
  29 bytes is returned.
  30
  31 Reported-by: Steinar H. Gunderson <steinar+kernel@gunderson.no>
  32 Reported-by: Andre Tomt <andre@tomt.net>
  33 Tested-by: Andre Tomt <andre@tomt.net>
  34 Fixes: d829e9c4112b ("tls: convert to generic sk_msg interface")
  35 Signed-off-by: John Fastabend <john.fastabend@gmail.com>
  36 Signed-off-by: David S. Miller <davem@davemloft.net>
  37 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  38 ---
  39  net/tls/tls_sw.c |    1 -
  40  1 file changed, 1 deletion(-)
  41
  42 --- a/net/tls/tls_sw.c
  43 +++ b/net/tls/tls_sw.c
  44 @@ -1128,7 +1128,6 @@ static int tls_sw_do_sendpage(struct soc
  45
  46                 full_record = false;
  47                 record_room = TLS_MAX_PAYLOAD_SIZE - msg_pl->sg.size;
  48 -               copied = 0;
  49                 copy = size;
  50                 if (copy >= record_room) {
  51                         copy = record_room;