git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jakub Kicinski <kuba@kernel.org>
	Mon, 11 May 2026 17:49:18 +0000 (10:49 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 1 Jun 2026 15:46:29 +0000 (17:46 +0200)
commit	929b1548e63ac72e104c07d8ee8cbbeeba2fa89a
tree	d44c19b67eec749bc5e250478f28dad456c6b784	tree \| snapshot
parent	66339b71f105e6f83e0da3b9583d95077534fe1d	commit \| diff

net: tls: prevent chain-after-chain in plain text SG

[ Upstream commit ff26a0e8377dec07e4a7230db7675bed1b9a6d03 ]

Sashiko points out that if end = 0 (start != 0) the current
code will create a chain link to content type right after
the wrap link:

  This would create a chain where the wrap link points directly
  to another chain link. The scatterlist API sg_next iterator
  does not recursively resolve consecutive chain links.

meaning this is illegal input to crypto.

The wrapping link is unnecessary if end = 0. end is the entry after
the last one used so end = 0 means there's nothing pushed after
the wrap:

   end         start            i
    v            v              v
  [   ]...[   ][ d ][ d ][ d ][ d ][rsv for wrap]

Skip the wrapping in this case.

TLS 1.3 can use the "wrapping slot" for it's chaining if end = 0.
This avoids the chain-after-chain.

Move the wrap chaining before marking END and chaining off content
type, that feels like more logical ordering to me, but should not
matter from functional perspective.

Reported-by: Sashiko <sashiko-bot@kernel.org>
Fixes: 9aaaa56845a0 ("bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Link: https://patch.msgid.link/20260511174920.433155-3-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>