diff options
author | Jakub Kicinski <kuba@kernel.org> | 2024-05-31 02:26:07 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-06-21 15:38:16 +0300 |
commit | 50569d12945f86fa4b321c4b1c3005874dbaa0f1 (patch) | |
tree | 363132889c11ea75df75970966c61b91162a23e2 | |
parent | f8dd092e8b47dc43c1b0e136bb1926f9f75ac528 (diff) | |
download | linux-50569d12945f86fa4b321c4b1c3005874dbaa0f1.tar.xz |
net: tls: fix marking packets as decrypted
[ Upstream commit a535d59432370343058755100ee75ab03c0e3f91 ]
For TLS offload we mark packets with skb->decrypted to make sure
they don't escape the host without getting encrypted first.
The crypto state lives in the socket, so it may get detached
by a call to skb_orphan(). As a safety check - the egress path
drops all packets with skb->decrypted and no "crypto-safe" socket.
The skb marking was added to sendpage only (and not sendmsg),
because tls_device injected data into the TCP stack using sendpage.
This special case was missed when sendpage got folded into sendmsg.
Fixes: c5c37af6ecad ("tcp: Convert do_tcp_sendpages() to use MSG_SPLICE_PAGES")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240530232607.82686-1-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r-- | net/ipv4/tcp.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 7bf774bdb938..a9b33135513d 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -1158,6 +1158,9 @@ new_segment: process_backlog++; +#ifdef CONFIG_SKB_DECRYPTED + skb->decrypted = !!(flags & MSG_SENDPAGE_DECRYPTED); +#endif tcp_skb_entail(sk, skb); copy = size_goal; |