As explained in commit 54a3ecaeeeae ("bpf: fix ktls panic with sockmap") once we call BPF there's no way for us to rollback the iter and copy data, since BPF may have modified the message. This is regardless of whether BPF set up cork or not. Remove the attempt to roll back iter completely. This removes a UAF since BPF may have modified msg_pl and rec, so these pointers were stale. Note that I'm entirely unsure what the expected behavior is here for BPF. Feels like this path must not be exercised by normal applications / existing deployments in the first place. Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling") Signed-off-by: Jakub Kicinski --- net/tls/tls_sw.c | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index 360f71fd7884..22b77840e35a 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -1164,11 +1164,8 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg, else if (ret == -ENOMEM) goto wait_for_memory; else if (ctx->open_rec && ret == -ENOSPC) { - if (msg_pl->cork_bytes) { - ret = 0; - goto send_end; - } - goto rollback_iter; + ret = 0; + goto send_end; } else if (ret != -EAGAIN) goto send_end; } @@ -1180,11 +1177,6 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg, } continue; -rollback_iter: - copied -= try_to_copy; - sk_msg_sg_copy_clear(msg_pl, first); - iov_iter_revert(&msg->msg_iter, - msg_pl->sg.size - orig_size); fallback_to_reg_send: sk_msg_trim(sk, msg_pl, orig_size); } -- 2.54.0
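Review bot: in the first hunk the -ENOSPC branch now does `ret = 0; goto send_end;` whether or not `msg_pl->cork_bytes` is set, so data that BPF consumed without corking is reported to the caller as copied instead of being reverted; since the commit message itself says the expected BPF behaviour here is unclear, a one-line comment at this branch noting that bytes already handed to BPF cannot be returned to the iterator would stop a later reader from reintroducing the rollback and its use-after-free of msg_pl/rec.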
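Review bot: the second hunk drops the `rollback_iter:` block, which was the only visible user of `first` (via `sk_msg_sg_copy_clear(msg_pl, first)`) and of `copied -= try_to_copy`; please confirm `first` still has a live use elsewhere in tls_sw_sendmsg_locked, and if it does not, remove its declaration in the same patch so the fix does not introduce an unused-variable warning. `orig_size` is still consumed by the retained `sk_msg_trim(sk, msg_pl, orig_size)` on the fallback_to_reg_send path, so that one is fine.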