Re: [PATCH net v3] net: tls: use sync AEAD for sk_msg BPF sockets
From: Jakub Kicinski
Date: Tue May 26 2026 - 19:14:49 EST
On Tue, 26 May 2026 14:44:24 +0800 Jiayuan Chen wrote:
> If async_capable is set to 1, the zerocopy path in tls_sw_sendmsg() is
> skipped.
> Unfortunately ktls with bpf_msg_pop_data() does not work correctly under
> this copy path.
>
> tls_clone_plaintext_msg() aliases msg_pl onto msg_en's plaintext area
> (in-place encryption).
>
> BPF runs bpf_msg_pop_data(msg, 0, 2). This shifts msg_pl's SG entry
> forward by 2 bytes.
> The two SGs now point to the same page at different offsets. Physical
> memory overlaps but the start addresses differ.
Ugh, do you mean that the memcopy path is broken? There are other
conditions under which we may fall into it than just !async_capable :(
Small send with MSG_MORE is probably the easiest?
So we need to fix that one way or the other.
> I think selecting a sync provider via mask = CRYPTO_ALG_ASYNC is
> sufficient to remove the -EINPROGRESS return path.
>
> May be time to remove skmsg from ktls? (disable by default first,
> re-enable via a new ktls module_param?)
Yes, we asked John F off-list to get his attention and I think there's
only a vague plan to start using kTLS + sockmap, no current user
(sorry if I misread / misremembered).
module params aren't a great API. If we want to deprecate it let's just
remove the integration in net-next. You have my vote.
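
Added example, not part of the original message and not kernel code: a userspace C model of the layout the quoted text describes, where msg_pl is aliased onto msg_en's plaintext area and a 2-byte pop then shifts only msg_pl. The struct, the function names and the sample page/offset/length values are all hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Userspace stand-in for one scatterlist entry (not the kernel struct). */
struct sg_ent {
    int page;       /* constructed page identifier */
    size_t offset;  /* byte offset within the page */
    size_t length;  /* bytes covered by this entry */
};

enum sg_rel { SG_DISJOINT, SG_SAME_START, SG_SHIFTED_OVERLAP };

/* Model of the pop described in the thread: removing n bytes from the
 * front moves the entry forward and shortens it. */
static struct sg_ent pop_front(struct sg_ent e, size_t n)
{
    if (n > e.length)
        n = e.length;
    e.offset += n;
    e.length -= n;
    return e;
}

/* How does a source (plaintext) entry relate to a destination entry? */
static enum sg_rel sg_relation(struct sg_ent src, struct sg_ent dst)
{
    if (src.page != dst.page || src.length == 0 || dst.length == 0)
        return SG_DISJOINT;
    if (src.offset == dst.offset)
        return SG_SAME_START;            /* true in-place layout */
    if (src.offset < dst.offset + dst.length &&
        dst.offset < src.offset + src.length)
        return SG_SHIFTED_OVERLAP;       /* same bytes, different start */
    return SG_DISJOINT;
}

/* Alias pl onto en's plaintext area, pop n bytes from pl, classify. */
static enum sg_rel relation_after_pop(size_t n)
{
    struct sg_ent en = { 1, 64, 100 };   /* constructed sample values */
    struct sg_ent pl = en;               /* the aliasing step */
    return sg_relation(pop_front(pl, n), en);
}

int main(void)
{
    printf("pop 0 -> %d, pop 2 -> %d\n",
           relation_after_pop(0), relation_after_pop(2));
    return 0;
}
```

With no pop the two entries share a start and the layout is in-place; after the 2-byte pop they cover overlapping bytes from different starts, which is the state the quoted text reports.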