Re: [syzbot] [net?] WARNING in tls_err_abort

Next message: Yosry Ahmed: "[PATCH 0/3] KVM: nVMX: A few TLB flushing fixes"
Previous message: Doug Anderson: "Re: [PATCH] db: fix memory leak in kdb_setenv() when environment is full"
In reply to: Jakub Kicinski: "Re: [syzbot] [net?] WARNING in tls_err_abort"
Next in thread: Sabrina Dubroca: "Re: [syzbot] [net?] WARNING in tls_err_abort"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sabrina Dubroca

Date: Tue Jun 16 2026 - 17:46:47 EST

2026-06-16, 14:23:59 -0700, Jakub Kicinski wrote:
> On Tue, 16 Jun 2026 23:00:54 +0200 Sabrina Dubroca wrote:
> > 2026-06-16, 08:28:16 -0700, Jakub Kicinski wrote:
> > > On Tue, 16 Jun 2026 17:19:22 +0200 Sabrina Dubroca wrote:
> > > > I suspect err==0, and sock_error() consumed sk_err in between (the
> > > > alternative would be err > 0).
> > > >
> > > > Something like this?
> > >
> > > Makes sense, but what's eating sk_err?
> >
> > The 2 remaining sock_error() in tls_rx_rec_wait()? [1]
>
> How did that elude my grep..

:)

> > > Don't we depend on it being set
> > > to avoid further state transitions once we hit a crypto error?
> >
> > I kind of thought so too.
>
> In which case the question is whether we should try to remove
> the sock_error() instead? (stating the obvious I guess)

That would make sense, but we can't prevent sock_error() being called
from some helper.

The only relevant one for ktls at the moment seems to be
sk_stream_error(), and I think via sk_stream_wait_memory() we can hit
that EPIPE.

tls_sw_sendmsg_locked has
...
end:
ret = sk_stream_error(sk, msg->msg_flags, ret);
return copied > 0 ? copied : ret;

int sk_stream_error(struct sock *sk, int flags, int err)
{
if (err == -EPIPE)
err = sock_error(sk) ? : -EPIPE;
...

--
Sabrina