From owner-dev-commits-src-branches@freebsd.org Mon Aug 30 23:13:16 2021
Return-Path:
Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id B37BE660320; Mon, 30 Aug 2021 23:13:16 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Gz5hr4Ndxz3DYw; Mon, 30 Aug 2021 23:13:16 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 7E7F0266E2; Mon, 30 Aug 2021 23:13:16 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 17UNDGn7076578; Mon, 30 Aug 2021 23:13:16 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 17UNDG7V076577; Mon, 30 Aug 2021 23:13:16 GMT (envelope-from git)
Date: Mon, 30 Aug 2021 23:13:16 GMT
Message-Id: <202108302313.17UNDG7V076577@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: John Baldwin
Subject: git: dd9f588238e3 - stable/13 - ktls: Don't mark existing received mbufs notready for TOE TLS.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: dd9f588238e35e6887eeaa10f10e2be9666ed60d
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-branches@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 30 Aug 2021 23:13:16 -0000

The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=dd9f588238e35e6887eeaa10f10e2be9666ed60d

commit dd9f588238e35e6887eeaa10f10e2be9666ed60d
Author:     John Baldwin
AuthorDate: 2021-06-15 17:36:57 +0000
Commit:     John Baldwin
CommitDate: 2021-08-30 22:09:50 +0000

    ktls: Don't mark existing received mbufs notready for TOE TLS.

    The TOE driver might receive decrypted TLS records that are enqueued
    to the socket buffer after ktls_try_toe() returns and before
    ktls_enable_rx() locks the receive buffer to call sb_mark_notready().
    In that case, sb_mark_notready() would incorrectly treat the decrypted
    TLS record as an encrypted record and schedule it for decryption.
    This always resulted in the connection being dropped as the data in
    the control message did not look like a valid TLS header.

    To fix, don't try to handle software decryption of existing buffers
    in the socket buffer for TOE TLS in ktls_enable_rx(). If a TOE TLS
    driver needs to decrypt existing data in the socket buffer, the
    driver will need to manage that in its tod_alloc_tls_session method.

    Sponsored by:	Chelsio Communications

    (cherry picked from commit faf0224ff27b93b743d50b3830bf5ce345b67e94)
---
 sys/kern/uipc_ktls.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index 0f5cc7c1b28f..21e2386ac2bf 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -1043,8 +1043,10 @@ ktls_enable_rx(struct socket *so, struct tls_enable *en) so->so_rcv.sb_flags |= SB_TLS_RX; /* Mark existing data as not ready until it can be decrypted. */ - sb_mark_notready(&so->so_rcv); - ktls_check_rx(&so->so_rcv); + if (tls->mode != TCP_TLS_MODE_TOE) { + sb_mark_notready(&so->so_rcv); + ktls_check_rx(&so->so_rcv); + } SOCKBUF_UNLOCK(&so->so_rcv); counter_u64_add(ktls_offload_total, 1);
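Review bot: the comment kept above the new conditional, "/* Mark existing data as not ready until it can be decrypted. */", now describes only the non-TOE branch, and nothing at the call site explains why TCP_TLS_MODE_TOE skips sb_mark_notready() and ktls_check_rx(); a reader seeing the flag set unconditionally two lines earlier and the marking skipped for TOE could reasonably re-add the calls. Suggest extending the comment with the rationale from the commit message, along the lines of "TOE: the driver may already have queued decrypted records; any existing data is the driver's responsibility (tod_alloc_tls_session), so only software/NIC modes mark and check here.", so the invariant is documented next to the code that depends on it.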
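To make the failure mode in the commit message concrete, here is an added user-space model of the ordering problem; it is illustration code written for this page, not FreeBSD's uipc_ktls.c. The record, socket-buffer and mode types, and the names sb_mark_notready_model(), ktls_check_rx_model(), ktls_enable_rx_model() and run_scenario(), are assumptions chosen for the model. The TLS record header check is the standard 5-byte header sanity test (content type, version, length); the sample plaintext and ciphertext records are constructed inline.

```c
/*
 * Added example (not FreeBSD code): a user-space model of the race the
 * commit fixes. A TOE driver enqueues an already-decrypted record into
 * the receive buffer before ktls_enable_rx() marks existing data
 * "not ready"; the software RX path then tries to parse that plaintext
 * as an encrypted TLS record, fails the header check, and drops the
 * connection. Names and structures are assumptions for the model.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum tls_mode { MODE_SW = 0, MODE_TOE = 1 };

/* One record sitting in the receive socket buffer (assumed layout). */
typedef struct rec {
    uint8_t data[64];
    size_t  len;
    bool    notready;   /* queued for software decryption */
} rec_t;

typedef struct sockbuf {
    rec_t recs[4];
    int   n;
    bool  dropped;      /* connection was torn down */
} sockbuf_t;

/* Minimal TLS 1.2 record header sanity check: content type 20..23,
 * version 0x0303, length <= 2^14 + 2048 and matching the buffer. */
static bool tls_hdr_ok(const uint8_t *p, size_t len)
{
    if (len < 5)
        return false;
    uint8_t  type = p[0];
    uint16_t ver  = (uint16_t)((p[1] << 8) | p[2]);
    uint16_t rlen = (uint16_t)((p[3] << 8) | p[4]);
    if (type < 20 || type > 23)
        return false;
    if (ver != 0x0303)
        return false;
    if (rlen > 16384 + 2048)
        return false;
    return len == 5 + (size_t)rlen;
}

/* Model of sb_mark_notready(): every queued record becomes "not ready". */
static void sb_mark_notready_model(sockbuf_t *sb)
{
    for (int i = 0; i < sb->n; i++)
        sb->recs[i].notready = true;
}

/* Model of ktls_check_rx(): each not-ready record must carry a valid
 * TLS header, otherwise the connection is dropped. */
static void ktls_check_rx_model(sockbuf_t *sb)
{
    for (int i = 0; i < sb->n; i++) {
        if (!sb->recs[i].notready)
            continue;
        if (!tls_hdr_ok(sb->recs[i].data, sb->recs[i].len)) {
            sb->dropped = true;
            return;
        }
        sb->recs[i].notready = false;   /* "decrypted" */
    }
}

/* Model of ktls_enable_rx(): before the fix the marking is
 * unconditional; after the fix TOE mode skips it. */
static void ktls_enable_rx_model(sockbuf_t *sb, enum tls_mode mode, bool fixed)
{
    if (!fixed || mode != MODE_TOE) {
        sb_mark_notready_model(sb);
        ktls_check_rx_model(sb);
    }
}

/* Constructed input: what a TOE driver enqueues (already plaintext). */
static void push_plaintext(sockbuf_t *sb)
{
    rec_t *r = &sb->recs[sb->n++];
    const char *msg = "GET / HTTP/1.1\r\n";
    r->len = strlen(msg);
    memcpy(r->data, msg, r->len);
    r->notready = false;
}

/* Constructed input: an encrypted application-data record (16 opaque bytes). */
static void push_ciphertext(sockbuf_t *sb)
{
    rec_t *r = &sb->recs[sb->n++];
    const uint8_t hdr[5] = { 23, 0x03, 0x03, 0x00, 0x10 };
    memcpy(r->data, hdr, 5);
    memset(r->data + 5, 0xAB, 16);
    r->len = 21;
    r->notready = false;
}

/* Returns true if the connection survives ktls_enable_rx_model(). */
bool run_scenario(enum tls_mode mode, bool fixed)
{
    sockbuf_t sb;
    memset(&sb, 0, sizeof(sb));
    if (mode == MODE_TOE)
        push_plaintext(&sb);    /* landed between ktls_try_toe() and the lock */
    else
        push_ciphertext(&sb);
    ktls_enable_rx_model(&sb, mode, fixed);
    return !sb.dropped;
}

int main(void)
{
    printf("TOE, before fix: %s\n", run_scenario(MODE_TOE, false) ? "ok" : "dropped");
    printf("TOE, after fix:  %s\n", run_scenario(MODE_TOE, true)  ? "ok" : "dropped");
    printf("SW,  after fix:  %s\n", run_scenario(MODE_SW,  true)  ? "ok" : "dropped");
    return 0;
}
```

The model shows why the drop was deterministic rather than occasional: plaintext such as an HTTP request starts with a byte outside the 20..23 content-type range, so the header check can never pass once the record has been marked not-ready. Guarding the marking on the mode removes the check for TOE entirely, which is why the commit message pushes any decryption of pre-existing data down to the driver.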