When BPF sk_msg apply_bytes splits an open kTLS TX record and the selected AEAD provider completes asynchronously, tls_push_record() currently returns -EINPROGRESS before reattaching the split remainder. The peer can receive a truncated stream and the detached tls_rec remainder is leaked.

Patch 1 keeps the split remainder rooted before returning -EINPROGRESS, continues the BPF verdict drain loop after queueing an async record, and waits for already-queued async encryption if a later verdict iteration must return a hard error. That last part addresses the return-value masking issue reported by Sashiko on v1.

Patch 2 adds a selftest covering the sync and async providers for the split-record path. v2 also checks the BPF program fd before attaching the selftest program.

This report and patch were prepared with AI assistance. The generated analysis was checked against the current source, the reproducer was run against vulnerable and fixed kernels, and the fix was runtime-validated on QEMU/KVM with a KASAN+LOCKDEP-instrumented kernel against net base 5db89c995. The pass-then-drop BPF probe that exercises Finding 1's failure mode ran clean (no KASAN report, no lockdep splat).

v1: https://lore.kernel.org/all/[email protected]/

Sashiko review: https://sashiko.dev/#/patchset/[email protected]

John Fastabend reply on v1 (confirmed Sashiko's return-value masking finding is a legitimate concern; this v2 is the response):
https://lore.kernel.org/all/huduxtn6parzgiaf5cyiyrrvjjvx6jsdedowvrd4nkwmuyeind@j6migjgofh2i/

Changes since v1:
- Preserve the later hard error from bpf_exec_tx_verdict() after waiting for any earlier async encryption queued in the same verdict drain loop.
- Flush completed async records after that local wait.
- Check bpf_program__fd() before bpf_prog_attach() in the selftest.
- Leave the __SK_REDIRECT socket-lock-drop finding out of this series; it appears pre-existing and should be handled separately if maintainers want to pursue it.

Christopher Lusk (2):
  net: tls: preserve split open record on async encrypt
  selftests: net: add kTLS async split record regression

 net/tls/tls_sw.c                              |  40 +-
 tools/testing/selftests/net/Makefile          |   5 +
 .../selftests/net/ktls_async_split.bpf.c      |  24 ++
 .../testing/selftests/net/ktls_async_split.c  | 393 ++++++++++++++++++
 4 files changed, 454 insertions(+), 8 deletions(-)
 create mode 100644 tools/testing/selftests/net/ktls_async_split.bpf.c
 create mode 100644 tools/testing/selftests/net/ktls_async_split.c

--
2.54.0

