This fixes a kTLS TX bug in the BPF sk_msg apply_bytes path when the
selected AEAD provider completes asynchronously.

tls_push_record() can split ctx->open_rec into the record being encrypted
and a remainder record. If tls_do_encryption() returns -EINPROGRESS, the
current code returns before reattaching the remainder. The peer observes a
truncated stream, and the orphaned tls_rec is leaked.

Patch 1 keeps the split remainder rooted on the async path and lets the BPF
verdict loop continue draining queued records while preserving the async
return signal. Patch 2 adds a regression selftest which compares the sync
and async providers for the same BPF apply_bytes split-record stream.

The selftest fails on the vulnerable tree with the async provider receiving
12916 bytes instead of 17312. It passes with this series:

  TAP version 13
  1..2
  ok 1 sync provider transmits split record
  ok 2 async provider transmits split record

This work is LLM-assisted. The static-analysis variant hunt and
async-boundary state-retention class sweep that surfaced this
candidate site at net/tls/tls_sw.c were performed using Codex
(gpt-5.5); the writeup, patch refinement, and this cover letter
were performed using Claude (claude-opus-4-7). Hardware validation
(QEMU/KVM kernel run, deterministic 17312 vs 12916 sync/async
byte-count delta, lifetime-probe linear-leak scaling) and operator
review at every external gate were human-driven. Methodology
context at https://northecho.dev/posts/codex-vs-claude-code-vuln-research/.

Sent to the public list per the security-bugs.rst exception for
findings trivial to discover via automated tooling, as interpreted
by the kernel security team for LLM-assisted reports (Willy Tarreau,
2026-05-14, IVPU thread).

Christopher Lusk (2):
  net: tls: preserve split open record on async encrypt
  selftests: net: add kTLS async split record regression

 net/tls/tls_sw.c                              |  29 +-
 tools/testing/selftests/net/Makefile          |   5 +
 .../selftests/net/ktls_async_split.bpf.c      |  24 ++
 .../testing/selftests/net/ktls_async_split.c  | 391 ++++++++++++++++++
 4 files changed, 441 insertions(+), 8 deletions(-)
 create mode 100644 tools/testing/selftests/net/ktls_async_split.bpf.c
 create mode 100644 tools/testing/selftests/net/ktls_async_split.c
--
2.54.0
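
The failure described in the cover letter, as an added user-space model that is not part of this series or of net/tls/tls_sw.c: a record is split at apply_bytes, the encrypt step reports -EINPROGRESS, and the remainder is either dropped by an early return or kept rooted so the loop keeps draining. Every name (model_push_record, model_transmit, the fixed flag) and every size is constructed for illustration, and apply_bytes is assumed to be non-zero.

```c
#include <errno.h>
#include <stdlib.h>
/* User-space model only; names and sizes are constructed, not kernel code. */
struct rec { size_t len; };
struct ctx { struct rec *open_rec; size_t sent; int live; };
struct result { size_t sent; int leaked; };

static struct rec *rec_new(struct ctx *c, size_t len)
{
	struct rec *r = malloc(sizeof(*r));
	if (!r) abort();
	r->len = len;
	c->live++;		/* count records that are still allocated */
	return r;
}

/* Stand-in AEAD provider: consumes the record; async reports -EINPROGRESS. */
static int model_encrypt(struct ctx *c, struct rec *r, int async)
{
	c->sent += r->len;
	c->live--;
	free(r);
	return async ? -EINPROGRESS : 0;
}

/* Split open_rec at apply_bytes (> 0), encrypt the head, keep the remainder. */
static int model_push_record(struct ctx *c, size_t apply_bytes, int async, int fixed)
{
	struct rec *cur = c->open_rec, *rest = NULL;
	int rc;
	if (cur->len > apply_bytes) {
		rest = rec_new(c, cur->len - apply_bytes);
		cur->len = apply_bytes;
	}
	c->open_rec = NULL;
	rc = model_encrypt(c, cur, async);
	if (rc == -EINPROGRESS && !fixed)
		return rc;	/* early return: remainder is orphaned and leaked */
	c->open_rec = rest;	/* remainder stays rooted for the next pass */
	return rc;		/* async signal is still returned to the caller */
}

struct result model_transmit(size_t total, size_t apply_bytes, int async, int fixed)
{
	struct ctx c = { 0 };
	c.open_rec = rec_new(&c, total);
	while (c.open_rec)	/* stand-in for the verdict loop draining records */
		model_push_record(&c, apply_bytes, async, fixed);
	return (struct result){ c.sent, c.live };
}
```

The sent and leaked fields of the result correspond to the two symptoms named above: the short byte count seen by the peer and the orphaned record.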