On Fri, May 31, 2024 at 1:29 AM Jakub Kicinski [off-list ref] wrote:

On Thu, 30 May 2024 16:26:07 -0700 Jakub Kicinski wrote:

quoted

For TLS offload we mark packets with skb->decrypted to make sure
they don't escape the host without getting encrypted first.
The crypto state lives in the socket, so it may get detached
by a call to skb_orphan(). As a safety check - the egress path
drops all packets with skb->decrypted and no "crypto-safe" socket.

The skb marking was added to sendpage only (and not sendmsg),
because tls_device injected data into the TCP stack using sendpage.
This special case was missed when sendpage got folded into sendmsg.

Fixes: c5c37af6ecad ("tcp: Convert do_tcp_sendpages() to use MSG_SPLICE_PAGES")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Forgot to mention - compile tested only, ENODEV :(

Reviewed-by: Eric Dumazet <edumazet@google.com>

In net-next, we could probably move skb_cmp_decrypted(), skb_is_decrypted(),
skb_copy_decrypted() to a new include file, and define
skb_set_decrypted() helper there.