path: root/net/tls
diff options
authorJakub Kicinski <>2022-02-02 14:20:31 -0800
committerDavid S. Miller <>2022-02-04 10:14:07 +0000
commitb93235e68921b9acd38ee309953a3a9808105289 (patch)
tree48d9273feaf831aaa0b4f3393c199a049505b1f6 /net/tls
parent6ff6064605e96db40c7e95c4924518028cd827bf (diff)
tls: cap the output scatter list to something reasonable
TLS recvmsg() passes user pages as destination for decrypt. The decrypt operation is repeated record by record, each record being 16kB, max. TLS allocates an sg_table and uses iov_iter_get_pages() to populate it with enough pages to fit the decrypted record. Even though we decrypt a single message at a time we size the sg_table based on the entire length of the iovec. This leads to unnecessarily large allocations, risking triggering OOM conditions. Use iov_iter_truncate() / iov_iter_reexpand() to construct a "capped" version of iov_iter_npages(). Alternatively we could parametrize iov_iter_npages() to take the size as arg instead of using i->count, or do something else.. Signed-off-by: Jakub Kicinski <> Signed-off-by: David S. Miller <>
Diffstat (limited to 'net/tls')
1 files changed, 2 insertions, 1 deletions
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index efc84845bb6b..0024a692f0f8 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1433,7 +1433,8 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
if (*zc && (out_iov || out_sg)) {
if (out_iov)
- n_sgout = iov_iter_npages(out_iov, INT_MAX) + 1;
+ n_sgout = 1 +
+ iov_iter_npages_cap(out_iov, INT_MAX, data_len);
n_sgout = sg_nents(out_sg);
n_sgin = skb_nsg(skb, rxm->offset + prot->prepend_size,