[RFC 4/4] nvme/target/tcp: set max record size in the tls context

Hannes Reinecke hare at suse.de
Tue Jul 29 01:16:48 PDT 2025 

On 7/29/25 04:41, Wilfred Mallawa wrote:
> From: Wilfred Mallawa <wilfred.mallawa at wdc.com>
> 
> During a tls handshake, a host may specify the tls record size limit
> using the tls "record_size_limit" extension. Currently, the NVMe target
> driver does not specify this value to the tls layer.
> 
> This patch adds support for setting the tls record size limit into the
> tls context, such that outgoing records may not exceed this limit
> specified by the endpoint.
> 
> Signed-off-by: Wilfred Mallawa <wilfred.mallawa at wdc.com>
> ---
>   drivers/nvme/target/tcp.c | 13 +++++++++++++
>   1 file changed, 13 insertions(+)
> 
> diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
> index 60e308401a54..f2ab473ea5de 100644
> --- a/drivers/nvme/target/tcp.c
> +++ b/drivers/nvme/target/tcp.c
> @@ -1784,6 +1784,7 @@ static void nvmet_tcp_tls_handshake_done(void *data, int status,
>   					size_t tls_record_size_limit)
>   {
>   	struct nvmet_tcp_queue *queue = data;
> +	struct tls_context *tls_ctx = tls_get_ctx(queue->sock->sk);
>   
>   	pr_debug("queue %d: TLS handshake done, key %x, status %d\n",
>   		 queue->idx, peerid, status);
> @@ -1795,6 +1796,17 @@ static void nvmet_tcp_tls_handshake_done(void *data, int status,
>   	if (!status) {
>   		queue->tls_pskid = peerid;
>   		queue->state = NVMET_TCP_Q_CONNECTING;
> +
> +		/* Endpoint has specified a maximum tls record size limit */
> +		if (tls_record_size_limit > TLS_MAX_PAYLOAD_SIZE) {
> +			pr_err("queue %d: invalid tls max record size limit: %zu\n",
> +			       queue->idx, tls_record_size_limit);
> +			queue->state = NVMET_TCP_Q_FAILED;
> +		} else if (tls_record_size_limit > 0) {
> +			tls_ctx->tls_record_size_limit = (u32)tls_record_size_limit;
> +			pr_debug("queue %d: host specified tls max record size %u\n",
> +				 queue->idx, tls_ctx->tls_record_size_limit);
> +		}
>   	} else
>   		queue->state = NVMET_TCP_Q_FAILED;
>   	spin_unlock_bh(&queue->state_lock);
> @@ -1808,6 +1820,7 @@ static void nvmet_tcp_tls_handshake_done(void *data, int status,
>   		nvmet_tcp_schedule_release_queue(queue);
>   	else
>   		nvmet_tcp_set_queue_sock(queue);
> +
>   	kref_put(&queue->kref, nvmet_tcp_release_queue);
>   }
>   
Again, why?

I'd rather have the TLS layer handling that internally.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare at suse.de                                +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich

More information about the Linux-nvme mailing list