From f02d9edfb5d695734b8866c81d2da0c7700c8779 Mon Sep 17 00:00:00 2001
From: John Baldwin <jhb@FreeBSD.org>
Date: Thu, 31 Oct 2024 16:32:32 -0400
Subject: [PATCH] ktls: Mark mbufs containing outbound encrypted TLS records
 read-only

Reviewed by:	gallatin, kp
Differential Revision:	https://reviews.freebsd.org/D46784
---
 sys/kern/uipc_ktls.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c
index 1e4a933d4e4f..bf2ff37e3c3a 100644
--- a/sys/kern/uipc_ktls.c
+++ b/sys/kern/uipc_ktls.c
@@ -3072,6 +3072,7 @@ ktls_encrypt(struct ktls_wq *wq, struct mbuf *top)
 
 		if ((m->m_epg_flags & EPG_FLAG_ANON) == 0)
 			ktls_finish_nonanon(m, &state);
+		m->m_flags |= M_RDONLY;
 
 		npages += m->m_epg_nrdy;
 
@@ -3110,6 +3111,7 @@ ktls_encrypt_cb(struct ktls_ocf_encrypt_state *state, int error)
 
 	if ((m->m_epg_flags & EPG_FLAG_ANON) == 0)
 		ktls_finish_nonanon(m, state);
+	m->m_flags |= M_RDONLY;
 
 	so = state->so;
 	free(state, M_KTLS);