+++ /dev/null
-From foo@baz Fri 31 May 2019 03:21:27 PM PDT
-From: Jakub Kicinski <jakub.kicinski@netronome.com>
-Date: Tue, 21 May 2019 19:02:00 -0700
-Subject: net/tls: avoid NULL-deref on resync during device removal
-
-From: Jakub Kicinski <jakub.kicinski@netronome.com>
-
-[ Upstream commit 38030d7cb77963ba84cdbe034806e2b81245339f ]
-
-When netdev with active kTLS sockets in unregistered
-notifier callback walks the offloaded sockets and
-cleans up offload state. RX data may still be processed,
-however, and if resync was requested prior to device
-removal we would hit a NULL pointer dereference on
-ctx->netdev use.
-
-Make sure resync is under the device offload lock
-and NULL-check the netdev pointer.
-
-This should be safe, because the pointer is set to
-NULL either in the netdev notifier (under said lock)
-or when socket is completely dead and no resync can
-happen.
-
-The other access to ctx->netdev in tls_validate_xmit_skb()
-does not dereference the pointer, it just checks it against
-other device pointer, so it should be pretty safe (perhaps
-we can add a READ_ONCE/WRITE_ONCE there, if paranoid).
-
-Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
-Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
-Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/tls/tls_device.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/net/tls/tls_device.c
-+++ b/net/tls/tls_device.c
-@@ -548,8 +548,8 @@ static int tls_device_push_pending_recor
- void handle_device_resync(struct sock *sk, u32 seq, u64 rcd_sn)
- {
- struct tls_context *tls_ctx = tls_get_ctx(sk);
-- struct net_device *netdev = tls_ctx->netdev;
- struct tls_offload_context_rx *rx_ctx;
-+ struct net_device *netdev;
- u32 is_req_pending;
- s64 resync_req;
- u32 req_seq;
-@@ -563,10 +563,15 @@ void handle_device_resync(struct sock *s
- is_req_pending = resync_req;
-
- if (unlikely(is_req_pending) && req_seq == seq &&
-- atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0))
-- netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk,
-- seq + TLS_HEADER_SIZE - 1,
-- rcd_sn);
-+ atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0)) {
-+ seq += TLS_HEADER_SIZE - 1;
-+ down_read(&device_offload_lock);
-+ netdev = tls_ctx->netdev;
-+ if (netdev)
-+ netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk, seq,
-+ rcd_sn);
-+ up_read(&device_offload_lock);
-+ }
- }
-
- static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
-@@ -979,7 +979,8 @@ static int tls_dev_event(struct notifier
+@@ -974,7 +974,8 @@ static int tls_dev_event(struct notifier
{
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
-@@ -921,12 +921,6 @@ void tls_device_offload_cleanup_rx(struc
+@@ -916,12 +916,6 @@ void tls_device_offload_cleanup_rx(struc
if (!netdev)
goto out;
net-mlx5e-disable-rxhash-when-cqe-compress-is-enabled.patch
net-stmmac-dma-channel-control-register-need-to-be-init-first.patch
bnxt_en-fix-aggregation-buffer-leak-under-oom-condition.patch
-net-tls-avoid-null-deref-on-resync-during-device-removal.patch
net-tls-fix-state-removal-with-feature-flags-off.patch
net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
+++ /dev/null
-From foo@baz Fri 31 May 2019 03:16:57 PM PDT
-From: Jakub Kicinski <jakub.kicinski@netronome.com>
-Date: Tue, 21 May 2019 19:02:00 -0700
-Subject: net/tls: avoid NULL-deref on resync during device removal
-
-From: Jakub Kicinski <jakub.kicinski@netronome.com>
-
-[ Upstream commit 38030d7cb77963ba84cdbe034806e2b81245339f ]
-
-When netdev with active kTLS sockets in unregistered
-notifier callback walks the offloaded sockets and
-cleans up offload state. RX data may still be processed,
-however, and if resync was requested prior to device
-removal we would hit a NULL pointer dereference on
-ctx->netdev use.
-
-Make sure resync is under the device offload lock
-and NULL-check the netdev pointer.
-
-This should be safe, because the pointer is set to
-NULL either in the netdev notifier (under said lock)
-or when socket is completely dead and no resync can
-happen.
-
-The other access to ctx->netdev in tls_validate_xmit_skb()
-does not dereference the pointer, it just checks it against
-other device pointer, so it should be pretty safe (perhaps
-we can add a READ_ONCE/WRITE_ONCE there, if paranoid).
-
-Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
-Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
-Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/tls/tls_device.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/net/tls/tls_device.c
-+++ b/net/tls/tls_device.c
-@@ -555,8 +555,8 @@ static int tls_device_push_pending_recor
- void handle_device_resync(struct sock *sk, u32 seq, u64 rcd_sn)
- {
- struct tls_context *tls_ctx = tls_get_ctx(sk);
-- struct net_device *netdev = tls_ctx->netdev;
- struct tls_offload_context_rx *rx_ctx;
-+ struct net_device *netdev;
- u32 is_req_pending;
- s64 resync_req;
- u32 req_seq;
-@@ -570,10 +570,15 @@ void handle_device_resync(struct sock *s
- is_req_pending = resync_req;
-
- if (unlikely(is_req_pending) && req_seq == seq &&
-- atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0))
-- netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk,
-- seq + TLS_HEADER_SIZE - 1,
-- rcd_sn);
-+ atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0)) {
-+ seq += TLS_HEADER_SIZE - 1;
-+ down_read(&device_offload_lock);
-+ netdev = tls_ctx->netdev;
-+ if (netdev)
-+ netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk, seq,
-+ rcd_sn);
-+ up_read(&device_offload_lock);
-+ }
- }
-
- static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
-@@ -986,7 +986,8 @@ static int tls_dev_event(struct notifier
+@@ -981,7 +981,8 @@ static int tls_dev_event(struct notifier
{
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
-@@ -928,12 +928,6 @@ void tls_device_offload_cleanup_rx(struc
+@@ -923,12 +923,6 @@ void tls_device_offload_cleanup_rx(struc
if (!netdev)
goto out;
bnxt_en-fix-aggregation-buffer-leak-under-oom-condition.patch
bnxt_en-fix-possible-bug-condition-when-calling-pci_disable_msix.patch
bnxt_en-reduce-memory-usage-when-running-in-kdump-kernel.patch
-net-tls-avoid-null-deref-on-resync-during-device-removal.patch
net-tls-fix-state-removal-with-feature-flags-off.patch
net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
cxgb4-revert-cxgb4-remove-sge_host_page_size-dependency-on-page-size.patch
+++ /dev/null
-From foo@baz Fri 31 May 2019 03:16:39 PM PDT
-From: Jakub Kicinski <jakub.kicinski@netronome.com>
-Date: Tue, 21 May 2019 19:02:00 -0700
-Subject: net/tls: avoid NULL-deref on resync during device removal
-
-From: Jakub Kicinski <jakub.kicinski@netronome.com>
-
-[ Upstream commit 38030d7cb77963ba84cdbe034806e2b81245339f ]
-
-When netdev with active kTLS sockets in unregistered
-notifier callback walks the offloaded sockets and
-cleans up offload state. RX data may still be processed,
-however, and if resync was requested prior to device
-removal we would hit a NULL pointer dereference on
-ctx->netdev use.
-
-Make sure resync is under the device offload lock
-and NULL-check the netdev pointer.
-
-This should be safe, because the pointer is set to
-NULL either in the netdev notifier (under said lock)
-or when socket is completely dead and no resync can
-happen.
-
-The other access to ctx->netdev in tls_validate_xmit_skb()
-does not dereference the pointer, it just checks it against
-other device pointer, so it should be pretty safe (perhaps
-we can add a READ_ONCE/WRITE_ONCE there, if paranoid).
-
-Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
-Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
-Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/tls/tls_device.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/net/tls/tls_device.c
-+++ b/net/tls/tls_device.c
-@@ -573,8 +573,8 @@ void tls_device_write_space(struct sock
- void handle_device_resync(struct sock *sk, u32 seq, u64 rcd_sn)
- {
- struct tls_context *tls_ctx = tls_get_ctx(sk);
-- struct net_device *netdev = tls_ctx->netdev;
- struct tls_offload_context_rx *rx_ctx;
-+ struct net_device *netdev;
- u32 is_req_pending;
- s64 resync_req;
- u32 req_seq;
-@@ -588,10 +588,15 @@ void handle_device_resync(struct sock *s
- is_req_pending = resync_req;
-
- if (unlikely(is_req_pending) && req_seq == seq &&
-- atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0))
-- netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk,
-- seq + TLS_HEADER_SIZE - 1,
-- rcd_sn);
-+ atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0)) {
-+ seq += TLS_HEADER_SIZE - 1;
-+ down_read(&device_offload_lock);
-+ netdev = tls_ctx->netdev;
-+ if (netdev)
-+ netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk, seq,
-+ rcd_sn);
-+ up_read(&device_offload_lock);
-+ }
- }
-
- static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
-@@ -1006,7 +1006,8 @@ static int tls_dev_event(struct notifier
+@@ -1001,7 +1001,8 @@ static int tls_dev_event(struct notifier
{
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
-@@ -948,12 +948,6 @@ void tls_device_offload_cleanup_rx(struc
+@@ -943,12 +943,6 @@ void tls_device_offload_cleanup_rx(struc
if (!netdev)
goto out;
selftests-tls-test-for-lowat-overshoot-with-multiple-records.patch
net-tls-fix-no-wakeup-on-partial-reads.patch
selftests-tls-add-test-for-sleeping-even-though-there-is-data.patch
-net-tls-avoid-null-deref-on-resync-during-device-removal.patch
net-tls-fix-state-removal-with-feature-flags-off.patch
net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
cxgb4-revert-cxgb4-remove-sge_host_page_size-dependency-on-page-size.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
