]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
drop net-tls-avoid-null-deref-on-resync-during-device-removal.patch from 5.1, 5.0...
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 1 Jun 2019 00:17:36 +0000 (17:17 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 1 Jun 2019 00:17:36 +0000 (17:17 -0700)
12 files changed:
queue-4.19/net-tls-avoid-null-deref-on-resync-during-device-removal.patch [deleted file]
queue-4.19/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
queue-4.19/net-tls-fix-state-removal-with-feature-flags-off.patch
queue-4.19/series
queue-5.0/net-tls-avoid-null-deref-on-resync-during-device-removal.patch [deleted file]
queue-5.0/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
queue-5.0/net-tls-fix-state-removal-with-feature-flags-off.patch
queue-5.0/series
queue-5.1/net-tls-avoid-null-deref-on-resync-during-device-removal.patch [deleted file]
queue-5.1/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
queue-5.1/net-tls-fix-state-removal-with-feature-flags-off.patch
queue-5.1/series

diff --git a/queue-4.19/net-tls-avoid-null-deref-on-resync-during-device-removal.patch b/queue-4.19/net-tls-avoid-null-deref-on-resync-during-device-removal.patch
deleted file mode 100644 (file)
index 0679860..0000000
+++ /dev/null
@@ -1,70 +0,0 @@
-From foo@baz Fri 31 May 2019 03:21:27 PM PDT
-From: Jakub Kicinski <jakub.kicinski@netronome.com>
-Date: Tue, 21 May 2019 19:02:00 -0700
-Subject: net/tls: avoid NULL-deref on resync during device removal
-
-From: Jakub Kicinski <jakub.kicinski@netronome.com>
-
-[ Upstream commit 38030d7cb77963ba84cdbe034806e2b81245339f ]
-
-When netdev with active kTLS sockets in unregistered
-notifier callback walks the offloaded sockets and
-cleans up offload state.  RX data may still be processed,
-however, and if resync was requested prior to device
-removal we would hit a NULL pointer dereference on
-ctx->netdev use.
-
-Make sure resync is under the device offload lock
-and NULL-check the netdev pointer.
-
-This should be safe, because the pointer is set to
-NULL either in the netdev notifier (under said lock)
-or when socket is completely dead and no resync can
-happen.
-
-The other access to ctx->netdev in tls_validate_xmit_skb()
-does not dereference the pointer, it just checks it against
-other device pointer, so it should be pretty safe (perhaps
-we can add a READ_ONCE/WRITE_ONCE there, if paranoid).
-
-Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
-Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
-Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/tls/tls_device.c |   15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/net/tls/tls_device.c
-+++ b/net/tls/tls_device.c
-@@ -548,8 +548,8 @@ static int tls_device_push_pending_recor
- void handle_device_resync(struct sock *sk, u32 seq, u64 rcd_sn)
- {
-       struct tls_context *tls_ctx = tls_get_ctx(sk);
--      struct net_device *netdev = tls_ctx->netdev;
-       struct tls_offload_context_rx *rx_ctx;
-+      struct net_device *netdev;
-       u32 is_req_pending;
-       s64 resync_req;
-       u32 req_seq;
-@@ -563,10 +563,15 @@ void handle_device_resync(struct sock *s
-       is_req_pending = resync_req;
-       if (unlikely(is_req_pending) && req_seq == seq &&
--          atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0))
--              netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk,
--                                                    seq + TLS_HEADER_SIZE - 1,
--                                                    rcd_sn);
-+          atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0)) {
-+              seq += TLS_HEADER_SIZE - 1;
-+              down_read(&device_offload_lock);
-+              netdev = tls_ctx->netdev;
-+              if (netdev)
-+                      netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk, seq,
-+                                                            rcd_sn);
-+              up_read(&device_offload_lock);
-+      }
- }
- static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
index a28a633060728979428886edaa6f4ff6a88c3124..8897a513f2f99c913022a1b3009d3c7c91927ee4 100644 (file)
@@ -25,7 +25,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
 --- a/net/tls/tls_device.c
 +++ b/net/tls/tls_device.c
-@@ -979,7 +979,8 @@ static int tls_dev_event(struct notifier
+@@ -974,7 +974,8 @@ static int tls_dev_event(struct notifier
  {
        struct net_device *dev = netdev_notifier_info_to_dev(ptr);
  
index b8bbc501cb8a005fc251439f339e7aa7e5562286..cfb1d4b8eb8a223ea3e7fde2c8d427fef31092ca 100644 (file)
@@ -45,7 +45,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
 --- a/net/tls/tls_device.c
 +++ b/net/tls/tls_device.c
-@@ -921,12 +921,6 @@ void tls_device_offload_cleanup_rx(struc
+@@ -916,12 +916,6 @@ void tls_device_offload_cleanup_rx(struc
        if (!netdev)
                goto out;
  
index 0250de052bc883dabde06732d37007f50312853a..f954e12e35e7bfbd1adebe1b98fb8f1fbc73ebb9 100644 (file)
@@ -21,6 +21,5 @@ net-mlx5-allocate-root-ns-memory-using-kzalloc-to-match-kfree.patch
 net-mlx5e-disable-rxhash-when-cqe-compress-is-enabled.patch
 net-stmmac-dma-channel-control-register-need-to-be-init-first.patch
 bnxt_en-fix-aggregation-buffer-leak-under-oom-condition.patch
-net-tls-avoid-null-deref-on-resync-during-device-removal.patch
 net-tls-fix-state-removal-with-feature-flags-off.patch
 net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
diff --git a/queue-5.0/net-tls-avoid-null-deref-on-resync-during-device-removal.patch b/queue-5.0/net-tls-avoid-null-deref-on-resync-during-device-removal.patch
deleted file mode 100644 (file)
index 1e32088..0000000
+++ /dev/null
@@ -1,70 +0,0 @@
-From foo@baz Fri 31 May 2019 03:16:57 PM PDT
-From: Jakub Kicinski <jakub.kicinski@netronome.com>
-Date: Tue, 21 May 2019 19:02:00 -0700
-Subject: net/tls: avoid NULL-deref on resync during device removal
-
-From: Jakub Kicinski <jakub.kicinski@netronome.com>
-
-[ Upstream commit 38030d7cb77963ba84cdbe034806e2b81245339f ]
-
-When netdev with active kTLS sockets in unregistered
-notifier callback walks the offloaded sockets and
-cleans up offload state.  RX data may still be processed,
-however, and if resync was requested prior to device
-removal we would hit a NULL pointer dereference on
-ctx->netdev use.
-
-Make sure resync is under the device offload lock
-and NULL-check the netdev pointer.
-
-This should be safe, because the pointer is set to
-NULL either in the netdev notifier (under said lock)
-or when socket is completely dead and no resync can
-happen.
-
-The other access to ctx->netdev in tls_validate_xmit_skb()
-does not dereference the pointer, it just checks it against
-other device pointer, so it should be pretty safe (perhaps
-we can add a READ_ONCE/WRITE_ONCE there, if paranoid).
-
-Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
-Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
-Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/tls/tls_device.c |   15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/net/tls/tls_device.c
-+++ b/net/tls/tls_device.c
-@@ -555,8 +555,8 @@ static int tls_device_push_pending_recor
- void handle_device_resync(struct sock *sk, u32 seq, u64 rcd_sn)
- {
-       struct tls_context *tls_ctx = tls_get_ctx(sk);
--      struct net_device *netdev = tls_ctx->netdev;
-       struct tls_offload_context_rx *rx_ctx;
-+      struct net_device *netdev;
-       u32 is_req_pending;
-       s64 resync_req;
-       u32 req_seq;
-@@ -570,10 +570,15 @@ void handle_device_resync(struct sock *s
-       is_req_pending = resync_req;
-       if (unlikely(is_req_pending) && req_seq == seq &&
--          atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0))
--              netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk,
--                                                    seq + TLS_HEADER_SIZE - 1,
--                                                    rcd_sn);
-+          atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0)) {
-+              seq += TLS_HEADER_SIZE - 1;
-+              down_read(&device_offload_lock);
-+              netdev = tls_ctx->netdev;
-+              if (netdev)
-+                      netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk, seq,
-+                                                            rcd_sn);
-+              up_read(&device_offload_lock);
-+      }
- }
- static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
index 525266f119104fd2463c2916f59306f96c82b07f..aca62de2cf85bd3545ec06e9d6b526f751b30179 100644 (file)
@@ -25,7 +25,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
 --- a/net/tls/tls_device.c
 +++ b/net/tls/tls_device.c
-@@ -986,7 +986,8 @@ static int tls_dev_event(struct notifier
+@@ -981,7 +981,8 @@ static int tls_dev_event(struct notifier
  {
        struct net_device *dev = netdev_notifier_info_to_dev(ptr);
  
index 6f77c6fb4544e484bbad11d4c1ec4e199c18fb77..80b96241a1d9182cf721032225459db87fd63a79 100644 (file)
@@ -45,7 +45,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
 --- a/net/tls/tls_device.c
 +++ b/net/tls/tls_device.c
-@@ -928,12 +928,6 @@ void tls_device_offload_cleanup_rx(struc
+@@ -923,12 +923,6 @@ void tls_device_offload_cleanup_rx(struc
        if (!netdev)
                goto out;
  
index bfc8b05ff00c75ebf09c02d8892066359a4007d7..14691fd95ca4177af197a621ef65247fa0461e79 100644 (file)
@@ -26,7 +26,6 @@ net-stmmac-dma-channel-control-register-need-to-be-init-first.patch
 bnxt_en-fix-aggregation-buffer-leak-under-oom-condition.patch
 bnxt_en-fix-possible-bug-condition-when-calling-pci_disable_msix.patch
 bnxt_en-reduce-memory-usage-when-running-in-kdump-kernel.patch
-net-tls-avoid-null-deref-on-resync-during-device-removal.patch
 net-tls-fix-state-removal-with-feature-flags-off.patch
 net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
 cxgb4-revert-cxgb4-remove-sge_host_page_size-dependency-on-page-size.patch
diff --git a/queue-5.1/net-tls-avoid-null-deref-on-resync-during-device-removal.patch b/queue-5.1/net-tls-avoid-null-deref-on-resync-during-device-removal.patch
deleted file mode 100644 (file)
index 86f4e25..0000000
+++ /dev/null
@@ -1,70 +0,0 @@
-From foo@baz Fri 31 May 2019 03:16:39 PM PDT
-From: Jakub Kicinski <jakub.kicinski@netronome.com>
-Date: Tue, 21 May 2019 19:02:00 -0700
-Subject: net/tls: avoid NULL-deref on resync during device removal
-
-From: Jakub Kicinski <jakub.kicinski@netronome.com>
-
-[ Upstream commit 38030d7cb77963ba84cdbe034806e2b81245339f ]
-
-When netdev with active kTLS sockets in unregistered
-notifier callback walks the offloaded sockets and
-cleans up offload state.  RX data may still be processed,
-however, and if resync was requested prior to device
-removal we would hit a NULL pointer dereference on
-ctx->netdev use.
-
-Make sure resync is under the device offload lock
-and NULL-check the netdev pointer.
-
-This should be safe, because the pointer is set to
-NULL either in the netdev notifier (under said lock)
-or when socket is completely dead and no resync can
-happen.
-
-The other access to ctx->netdev in tls_validate_xmit_skb()
-does not dereference the pointer, it just checks it against
-other device pointer, so it should be pretty safe (perhaps
-we can add a READ_ONCE/WRITE_ONCE there, if paranoid).
-
-Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
-Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
-Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/tls/tls_device.c |   15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/net/tls/tls_device.c
-+++ b/net/tls/tls_device.c
-@@ -573,8 +573,8 @@ void tls_device_write_space(struct sock
- void handle_device_resync(struct sock *sk, u32 seq, u64 rcd_sn)
- {
-       struct tls_context *tls_ctx = tls_get_ctx(sk);
--      struct net_device *netdev = tls_ctx->netdev;
-       struct tls_offload_context_rx *rx_ctx;
-+      struct net_device *netdev;
-       u32 is_req_pending;
-       s64 resync_req;
-       u32 req_seq;
-@@ -588,10 +588,15 @@ void handle_device_resync(struct sock *s
-       is_req_pending = resync_req;
-       if (unlikely(is_req_pending) && req_seq == seq &&
--          atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0))
--              netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk,
--                                                    seq + TLS_HEADER_SIZE - 1,
--                                                    rcd_sn);
-+          atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0)) {
-+              seq += TLS_HEADER_SIZE - 1;
-+              down_read(&device_offload_lock);
-+              netdev = tls_ctx->netdev;
-+              if (netdev)
-+                      netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk, seq,
-+                                                            rcd_sn);
-+              up_read(&device_offload_lock);
-+      }
- }
- static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
index c462e371077e392243d168b87fd371256e872d97..40f442507cedc8b71d1232b6f8e8489c36256eed 100644 (file)
@@ -25,7 +25,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
 --- a/net/tls/tls_device.c
 +++ b/net/tls/tls_device.c
-@@ -1006,7 +1006,8 @@ static int tls_dev_event(struct notifier
+@@ -1001,7 +1001,8 @@ static int tls_dev_event(struct notifier
  {
        struct net_device *dev = netdev_notifier_info_to_dev(ptr);
  
index fd2d714fbf96164584e22efd4dd95e7838d63dea..a9f7933230d8e1cb25b913053b09b589c168981d 100644 (file)
@@ -45,7 +45,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
 --- a/net/tls/tls_device.c
 +++ b/net/tls/tls_device.c
-@@ -948,12 +948,6 @@ void tls_device_offload_cleanup_rx(struc
+@@ -943,12 +943,6 @@ void tls_device_offload_cleanup_rx(struc
        if (!netdev)
                goto out;
  
index 7439bdd4c387c0f99dd51c90e29ed9025f0ddf04..6156aff307ee75152a001bdf43a59766f1f199e4 100644 (file)
@@ -31,7 +31,6 @@ net-tls-fix-lowat-calculation-if-some-data-came-from-previous-record.patch
 selftests-tls-test-for-lowat-overshoot-with-multiple-records.patch
 net-tls-fix-no-wakeup-on-partial-reads.patch
 selftests-tls-add-test-for-sleeping-even-though-there-is-data.patch
-net-tls-avoid-null-deref-on-resync-during-device-removal.patch
 net-tls-fix-state-removal-with-feature-flags-off.patch
 net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
 cxgb4-revert-cxgb4-remove-sge_host_page_size-dependency-on-page-size.patch