--- /dev/null
+From 7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Sat, 11 Jan 2020 06:12:00 +0000
+Subject: bpf: Sockmap, ensure sock lock held during tear down
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+commit 7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b upstream.
+
+The sock_map_free() and sock_hash_free() paths used to delete sockmap
+and sockhash maps walk the maps and destroy psock and bpf state associated
+with the socks in the map. When done the socks no longer have BPF programs
+attached and will function normally. This can happen while the socks in
+the map are still "live" meaning data may be sent/received during the walk.
+
+Currently, though we don't take the sock_lock when the psock and bpf state
+is removed through this path. Specifically, this means we can be writing
+into the ops structure pointers such as sendmsg, sendpage, recvmsg, etc.
+while they are also being called from the networking side. This is not
+safe, we never used proper READ_ONCE/WRITE_ONCE semantics here if we
+believed it was safe. Further its not clear to me its even a good idea
+to try and do this on "live" sockets while networking side might also
+be using the socket. Instead of trying to reason about using the socks
+from both sides lets realize that every use case I'm aware of rarely
+deletes maps, in fact kubernetes/Cilium case builds map at init and
+never tears it down except on errors. So lets do the simple fix and
+grab sock lock.
+
+This patch wraps sock deletes from maps in sock lock and adds some
+annotations so we catch any other cases easier.
+
+Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Song Liu <songliubraving@fb.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/bpf/20200111061206.8028-3-john.fastabend@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/skmsg.c | 2 ++
+ net/core/sock_map.c | 7 ++++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -594,6 +594,8 @@ EXPORT_SYMBOL_GPL(sk_psock_destroy);
+
+ void sk_psock_drop(struct sock *sk, struct sk_psock *psock)
+ {
++ sock_owned_by_me(sk);
++
+ sk_psock_cork_free(psock);
+ sk_psock_zap_ingress(psock);
+
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -241,8 +241,11 @@ static void sock_map_free(struct bpf_map
+ struct sock *sk;
+
+ sk = xchg(psk, NULL);
+- if (sk)
++ if (sk) {
++ lock_sock(sk);
+ sock_map_unref(sk, psk);
++ release_sock(sk);
++ }
+ }
+ raw_spin_unlock_bh(&stab->lock);
+ rcu_read_unlock();
+@@ -862,7 +865,9 @@ static void sock_hash_free(struct bpf_ma
+ raw_spin_lock_bh(&bucket->lock);
+ hlist_for_each_entry_safe(elem, node, &bucket->head, node) {
+ hlist_del_rcu(&elem->node);
++ lock_sock(elem->sk);
+ sock_map_unref(elem->sk, elem);
++ release_sock(elem->sk);
+ }
+ raw_spin_unlock_bh(&bucket->lock);
+ }
--- /dev/null
+From 6562e29cf6f0ddd368657d97a8d484ffc30df5ef Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Sat, 11 Jan 2020 06:12:02 +0000
+Subject: bpf: Sockmap, skmsg helper overestimates push, pull, and pop bounds
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+commit 6562e29cf6f0ddd368657d97a8d484ffc30df5ef upstream.
+
+In the push, pull, and pop helpers operating on skmsg objects to make
+data writable or insert/remove data we use this bounds check to ensure
+specified data is valid,
+
+ /* Bounds checks: start and pop must be inside message */
+ if (start >= offset + l || last >= msg->sg.size)
+ return -EINVAL;
+
+The problem here is offset has already included the length of the
+current element the 'l' above. So start could be past the end of
+the scatterlist element in the case where start also points into an
+offset on the last skmsg element.
+
+To fix do the accounting slightly different by adding the length of
+the previous entry to offset at the start of the iteration. And
+ensure its initialized to zero so that the first iteration does
+nothing.
+
+Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
+Fixes: 6fff607e2f14b ("bpf: sk_msg program helper bpf_msg_push_data")
+Fixes: 7246d8ed4dcce ("bpf: helper to pop data from messages")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Song Liu <songliubraving@fb.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/bpf/20200111061206.8028-5-john.fastabend@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/filter.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -2231,10 +2231,10 @@ BPF_CALL_4(bpf_msg_pull_data, struct sk_
+ /* First find the starting scatterlist element */
+ i = msg->sg.start;
+ do {
++ offset += len;
+ len = sk_msg_elem(msg, i)->length;
+ if (start < offset + len)
+ break;
+- offset += len;
+ sk_msg_iter_var_next(i);
+ } while (i != msg->sg.end);
+
+@@ -2346,7 +2346,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
+ u32, len, u64, flags)
+ {
+ struct scatterlist sge, nsge, nnsge, rsge = {0}, *psge;
+- u32 new, i = 0, l, space, copy = 0, offset = 0;
++ u32 new, i = 0, l = 0, space, copy = 0, offset = 0;
+ u8 *raw, *to, *from;
+ struct page *page;
+
+@@ -2356,11 +2356,11 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
+ /* First find the starting scatterlist element */
+ i = msg->sg.start;
+ do {
++ offset += l;
+ l = sk_msg_elem(msg, i)->length;
+
+ if (start < offset + l)
+ break;
+- offset += l;
+ sk_msg_iter_var_next(i);
+ } while (i != msg->sg.end);
+
+@@ -2506,7 +2506,7 @@ static void sk_msg_shift_right(struct sk
+ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start,
+ u32, len, u64, flags)
+ {
+- u32 i = 0, l, space, offset = 0;
++ u32 i = 0, l = 0, space, offset = 0;
+ u64 last = start + len;
+ int pop;
+
+@@ -2516,11 +2516,11 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_m
+ /* First find the starting scatterlist element */
+ i = msg->sg.start;
+ do {
++ offset += l;
+ l = sk_msg_elem(msg, i)->length;
+
+ if (start < offset + l)
+ break;
+- offset += l;
+ sk_msg_iter_var_next(i);
+ } while (i != msg->sg.end);
+
--- /dev/null
+From 4da6a196f93b1af7612340e8c1ad8ce71e18f955 Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Sat, 11 Jan 2020 06:11:59 +0000
+Subject: bpf: Sockmap/tls, during free we may call tcp_bpf_unhash() in loop
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+commit 4da6a196f93b1af7612340e8c1ad8ce71e18f955 upstream.
+
+When a sockmap is free'd and a socket in the map is enabled with tls
+we tear down the bpf context on the socket, the psock struct and state,
+and then call tcp_update_ulp(). The tcp_update_ulp() call is to inform
+the tls stack it needs to update its saved sock ops so that when the tls
+socket is later destroyed it doesn't try to call the now destroyed psock
+hooks.
+
+This is about keeping stacked ULPs in good shape so they always have
+the right set of stacked ops.
+
+However, recently unhash() hook was removed from TLS side. But, the
+sockmap/bpf side is not doing any extra work to update the unhash op
+when is torn down instead expecting TLS side to manage it. So both
+TLS and sockmap believe the other side is managing the op and instead
+no one updates the hook so it continues to point at tcp_bpf_unhash().
+When unhash hook is called we call tcp_bpf_unhash() which detects the
+psock has already been destroyed and calls sk->sk_prot_unhash() which
+calls tcp_bpf_unhash() yet again and so on looping and hanging the core.
+
+To fix have sockmap tear down logic fixup the stale pointer.
+
+Fixes: 5d92e631b8be ("net/tls: partially revert fix transition through disconnect with close")
+Reported-by: syzbot+83979935eb6304f8cd46@syzkaller.appspotmail.com
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/bpf/20200111061206.8028-2-john.fastabend@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/skmsg.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/linux/skmsg.h
++++ b/include/linux/skmsg.h
+@@ -354,6 +354,7 @@ static inline void sk_psock_update_proto
+ static inline void sk_psock_restore_proto(struct sock *sk,
+ struct sk_psock *psock)
+ {
++ sk->sk_prot->unhash = psock->saved_unhash;
+ sk->sk_write_space = psock->saved_write_space;
+
+ if (psock->sk_proto) {
--- /dev/null
+From 7361d44896ff20d48bdd502d1a0cd66308055d45 Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Sat, 11 Jan 2020 06:12:06 +0000
+Subject: bpf: Sockmap/tls, fix pop data with SK_DROP return code
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+commit 7361d44896ff20d48bdd502d1a0cd66308055d45 upstream.
+
+When user returns SK_DROP we need to reset the number of copied bytes
+to indicate to the user the bytes were dropped and not sent. If we
+don't reset the copied arg sendmsg will return as if those bytes were
+copied giving the user a positive return value.
+
+This works as expected today except in the case where the user also
+pops bytes. In the pop case the sg.size is reduced but we don't correctly
+account for this when copied bytes is reset. The popped bytes are not
+accounted for and we return a small positive value potentially confusing
+the user.
+
+The reason this happens is due to a typo where we do the wrong comparison
+when accounting for pop bytes. In this fix notice the if/else is not
+needed and that we have a similar problem if we push data except its not
+visible to the user because if delta is larger the sg.size we return a
+negative value so it appears as an error regardless.
+
+Fixes: 7246d8ed4dcce ("bpf: helper to pop data from messages")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/bpf/20200111061206.8028-9-john.fastabend@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/tcp_bpf.c | 5 +----
+ net/tls/tls_sw.c | 5 +----
+ 2 files changed, 2 insertions(+), 8 deletions(-)
+
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -315,10 +315,7 @@ more_data:
+ */
+ delta = msg->sg.size;
+ psock->eval = sk_psock_msg_verdict(sk, psock, msg);
+- if (msg->sg.size < delta)
+- delta -= msg->sg.size;
+- else
+- delta = 0;
++ delta -= msg->sg.size;
+ }
+
+ if (msg->cork_bytes &&
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -804,10 +804,7 @@ more_data:
+ if (psock->eval == __SK_NONE) {
+ delta = msg->sg.size;
+ psock->eval = sk_psock_msg_verdict(sk, psock, msg);
+- if (delta < msg->sg.size)
+- delta -= msg->sg.size;
+- else
+- delta = 0;
++ delta -= msg->sg.size;
+ }
+ if (msg->cork_bytes && msg->cork_bytes > msg->sg.size &&
+ !enospc && !full_record) {
--- /dev/null
+From cf21e9ba1eb86c9333ca5b05b2f1cc94021bcaef Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Sat, 11 Jan 2020 06:12:03 +0000
+Subject: bpf: Sockmap/tls, msg_push_data may leave end mark in place
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+commit cf21e9ba1eb86c9333ca5b05b2f1cc94021bcaef upstream.
+
+Leaving an incorrect end mark in place when passing to crypto
+layer will cause crypto layer to stop processing data before
+all data is encrypted. To fix clear the end mark on push
+data instead of expecting users of the helper to clear the
+mark value after the fact.
+
+This happens when we push data into the middle of a skmsg and
+have room for it so we don't do a set of copies that already
+clear the end flag.
+
+Fixes: 6fff607e2f14b ("bpf: sk_msg program helper bpf_msg_push_data")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Song Liu <songliubraving@fb.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/bpf/20200111061206.8028-6-john.fastabend@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/filter.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -2415,6 +2415,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
+
+ sk_msg_iter_var_next(i);
+ sg_unmark_end(psge);
++ sg_unmark_end(&rsge);
+ sk_msg_iter_next(msg, end);
+ }
+
--- /dev/null
+From 33bfe20dd7117dd81fd896a53f743a233e1ad64f Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Sat, 11 Jan 2020 06:12:01 +0000
+Subject: bpf: Sockmap/tls, push write_space updates through ulp updates
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+commit 33bfe20dd7117dd81fd896a53f743a233e1ad64f upstream.
+
+When sockmap sock with TLS enabled is removed we cleanup bpf/psock state
+and call tcp_update_ulp() to push updates to TLS ULP on top. However, we
+don't push the write_space callback up and instead simply overwrite the
+op with the psock stored previous op. This may or may not be correct so
+to ensure we don't overwrite the TLS write space hook pass this field to
+the ULP and have it fixup the ctx.
+
+This completes a previous fix that pushed the ops through to the ULP
+but at the time missed doing this for write_space, presumably because
+write_space TLS hook was added around the same time.
+
+Fixes: 95fa145479fbc ("bpf: sockmap/tls, close can race with map free")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/bpf/20200111061206.8028-4-john.fastabend@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/skmsg.h | 12 ++++++++----
+ include/net/tcp.h | 6 ++++--
+ net/ipv4/tcp_ulp.c | 6 ++++--
+ net/tls/tls_main.c | 10 +++++++---
+ 4 files changed, 23 insertions(+), 11 deletions(-)
+
+--- a/include/linux/skmsg.h
++++ b/include/linux/skmsg.h
+@@ -355,17 +355,21 @@ static inline void sk_psock_restore_prot
+ struct sk_psock *psock)
+ {
+ sk->sk_prot->unhash = psock->saved_unhash;
+- sk->sk_write_space = psock->saved_write_space;
+
+ if (psock->sk_proto) {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ bool has_ulp = !!icsk->icsk_ulp_data;
+
+- if (has_ulp)
+- tcp_update_ulp(sk, psock->sk_proto);
+- else
++ if (has_ulp) {
++ tcp_update_ulp(sk, psock->sk_proto,
++ psock->saved_write_space);
++ } else {
+ sk->sk_prot = psock->sk_proto;
++ sk->sk_write_space = psock->saved_write_space;
++ }
+ psock->sk_proto = NULL;
++ } else {
++ sk->sk_write_space = psock->saved_write_space;
+ }
+ }
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -2132,7 +2132,8 @@ struct tcp_ulp_ops {
+ /* initialize ulp */
+ int (*init)(struct sock *sk);
+ /* update ulp */
+- void (*update)(struct sock *sk, struct proto *p);
++ void (*update)(struct sock *sk, struct proto *p,
++ void (*write_space)(struct sock *sk));
+ /* cleanup ulp */
+ void (*release)(struct sock *sk);
+ /* diagnostic */
+@@ -2147,7 +2148,8 @@ void tcp_unregister_ulp(struct tcp_ulp_o
+ int tcp_set_ulp(struct sock *sk, const char *name);
+ void tcp_get_available_ulp(char *buf, size_t len);
+ void tcp_cleanup_ulp(struct sock *sk);
+-void tcp_update_ulp(struct sock *sk, struct proto *p);
++void tcp_update_ulp(struct sock *sk, struct proto *p,
++ void (*write_space)(struct sock *sk));
+
+ #define MODULE_ALIAS_TCP_ULP(name) \
+ __MODULE_INFO(alias, alias_userspace, name); \
+--- a/net/ipv4/tcp_ulp.c
++++ b/net/ipv4/tcp_ulp.c
+@@ -96,17 +96,19 @@ void tcp_get_available_ulp(char *buf, si
+ rcu_read_unlock();
+ }
+
+-void tcp_update_ulp(struct sock *sk, struct proto *proto)
++void tcp_update_ulp(struct sock *sk, struct proto *proto,
++ void (*write_space)(struct sock *sk))
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+
+ if (!icsk->icsk_ulp_ops) {
++ sk->sk_write_space = write_space;
+ sk->sk_prot = proto;
+ return;
+ }
+
+ if (icsk->icsk_ulp_ops->update)
+- icsk->icsk_ulp_ops->update(sk, proto);
++ icsk->icsk_ulp_ops->update(sk, proto, write_space);
+ }
+
+ void tcp_cleanup_ulp(struct sock *sk)
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -798,15 +798,19 @@ out:
+ return rc;
+ }
+
+-static void tls_update(struct sock *sk, struct proto *p)
++static void tls_update(struct sock *sk, struct proto *p,
++ void (*write_space)(struct sock *sk))
+ {
+ struct tls_context *ctx;
+
+ ctx = tls_get_ctx(sk);
+- if (likely(ctx))
++ if (likely(ctx)) {
++ ctx->sk_write_space = write_space;
+ ctx->sk_proto = p;
+- else
++ } else {
+ sk->sk_prot = p;
++ sk->sk_write_space = write_space;
++ }
+ }
+
+ static int tls_get_info(const struct sock *sk, struct sk_buff *skb)
--- /dev/null
+From 9aaaa56845a06aeabdd597cbe19492dc01f281ec Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Sat, 11 Jan 2020 06:12:05 +0000
+Subject: bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+commit 9aaaa56845a06aeabdd597cbe19492dc01f281ec upstream.
+
+Its possible through a set of push, pop, apply helper calls to construct
+a skmsg, which is just a ring of scatterlist elements, with the start
+value larger than the end value. For example,
+
+ end start
+ |_0_|_1_| ... |_n_|_n+1_|
+
+Where end points at 1 and start points and n so that valid elements is
+the set {n, n+1, 0, 1}.
+
+Currently, because we don't build the correct chain only {n, n+1} will
+be sent. This adds a check and sg_chain call to correctly submit the
+above to the crypto and tls send path.
+
+Fixes: d3b18ad31f93d ("tls: add bpf support to sk_msg handling")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/bpf/20200111061206.8028-8-john.fastabend@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tls/tls_sw.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -724,6 +724,12 @@ static int tls_push_record(struct sock *
+ sg_mark_end(sk_msg_elem(msg_pl, i));
+ }
+
++ if (msg_pl->sg.end < msg_pl->sg.start) {
++ sg_chain(&msg_pl->sg.data[msg_pl->sg.start],
++ MAX_SKB_FRAGS - msg_pl->sg.start + 1,
++ msg_pl->sg.data);
++ }
++
+ i = msg_pl->sg.start;
+ sg_chain(rec->sg_aead_in, 2, &msg_pl->sg.data[i]);
+
--- /dev/null
+From d468e4775c1c351616947ba0cccc43273963b9b5 Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Sat, 11 Jan 2020 06:12:04 +0000
+Subject: bpf: Sockmap/tls, tls_sw can create a plaintext buf > encrypt buf
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+commit d468e4775c1c351616947ba0cccc43273963b9b5 upstream.
+
+It is possible to build a plaintext buffer using push helper that is larger
+than the allocated encrypt buffer. When this record is pushed to crypto
+layers this can result in a NULL pointer dereference because the crypto
+API expects the encrypt buffer is large enough to fit the plaintext
+buffer. Kernel splat below.
+
+To resolve catch the cases this can happen and split the buffer into two
+records to send individually. Unfortunately, there is still one case to
+handle where the split creates a zero sized buffer. In this case we merge
+the buffers and unmark the split. This happens when apply is zero and user
+pushed data beyond encrypt buffer. This fixes the original case as well
+because the split allocated an encrypt buffer larger than the plaintext
+buffer and the merge simply moves the pointers around so we now have
+a reference to the new (larger) encrypt buffer.
+
+Perhaps its not ideal but it seems the best solution for a fixes branch
+and avoids handling these two cases, (a) apply that needs split and (b)
+non apply case. The are edge cases anyways so optimizing them seems not
+necessary unless someone wants later in next branches.
+
+[ 306.719107] BUG: kernel NULL pointer dereference, address: 0000000000000008
+[...]
+[ 306.747260] RIP: 0010:scatterwalk_copychunks+0x12f/0x1b0
+[...]
+[ 306.770350] Call Trace:
+[ 306.770956] scatterwalk_map_and_copy+0x6c/0x80
+[ 306.772026] gcm_enc_copy_hash+0x4b/0x50
+[ 306.772925] gcm_hash_crypt_remain_continue+0xef/0x110
+[ 306.774138] gcm_hash_crypt_continue+0xa1/0xb0
+[ 306.775103] ? gcm_hash_crypt_continue+0xa1/0xb0
+[ 306.776103] gcm_hash_assoc_remain_continue+0x94/0xa0
+[ 306.777170] gcm_hash_assoc_continue+0x9d/0xb0
+[ 306.778239] gcm_hash_init_continue+0x8f/0xa0
+[ 306.779121] gcm_hash+0x73/0x80
+[ 306.779762] gcm_encrypt_continue+0x6d/0x80
+[ 306.780582] crypto_gcm_encrypt+0xcb/0xe0
+[ 306.781474] crypto_aead_encrypt+0x1f/0x30
+[ 306.782353] tls_push_record+0x3b9/0xb20 [tls]
+[ 306.783314] ? sk_psock_msg_verdict+0x199/0x300
+[ 306.784287] bpf_exec_tx_verdict+0x3f2/0x680 [tls]
+[ 306.785357] tls_sw_sendmsg+0x4a3/0x6a0 [tls]
+
+test_sockmap test signature to trigger bug,
+
+[TEST]: (1, 1, 1, sendmsg, pass,redir,start 1,end 2,pop (1,2),ktls,):
+
+Fixes: d3b18ad31f93d ("tls: add bpf support to sk_msg handling")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/bpf/20200111061206.8028-7-john.fastabend@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tls/tls_sw.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -677,12 +677,32 @@ static int tls_push_record(struct sock *
+
+ split_point = msg_pl->apply_bytes;
+ split = split_point && split_point < msg_pl->sg.size;
++ if (unlikely((!split &&
++ msg_pl->sg.size +
++ prot->overhead_size > msg_en->sg.size) ||
++ (split &&
++ split_point +
++ prot->overhead_size > msg_en->sg.size))) {
++ split = true;
++ split_point = msg_en->sg.size;
++ }
+ if (split) {
+ rc = tls_split_open_record(sk, rec, &tmp, msg_pl, msg_en,
+ split_point, prot->overhead_size,
+ &orig_end);
+ if (rc < 0)
+ return rc;
++ /* This can happen if above tls_split_open_record allocates
++ * a single large encryption buffer instead of two smaller
++ * ones. In this case adjust pointers and continue without
++ * split.
++ */
++ if (!msg_pl->sg.size) {
++ tls_merge_open_record(sk, rec, tmp, orig_end);
++ msg_pl = &rec->msg_plaintext;
++ msg_en = &rec->msg_encrypted;
++ split = false;
++ }
+ sk_msg_trim(sk, msg_en, msg_pl->sg.size +
+ prot->overhead_size);
+ }
--- /dev/null
+From 5a128a088a2ab0b5190eeb232b5aa0b1017a0317 Mon Sep 17 00:00:00 2001
+From: Markus Theil <markus.theil@tu-ilmenau.de>
+Date: Wed, 8 Jan 2020 12:55:36 +0100
+Subject: cfg80211: fix deadlocks in autodisconnect work
+
+From: Markus Theil <markus.theil@tu-ilmenau.de>
+
+commit 5a128a088a2ab0b5190eeb232b5aa0b1017a0317 upstream.
+
+Use methods which do not try to acquire the wdev lock themselves.
+
+Cc: stable@vger.kernel.org
+Fixes: 37b1c004685a3 ("cfg80211: Support all iftypes in autodisconnect_wk")
+Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
+Link: https://lore.kernel.org/r/20200108115536.2262-1-markus.theil@tu-ilmenau.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/sme.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -1307,14 +1307,14 @@ void cfg80211_autodisconnect_wk(struct w
+ if (wdev->conn_owner_nlportid) {
+ switch (wdev->iftype) {
+ case NL80211_IFTYPE_ADHOC:
+- cfg80211_leave_ibss(rdev, wdev->netdev, false);
++ __cfg80211_leave_ibss(rdev, wdev->netdev, false);
+ break;
+ case NL80211_IFTYPE_AP:
+ case NL80211_IFTYPE_P2P_GO:
+- cfg80211_stop_ap(rdev, wdev->netdev, false);
++ __cfg80211_stop_ap(rdev, wdev->netdev, false);
+ break;
+ case NL80211_IFTYPE_MESH_POINT:
+- cfg80211_leave_mesh(rdev, wdev->netdev);
++ __cfg80211_leave_mesh(rdev, wdev->netdev);
+ break;
+ case NL80211_IFTYPE_STATION:
+ case NL80211_IFTYPE_P2P_CLIENT:
--- /dev/null
+From df16737d438f534d0cc9948c7c5158f1986c5c87 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 8 Jan 2020 18:06:30 +0100
+Subject: cfg80211: fix memory leak in cfg80211_cqm_rssi_update
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit df16737d438f534d0cc9948c7c5158f1986c5c87 upstream.
+
+The per-tid statistics need to be released after the call to rdev_get_station
+
+Cc: stable@vger.kernel.org
+Fixes: 8689c051a201 ("cfg80211: dynamically allocate per-tid stats for station info")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20200108170630.33680-2-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -10834,6 +10834,7 @@ static int cfg80211_cqm_rssi_update(stru
+ if (err)
+ return err;
+
++ cfg80211_sinfo_release_content(&sinfo);
+ if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
+ wdev->cqm_config->last_rssi_event_value =
+ (s8) sinfo.rx_beacon_signal_avg;
--- /dev/null
+From 2a279b34169e9bbf7c240691466420aba75b4175 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 8 Jan 2020 18:06:29 +0100
+Subject: cfg80211: fix memory leak in nl80211_probe_mesh_link
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 2a279b34169e9bbf7c240691466420aba75b4175 upstream.
+
+The per-tid statistics need to be released after the call to rdev_get_station
+
+Cc: stable@vger.kernel.org
+Fixes: 5ab92e7fe49a ("cfg80211: add support to probe unexercised mesh link")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20200108170630.33680-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -13787,6 +13787,8 @@ static int nl80211_probe_mesh_link(struc
+ if (err)
+ return err;
+
++ cfg80211_sinfo_release_content(&sinfo);
++
+ return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
+ }
+
--- /dev/null
+From 81c044fc3bdc5b7be967cd3682528ea94b58c06a Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 13 Jan 2020 19:21:07 +0100
+Subject: cfg80211: fix page refcount issue in A-MSDU decap
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 81c044fc3bdc5b7be967cd3682528ea94b58c06a upstream.
+
+The fragments attached to a skb can be part of a compound page. In that case,
+page_ref_inc will increment the refcount for the wrong page. Fix this by
+using get_page instead, which calls page_ref_inc on the compound head and
+also checks for overflow.
+
+Fixes: 2b67f944f88c ("cfg80211: reuse existing page fragments in A-MSDU rx")
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20200113182107.20461-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -564,7 +564,7 @@ __frame_add_frag(struct sk_buff *skb, st
+ struct skb_shared_info *sh = skb_shinfo(skb);
+ int page_offset;
+
+- page_ref_inc(page);
++ get_page(page);
+ page_offset = ptr - page_address(page);
+ skb_add_rx_frag(skb, sh->nr_frags, page, page_offset, len, size);
+ }
--- /dev/null
+From 9f42de8d4ec2304f10bbc51dc0484f3503d61196 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Tue, 14 Jan 2020 04:34:35 +0300
+Subject: i2c: tegra: Fix suspending in active runtime PM state
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 9f42de8d4ec2304f10bbc51dc0484f3503d61196 upstream.
+
+I noticed that sometime I2C clock is kept enabled during suspend-resume.
+This happens because runtime PM defers dynamic suspension and thus it may
+happen that runtime PM is in active state when system enters into suspend.
+In particular I2C controller that is used for CPU's DVFS is often kept ON
+during suspend because CPU's voltage scaling happens quite often.
+
+Fixes: 8ebf15e9c869 ("i2c: tegra: Move suspend handling to NOIRQ phase")
+Cc: <stable@vger.kernel.org> # v5.4+
+Tested-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-tegra.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-tegra.c
++++ b/drivers/i2c/busses/i2c-tegra.c
+@@ -1710,9 +1710,14 @@ static int tegra_i2c_remove(struct platf
+ static int __maybe_unused tegra_i2c_suspend(struct device *dev)
+ {
+ struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
++ int err;
+
+ i2c_mark_adapter_suspended(&i2c_dev->adapter);
+
++ err = pm_runtime_force_suspend(dev);
++ if (err < 0)
++ return err;
++
+ return 0;
+ }
+
+@@ -1733,6 +1738,10 @@ static int __maybe_unused tegra_i2c_resu
+ if (err)
+ return err;
+
++ err = pm_runtime_force_resume(dev);
++ if (err < 0)
++ return err;
++
+ i2c_mark_adapter_resumed(&i2c_dev->adapter);
+
+ return 0;
--- /dev/null
+From 24a49678f5e20f18006e71b90ac1531876b27eb1 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Tue, 14 Jan 2020 04:34:36 +0300
+Subject: i2c: tegra: Properly disable runtime PM on driver's probe error
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 24a49678f5e20f18006e71b90ac1531876b27eb1 upstream.
+
+One of the recent Tegra I2C commits made a change that resumes runtime PM
+during driver's probe, but it missed to put the RPM in a case of error.
+Note that it's not correct to use pm_runtime_status_suspended because it
+breaks RPM refcounting.
+
+Fixes: 8ebf15e9c869 ("i2c: tegra: Move suspend handling to NOIRQ phase")
+Cc: <stable@vger.kernel.org> # v5.4+
+Tested-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-tegra.c | 29 +++++++++++++++++++----------
+ 1 file changed, 19 insertions(+), 10 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-tegra.c
++++ b/drivers/i2c/busses/i2c-tegra.c
+@@ -1608,14 +1608,18 @@ static int tegra_i2c_probe(struct platfo
+ }
+
+ pm_runtime_enable(&pdev->dev);
+- if (!pm_runtime_enabled(&pdev->dev))
++ if (!pm_runtime_enabled(&pdev->dev)) {
+ ret = tegra_i2c_runtime_resume(&pdev->dev);
+- else
++ if (ret < 0) {
++ dev_err(&pdev->dev, "runtime resume failed\n");
++ goto unprepare_div_clk;
++ }
++ } else {
+ ret = pm_runtime_get_sync(i2c_dev->dev);
+-
+- if (ret < 0) {
+- dev_err(&pdev->dev, "runtime resume failed\n");
+- goto unprepare_div_clk;
++ if (ret < 0) {
++ dev_err(&pdev->dev, "runtime resume failed\n");
++ goto disable_rpm;
++ }
+ }
+
+ if (i2c_dev->is_multimaster_mode) {
+@@ -1623,7 +1627,7 @@ static int tegra_i2c_probe(struct platfo
+ if (ret < 0) {
+ dev_err(i2c_dev->dev, "div_clk enable failed %d\n",
+ ret);
+- goto disable_rpm;
++ goto put_rpm;
+ }
+ }
+
+@@ -1671,11 +1675,16 @@ disable_div_clk:
+ if (i2c_dev->is_multimaster_mode)
+ clk_disable(i2c_dev->div_clk);
+
+-disable_rpm:
+- pm_runtime_disable(&pdev->dev);
+- if (!pm_runtime_status_suspended(&pdev->dev))
++put_rpm:
++ if (pm_runtime_enabled(&pdev->dev))
++ pm_runtime_put_sync(&pdev->dev);
++ else
+ tegra_i2c_runtime_suspend(&pdev->dev);
+
++disable_rpm:
++ if (pm_runtime_enabled(&pdev->dev))
++ pm_runtime_disable(&pdev->dev);
++
+ unprepare_div_clk:
+ clk_unprepare(i2c_dev->div_clk);
+
block-fix-the-type-of-sts-in-bsg_queue_rq.patch
drm-amd-display-reorder-detect_edp_sink_caps-before-.patch
bpf-fix-incorrect-verifier-simulation-of-arsh-under-alu32.patch
+bpf-sockmap-tls-during-free-we-may-call-tcp_bpf_unhash-in-loop.patch
+bpf-sockmap-ensure-sock-lock-held-during-tear-down.patch
+bpf-sockmap-tls-push-write_space-updates-through-ulp-updates.patch
+bpf-sockmap-skmsg-helper-overestimates-push-pull-and-pop-bounds.patch
+bpf-sockmap-tls-msg_push_data-may-leave-end-mark-in-place.patch
+bpf-sockmap-tls-tls_sw-can-create-a-plaintext-buf-encrypt-buf.patch
+bpf-sockmap-tls-skmsg-can-have-wrapped-skmsg-that-needs-extra-chaining.patch
+bpf-sockmap-tls-fix-pop-data-with-sk_drop-return-code.patch
+i2c-tegra-fix-suspending-in-active-runtime-pm-state.patch
+i2c-tegra-properly-disable-runtime-pm-on-driver-s-probe-error.patch
+cfg80211-fix-deadlocks-in-autodisconnect-work.patch
+cfg80211-fix-memory-leak-in-nl80211_probe_mesh_link.patch
+cfg80211-fix-memory-leak-in-cfg80211_cqm_rssi_update.patch
+cfg80211-fix-page-refcount-issue-in-a-msdu-decap.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
