From 2ef2e8ded59129d271d8b751da9bef2681e235d3 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 4 Mar 2024 14:41:39 +0100
Subject: [PATCH] 5.15-stable patches added patches: net-tls-fix-async-vs-nic-crypto-offload.patch revert-tls-rx-move-counting-tlsdecrypterrors-for-sync.patch
---
 ...-tls-fix-async-vs-nic-crypto-offload.patch | 43 ++++++++++++++
 ...e-counting-tlsdecrypterrors-for-sync.patch | 59 +++++++++++++++++++
 queue-5.15/series | 2 +
 3 files changed, 104 insertions(+)
 create mode 100644 queue-5.15/net-tls-fix-async-vs-nic-crypto-offload.patch
 create mode 100644 queue-5.15/revert-tls-rx-move-counting-tlsdecrypterrors-for-sync.patch
diff --git a/queue-5.15/net-tls-fix-async-vs-nic-crypto-offload.patch b/queue-5.15/net-tls-fix-async-vs-nic-crypto-offload.patch
new file mode 100644
index 00000000000..2a4f8f4a33c
--- /dev/null
+++ b/queue-5.15/net-tls-fix-async-vs-nic-crypto-offload.patch
@@ -0,0 +1,43 @@
+From c706b2b5ed74d30436b85cbd8e63e969f6b5873a Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski
+Date: Mon, 25 Apr 2022 16:33:09 -0700
+Subject: net: tls: fix async vs NIC crypto offload
+
+From: Jakub Kicinski
+
+commit c706b2b5ed74d30436b85cbd8e63e969f6b5873a upstream.
+
+When NIC takes care of crypto (or the record has already
+been decrypted) we forget to update darg->async. ->async
+is supposed to mean whether record is async capable on
+input and whether record has been queued for async crypto
+on output.
+
+Reported-by: Gal Pressman
+Fixes: 3547a1f9d988 ("tls: rx: use async as an in-out argument")
+Tested-by: Gal Pressman
+Link: https://lore.kernel.org/r/20220425233309.344858-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tls/tls_sw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -1568,6 +1568,7 @@ static int decrypt_skb_update(struct soc
+ 
+ if (tlm->decrypted) {
+ darg->zc = false;
++ darg->async = false;
+ return 0;
+ }
+ 
+@@ -1578,6 +1579,7 @@ static int decrypt_skb_update(struct soc
+ if (err > 0) {
+ tlm->decrypted = 1;
+ darg->zc = false;
++ darg->async = false;
+ goto decrypt_done;
+ }
+ }
diff --git a/queue-5.15/revert-tls-rx-move-counting-tlsdecrypterrors-for-sync.patch b/queue-5.15/revert-tls-rx-move-counting-tlsdecrypterrors-for-sync.patch
new file mode 100644
index 00000000000..7f0803cadec
--- /dev/null
+++ b/queue-5.15/revert-tls-rx-move-counting-tlsdecrypterrors-for-sync.patch
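Review bot: In the net/tls/tls_sw.c change carried by net-tls-fix-async-vs-nic-crypto-offload.patch, the in/out meaning of `darg->async` is stated only in the commit message, while the reset is repeated by hand beside `darg->zc = false;` on both early exits (the `tlm->decrypted` return and the `err > 0` branch that jumps to `decrypt_done`). A one-line comment at the first of them, such as `/* ->async is in/out: no crypto was queued here, so clear it for the caller */`, would make the contract visible where the next exit path gets added. A stale `true` presumably leaves the caller treating an already-plaintext record as still pending in async crypto. That caller and the rest of decrypt_skb_update() lie outside these hunks, so it is worth confirming that no other return path has the same gap.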
@@ -0,0 +1,59 @@
+From a069a90554168ac4cc81af65f000557d2a8a0745 Mon Sep 17 00:00:00 2001
+From: Gal Pressman
+Date: Tue, 5 Jul 2022 14:08:37 +0300
+Subject: Revert "tls: rx: move counting TlsDecryptErrors for sync"
+
+From: Gal Pressman
+
+commit a069a90554168ac4cc81af65f000557d2a8a0745 upstream.
+
+This reverts commit 284b4d93daee56dff3e10029ddf2e03227f50dbf.
+When using TLS device offload and coming from tls_device_reencrypt()
+flow, -EBADMSG error in tls_do_decryption() should not be counted
+towards the TLSTlsDecryptError counter.
+
+Move the counter increase back to the decrypt_internal() call site in
+decrypt_skb_update().
+This also fixes an issue where:
+ if (n_sgin < 1)
+ return -EBADMSG;
+
+Errors in decrypt_internal() were not counted after the cited patch.
+
+Fixes: 284b4d93daee ("tls: rx: move counting TlsDecryptErrors for sync")
+Cc: Jakub Kicinski
+Reviewed-by: Maxim Mikityanskiy
+Reviewed-by: Tariq Toukan
+Signed-off-by: Gal Pressman
+Reviewed-by: Jakub Kicinski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tls/tls_sw.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -278,9 +278,6 @@ static int tls_do_decryption(struct sock
+ }
+ darg->async = false;
+ 
+- if (ret == -EBADMSG)
+- TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTERROR);
+-
+ return ret;
+ }
+ 
+@@ -1585,8 +1582,11 @@ static int decrypt_skb_update(struct soc
+ }
+ 
+ err = decrypt_internal(sk, skb, dest, NULL, darg);
+- if (err < 0)
++ if (err < 0) {
++ if (err == -EBADMSG)
++ TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTERROR);
+ return err;
++ }
+ if (darg->async)
+ goto decrypt_next;
+ 
diff --git a/queue-5.15/series b/queue-5.15/series
index 17af970ba05..b0e6cdfec4a 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
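Review bot: The `err == -EBADMSG` test added after `decrypt_internal()` in decrypt_skb_update() is the only place this patch leaves an increment of `LINUX_MIB_TLSDECRYPTERROR`, and it runs before the `if (darg->async) goto decrypt_next;` check, so it sees only failures returned synchronously. Whether a record that fails authentication after being queued for async crypto is still counted depends on the completion path, which is not in the hunk. That should be confirmed on the 5.15 tree, since this counter is what operators watch for corrupted or tampered records. The reason for counting at this call site is also only in the commit message; a comment such as `/* counted here, not in tls_do_decryption(): tls_device_reencrypt() failures must not bump TlsDecryptError */` would keep a later refactor from moving it back. Both functions continue outside the hunks.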
@@ -80,3 +80,5 @@ revert-interconnect-teach-lockdep-about-icc_bw_lock-order.patch
 bpf-add-bpf_fib_lookup_skip_neigh-for-bpf_fib_lookup.patch
 bpf-add-table-id-to-bpf_fib_lookup-bpf-helper.patch
 bpf-derive-source-ip-addr-via-bpf_-_fib_lookup.patch
+net-tls-fix-async-vs-nic-crypto-offload.patch
+revert-tls-rx-move-counting-tlsdecrypterrors-for-sync.patch
-- 
2.47.3