From cd0103213abd176226020b49e2087d8b4d329735 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 31 May 2019 17:17:36 -0700
Subject: [PATCH] drop net-tls-avoid-null-deref-on-resync-during-device-removal.patch from 5.1, 5.0, and 4.19
---
 ...eref-on-resync-during-device-removal.patch | 70 -------------------
 ...dev-notifications-if-no-tls-features.patch | 2 +-
 ...state-removal-with-feature-flags-off.patch | 2 +-
 queue-4.19/series | 1 -
 ...eref-on-resync-during-device-removal.patch | 70 -------------------
 ...dev-notifications-if-no-tls-features.patch | 2 +-
 ...state-removal-with-feature-flags-off.patch | 2 +-
 queue-5.0/series | 1 -
 ...eref-on-resync-during-device-removal.patch | 70 -------------------
 ...dev-notifications-if-no-tls-features.patch | 2 +-
 ...state-removal-with-feature-flags-off.patch | 2 +-
 queue-5.1/series | 1 -
 12 files changed, 6 insertions(+), 219 deletions(-)
 delete mode 100644 queue-4.19/net-tls-avoid-null-deref-on-resync-during-device-removal.patch
 delete mode 100644 queue-5.0/net-tls-avoid-null-deref-on-resync-during-device-removal.patch
 delete mode 100644 queue-5.1/net-tls-avoid-null-deref-on-resync-during-device-removal.patch
diff --git a/queue-4.19/net-tls-avoid-null-deref-on-resync-during-device-removal.patch b/queue-4.19/net-tls-avoid-null-deref-on-resync-during-device-removal.patch
deleted file mode 100644
index 0679860ecd3..00000000000
--- a/queue-4.19/net-tls-avoid-null-deref-on-resync-during-device-removal.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From foo@baz Fri 31 May 2019 03:21:27 PM PDT
-From: Jakub Kicinski
-Date: Tue, 21 May 2019 19:02:00 -0700
-Subject: net/tls: avoid NULL-deref on resync during device removal
-
-From: Jakub Kicinski
-
-[ Upstream commit 38030d7cb77963ba84cdbe034806e2b81245339f ]
-
-When netdev with active kTLS sockets in unregistered
-notifier callback walks the offloaded sockets and
-cleans up offload state. RX data may still be processed,
-however, and if resync was requested prior to device
-removal we would hit a NULL pointer dereference on
-ctx->netdev use.
-
-Make sure resync is under the device offload lock
-and NULL-check the netdev pointer.
-
-This should be safe, because the pointer is set to
-NULL either in the netdev notifier (under said lock)
-or when socket is completely dead and no resync can
-happen.
-
-The other access to ctx->netdev in tls_validate_xmit_skb()
-does not dereference the pointer, it just checks it against
-other device pointer, so it should be pretty safe (perhaps
-we can add a READ_ONCE/WRITE_ONCE there, if paranoid).
-
-Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
-Signed-off-by: Jakub Kicinski
-Reviewed-by: Dirk van der Merwe
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/tls/tls_device.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/net/tls/tls_device.c
-+++ b/net/tls/tls_device.c
-@@ -548,8 +548,8 @@ static int tls_device_push_pending_recor
- void handle_device_resync(struct sock *sk, u32 seq, u64 rcd_sn)
- {
- struct tls_context *tls_ctx = tls_get_ctx(sk);
-- struct net_device *netdev = tls_ctx->netdev;
- struct tls_offload_context_rx *rx_ctx;
-+ struct net_device *netdev;
- u32 is_req_pending;
- s64 resync_req;
- u32 req_seq;
-@@ -563,10 +563,15 @@ void handle_device_resync(struct sock *s
- is_req_pending = resync_req;
-
- if (unlikely(is_req_pending) && req_seq == seq &&
-- atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0))
-- netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk,
-- seq + TLS_HEADER_SIZE - 1,
-- rcd_sn);
-+ atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0)) {
-+ seq += TLS_HEADER_SIZE - 1;
-+ down_read(&device_offload_lock);
-+ netdev = tls_ctx->netdev;
-+ if (netdev)
-+ netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk, seq,
-+ rcd_sn);
-+ up_read(&device_offload_lock);
-+ }
- }
-
- static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
diff --git a/queue-4.19/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch b/queue-4.19/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
index a28a6330607..8897a513f2f 100644
--- a/queue-4.19/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
+++ b/queue-4.19/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
@@ -25,7 +25,7 @@ Signed-off-by: Greg Kroah-Hartman --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c -@@ -979,7 +979,8 @@ static int tls_dev_event(struct notifier +@@ -974,7 +974,8 @@ static int tls_dev_event(struct notifier { struct net_device *dev = netdev_notifier_info_to_dev(ptr);
diff --git a/queue-4.19/net-tls-fix-state-removal-with-feature-flags-off.patch b/queue-4.19/net-tls-fix-state-removal-with-feature-flags-off.patch
index b8bbc501cb8..cfb1d4b8eb8 100644
--- a/queue-4.19/net-tls-fix-state-removal-with-feature-flags-off.patch
+++ b/queue-4.19/net-tls-fix-state-removal-with-feature-flags-off.patch
@@ -45,7 +45,7 @@ Signed-off-by: Greg Kroah-Hartman --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c -@@ -921,12 +921,6 @@ void tls_device_offload_cleanup_rx(struc +@@ -916,12 +916,6 @@ void tls_device_offload_cleanup_rx(struc if (!netdev) goto out;
diff --git a/queue-4.19/series b/queue-4.19/series
index 0250de052bc..f954e12e35e 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -21,6 +21,5 @@ net-mlx5-allocate-root-ns-memory-using-kzalloc-to-match-kfree.patch
 net-mlx5e-disable-rxhash-when-cqe-compress-is-enabled.patch
 net-stmmac-dma-channel-control-register-need-to-be-init-first.patch
 bnxt_en-fix-aggregation-buffer-leak-under-oom-condition.patch
-net-tls-avoid-null-deref-on-resync-during-device-removal.patch
 net-tls-fix-state-removal-with-feature-flags-off.patch
 net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
diff --git a/queue-5.0/net-tls-avoid-null-deref-on-resync-during-device-removal.patch b/queue-5.0/net-tls-avoid-null-deref-on-resync-during-device-removal.patch
deleted file mode 100644
index 1e3208822c4..00000000000
--- a/queue-5.0/net-tls-avoid-null-deref-on-resync-during-device-removal.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From foo@baz Fri 31 May 2019 03:16:57 PM PDT
-From: Jakub Kicinski
-Date: Tue, 21 May 2019 19:02:00 -0700
-Subject: net/tls: avoid NULL-deref on resync during device removal
-
-From: Jakub Kicinski
-
-[ Upstream commit 38030d7cb77963ba84cdbe034806e2b81245339f ]
-
-When netdev with active kTLS sockets in unregistered
-notifier callback walks the offloaded sockets and
-cleans up offload state. RX data may still be processed,
-however, and if resync was requested prior to device
-removal we would hit a NULL pointer dereference on
-ctx->netdev use.
-
-Make sure resync is under the device offload lock
-and NULL-check the netdev pointer.
-
-This should be safe, because the pointer is set to
-NULL either in the netdev notifier (under said lock)
-or when socket is completely dead and no resync can
-happen.
-
-The other access to ctx->netdev in tls_validate_xmit_skb()
-does not dereference the pointer, it just checks it against
-other device pointer, so it should be pretty safe (perhaps
-we can add a READ_ONCE/WRITE_ONCE there, if paranoid).
-
-Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
-Signed-off-by: Jakub Kicinski
-Reviewed-by: Dirk van der Merwe
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/tls/tls_device.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/net/tls/tls_device.c
-+++ b/net/tls/tls_device.c
-@@ -555,8 +555,8 @@ static int tls_device_push_pending_recor
- void handle_device_resync(struct sock *sk, u32 seq, u64 rcd_sn)
- {
- struct tls_context *tls_ctx = tls_get_ctx(sk);
-- struct net_device *netdev = tls_ctx->netdev;
- struct tls_offload_context_rx *rx_ctx;
-+ struct net_device *netdev;
- u32 is_req_pending;
- s64 resync_req;
- u32 req_seq;
-@@ -570,10 +570,15 @@ void handle_device_resync(struct sock *s
- is_req_pending = resync_req;
-
- if (unlikely(is_req_pending) && req_seq == seq &&
-- atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0))
-- netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk,
-- seq + TLS_HEADER_SIZE - 1,
-- rcd_sn);
-+ atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0)) {
-+ seq += TLS_HEADER_SIZE - 1;
-+ down_read(&device_offload_lock);
-+ netdev = tls_ctx->netdev;
-+ if (netdev)
-+ netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk, seq,
-+ rcd_sn);
-+ up_read(&device_offload_lock);
-+ }
- }
-
- static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
diff --git a/queue-5.0/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch b/queue-5.0/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
index 525266f1191..aca62de2cf8 100644
--- a/queue-5.0/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
+++ b/queue-5.0/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
@@ -25,7 +25,7 @@ Signed-off-by: Greg Kroah-Hartman --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c -@@ -986,7 +986,8 @@ static int tls_dev_event(struct notifier +@@ -981,7 +981,8 @@ static int tls_dev_event(struct notifier { struct net_device *dev = netdev_notifier_info_to_dev(ptr);
diff --git a/queue-5.0/net-tls-fix-state-removal-with-feature-flags-off.patch b/queue-5.0/net-tls-fix-state-removal-with-feature-flags-off.patch
index 6f77c6fb454..80b96241a1d 100644
--- a/queue-5.0/net-tls-fix-state-removal-with-feature-flags-off.patch
+++ b/queue-5.0/net-tls-fix-state-removal-with-feature-flags-off.patch
@@ -45,7 +45,7 @@ Signed-off-by: Greg Kroah-Hartman --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c -@@ -928,12 +928,6 @@ void tls_device_offload_cleanup_rx(struc +@@ -923,12 +923,6 @@ void tls_device_offload_cleanup_rx(struc if (!netdev) goto out;
diff --git a/queue-5.0/series b/queue-5.0/series
index bfc8b05ff00..14691fd95ca 100644
--- a/queue-5.0/series
+++ b/queue-5.0/series
@@ -26,7 +26,6 @@ net-stmmac-dma-channel-control-register-need-to-be-init-first.patch
 bnxt_en-fix-aggregation-buffer-leak-under-oom-condition.patch
 bnxt_en-fix-possible-bug-condition-when-calling-pci_disable_msix.patch
 bnxt_en-reduce-memory-usage-when-running-in-kdump-kernel.patch
-net-tls-avoid-null-deref-on-resync-during-device-removal.patch
 net-tls-fix-state-removal-with-feature-flags-off.patch
 net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
 cxgb4-revert-cxgb4-remove-sge_host_page_size-dependency-on-page-size.patch
diff --git a/queue-5.1/net-tls-avoid-null-deref-on-resync-during-device-removal.patch b/queue-5.1/net-tls-avoid-null-deref-on-resync-during-device-removal.patch
deleted file mode 100644
index 86f4e257a51..00000000000
--- a/queue-5.1/net-tls-avoid-null-deref-on-resync-during-device-removal.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From foo@baz Fri 31 May 2019 03:16:39 PM PDT
-From: Jakub Kicinski
-Date: Tue, 21 May 2019 19:02:00 -0700
-Subject: net/tls: avoid NULL-deref on resync during device removal
-
-From: Jakub Kicinski
-
-[ Upstream commit 38030d7cb77963ba84cdbe034806e2b81245339f ]
-
-When netdev with active kTLS sockets in unregistered
-notifier callback walks the offloaded sockets and
-cleans up offload state. RX data may still be processed,
-however, and if resync was requested prior to device
-removal we would hit a NULL pointer dereference on
-ctx->netdev use.
-
-Make sure resync is under the device offload lock
-and NULL-check the netdev pointer.
-
-This should be safe, because the pointer is set to
-NULL either in the netdev notifier (under said lock)
-or when socket is completely dead and no resync can
-happen.
-
-The other access to ctx->netdev in tls_validate_xmit_skb()
-does not dereference the pointer, it just checks it against
-other device pointer, so it should be pretty safe (perhaps
-we can add a READ_ONCE/WRITE_ONCE there, if paranoid).
-
-Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
-Signed-off-by: Jakub Kicinski
-Reviewed-by: Dirk van der Merwe
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/tls/tls_device.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/net/tls/tls_device.c
-+++ b/net/tls/tls_device.c
-@@ -573,8 +573,8 @@ void tls_device_write_space(struct sock
- void handle_device_resync(struct sock *sk, u32 seq, u64 rcd_sn)
- {
- struct tls_context *tls_ctx = tls_get_ctx(sk);
-- struct net_device *netdev = tls_ctx->netdev;
- struct tls_offload_context_rx *rx_ctx;
-+ struct net_device *netdev;
- u32 is_req_pending;
- s64 resync_req;
- u32 req_seq;
-@@ -588,10 +588,15 @@ void handle_device_resync(struct sock *s
- is_req_pending = resync_req;
-
- if (unlikely(is_req_pending) && req_seq == seq &&
-- atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0))
-- netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk,
-- seq + TLS_HEADER_SIZE - 1,
-- rcd_sn);
-+ atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0)) {
-+ seq += TLS_HEADER_SIZE - 1;
-+ down_read(&device_offload_lock);
-+ netdev = tls_ctx->netdev;
-+ if (netdev)
-+ netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk, seq,
-+ rcd_sn);
-+ up_read(&device_offload_lock);
-+ }
- }
-
- static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
diff --git a/queue-5.1/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch b/queue-5.1/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
index c462e371077..40f442507ce 100644
--- a/queue-5.1/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
+++ b/queue-5.1/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
@@ -25,7 +25,7 @@ Signed-off-by: Greg Kroah-Hartman --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c -@@ -1006,7 +1006,8 @@ static int tls_dev_event(struct notifier +@@ -1001,7 +1001,8 @@ static int tls_dev_event(struct notifier { struct net_device *dev = netdev_notifier_info_to_dev(ptr);
diff --git a/queue-5.1/net-tls-fix-state-removal-with-feature-flags-off.patch b/queue-5.1/net-tls-fix-state-removal-with-feature-flags-off.patch
index fd2d714fbf9..a9f7933230d 100644
--- a/queue-5.1/net-tls-fix-state-removal-with-feature-flags-off.patch
+++ b/queue-5.1/net-tls-fix-state-removal-with-feature-flags-off.patch
@@ -45,7 +45,7 @@ Signed-off-by: Greg Kroah-Hartman --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c -@@ -948,12 +948,6 @@ void tls_device_offload_cleanup_rx(struc +@@ -943,12 +943,6 @@ void tls_device_offload_cleanup_rx(struc if (!netdev) goto out;
diff --git a/queue-5.1/series b/queue-5.1/series
index 7439bdd4c38..6156aff307e 100644
--- a/queue-5.1/series
+++ b/queue-5.1/series
@@ -31,7 +31,6 @@ net-tls-fix-lowat-calculation-if-some-data-came-from-previous-record.patch
 selftests-tls-test-for-lowat-overshoot-with-multiple-records.patch
 net-tls-fix-no-wakeup-on-partial-reads.patch
 selftests-tls-add-test-for-sleeping-even-though-there-is-data.patch
-net-tls-avoid-null-deref-on-resync-during-device-removal.patch
 net-tls-fix-state-removal-with-feature-flags-off.patch
 net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
 cxgb4-revert-cxgb4-remove-sge_host_page_size-dependency-on-page-size.patch
--
2.47.2