[thirdparty/kernel/stable-queue.git] / releases / 5.1.7 / net-tls-fix-state-removal-with-feature-flags-off.patch

From foo@baz Fri 31 May 2019 03:16:39 PM PDT
From: Jakub Kicinski <jakub.kicinski@netronome.com>
Date: Tue, 21 May 2019 19:02:01 -0700
Subject: net/tls: fix state removal with feature flags off

From: Jakub Kicinski <jakub.kicinski@netronome.com>

[ Upstream commit 3686637e507b48525fcea6fb91e1988bdbc14530 ]

TLS offload drivers shouldn't (and currently don't) block
the TLS offload feature changes based on whether there are
active offloaded connections or not.

This seems to be a good idea, because we want the admin to
be able to disable the TLS offload at any time, and there
is no clean way of disabling it for active connections
(TX side is quite problematic).  So if features are cleared
existing connections will stay offloaded until they close,
and new connections will not attempt offload to a given
device.

However, the offload state removal handling is currently
broken if feature flags get cleared while there are
active TLS offloads.

RX side will completely bail from cleanup, even on normal
remove path, leaving device state dangling, potentially
causing issues when the 5-tuple is reused.  It will also
fail to release the netdev reference.

Remove the RX-side warning message, in next release cycle
it should be printed when features are disabled, rather
than when connection dies, but for that we need a more
efficient method of finding connection of a given netdev
(a'la BPF offload code).

Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tls/tls_device.c |    6 ------
 1 file changed, 6 deletions(-)

--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -943,12 +943,6 @@ void tls_device_offload_cleanup_rx(struc
 	if (!netdev)
 		goto out;
 
-	if (!(netdev->features & NETIF_F_HW_TLS_RX)) {
-		pr_err_ratelimited("%s: device is missing NETIF_F_HW_TLS_RX cap\n",
-				   __func__);
-		goto out;
-	}
-
 	netdev->tlsdev_ops->tls_dev_del(netdev, tls_ctx,
 					TLS_OFFLOAD_CTX_DIR_RX);
Commit	Line	Data
ffc20820 GKH	1	From foo@baz Fri 31 May 2019 03:16:39 PM PDT
	2	From: Jakub Kicinski <jakub.kicinski@netronome.com>
	3	Date: Tue, 21 May 2019 19:02:01 -0700
	4	Subject: net/tls: fix state removal with feature flags off
	5
	6	From: Jakub Kicinski <jakub.kicinski@netronome.com>
	7
	8	[ Upstream commit 3686637e507b48525fcea6fb91e1988bdbc14530 ]
	9
	10	TLS offload drivers shouldn't (and currently don't) block
	11	the TLS offload feature changes based on whether there are
	12	active offloaded connections or not.
	13
	14	This seems to be a good idea, because we want the admin to
	15	be able to disable the TLS offload at any time, and there
	16	is no clean way of disabling it for active connections
	17	(TX side is quite problematic). So if features are cleared
	18	existing connections will stay offloaded until they close,
	19	and new connections will not attempt offload to a given
	20	device.
	21
	22	However, the offload state removal handling is currently
	23	broken if feature flags get cleared while there are
	24	active TLS offloads.
	25
	26	RX side will completely bail from cleanup, even on normal
	27	remove path, leaving device state dangling, potentially
	28	causing issues when the 5-tuple is reused. It will also
	29	fail to release the netdev reference.
	30
	31	Remove the RX-side warning message, in next release cycle
	32	it should be printed when features are disabled, rather
	33	than when connection dies, but for that we need a more
	34	efficient method of finding connection of a given netdev
	35	(a'la BPF offload code).
	36
	37	Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
	38	Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
	39	Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
	40	Signed-off-by: David S. Miller <davem@davemloft.net>
	41	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	42	---
	43	net/tls/tls_device.c \| 6 ------
	44	1 file changed, 6 deletions(-)
	45
	46	--- a/net/tls/tls_device.c
	47	+++ b/net/tls/tls_device.c
cd010321	48	@@ -943,12 +943,6 @@ void tls_device_offload_cleanup_rx(struc
ffc20820 GKH	49	if (!netdev)
	50	goto out;
	51
	52	- if (!(netdev->features & NETIF_F_HW_TLS_RX)) {
	53	- pr_err_ratelimited("%s: device is missing NETIF_F_HW_TLS_RX cap\n",
	54	- __func__);
	55	- goto out;
	56	- }
	57	-
	58	netdev->tlsdev_ops->tls_dev_del(netdev, tls_ctx,
	59	TLS_OFFLOAD_CTX_DIR_RX);
	60