--- /dev/null
+From 4340f42f207eacb81e7a6b6bb1e3b6afad9a2e26 Mon Sep 17 00:00:00 2001
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Thu, 21 May 2020 15:11:44 +0300
+Subject: mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+commit 4340f42f207eacb81e7a6b6bb1e3b6afad9a2e26 upstream.
+
+In case of reload fail, the mlxsw_sp->ports contains a pointer to a
+freed memory (either by reload_down() or reload_up() error path).
+Fix this by initializing the pointer to NULL and checking it before
+dereferencing in split/unsplit/type_set callpaths.
+
+Fixes: 24cc68ad6c46 ("mlxsw: core: Add support for reload")
+Reported-by: Danielle Ratson <danieller@mellanox.com>
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 14 ++++++++++++--
+ drivers/net/ethernet/mellanox/mlxsw/switchx2.c | 8 ++++++++
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -3932,6 +3932,7 @@ static void mlxsw_sp_ports_remove(struct
+ mlxsw_sp_cpu_port_remove(mlxsw_sp);
+ kfree(mlxsw_sp->port_to_module);
+ kfree(mlxsw_sp->ports);
++ mlxsw_sp->ports = NULL;
+ }
+
+ static int mlxsw_sp_ports_create(struct mlxsw_sp *mlxsw_sp)
+@@ -3986,6 +3987,7 @@ err_cpu_port_create:
+ kfree(mlxsw_sp->port_to_module);
+ err_port_to_module_alloc:
+ kfree(mlxsw_sp->ports);
++ mlxsw_sp->ports = NULL;
+ return err;
+ }
+
+@@ -4040,6 +4042,14 @@ static void mlxsw_sp_port_unsplit_create
+ }
+ }
+
++static struct mlxsw_sp_port *
++mlxsw_sp_port_get_by_local_port(struct mlxsw_sp *mlxsw_sp, u8 local_port)
++{
++ if (mlxsw_sp->ports && mlxsw_sp->ports[local_port])
++ return mlxsw_sp->ports[local_port];
++ return NULL;
++}
++
+ static int mlxsw_sp_port_split(struct mlxsw_core *mlxsw_core, u8 local_port,
+ unsigned int count,
+ struct netlink_ext_ack *extack)
+@@ -4058,7 +4068,7 @@ static int mlxsw_sp_port_split(struct ml
+ local_ports_in_1x = MLXSW_CORE_RES_GET(mlxsw_core, LOCAL_PORTS_IN_1X);
+ local_ports_in_2x = MLXSW_CORE_RES_GET(mlxsw_core, LOCAL_PORTS_IN_2X);
+
+- mlxsw_sp_port = mlxsw_sp->ports[local_port];
++ mlxsw_sp_port = mlxsw_sp_port_get_by_local_port(mlxsw_sp, local_port);
+ if (!mlxsw_sp_port) {
+ dev_err(mlxsw_sp->bus_info->dev, "Port number \"%d\" does not exist\n",
+ local_port);
+@@ -4136,7 +4146,7 @@ static int mlxsw_sp_port_unsplit(struct
+ local_ports_in_1x = MLXSW_CORE_RES_GET(mlxsw_core, LOCAL_PORTS_IN_1X);
+ local_ports_in_2x = MLXSW_CORE_RES_GET(mlxsw_core, LOCAL_PORTS_IN_2X);
+
+- mlxsw_sp_port = mlxsw_sp->ports[local_port];
++ mlxsw_sp_port = mlxsw_sp_port_get_by_local_port(mlxsw_sp, local_port);
+ if (!mlxsw_sp_port) {
+ dev_err(mlxsw_sp->bus_info->dev, "Port number \"%d\" does not exist\n",
+ local_port);
+--- a/drivers/net/ethernet/mellanox/mlxsw/switchx2.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/switchx2.c
+@@ -1258,6 +1258,7 @@ static void mlxsw_sx_ports_remove(struct
+ if (mlxsw_sx_port_created(mlxsw_sx, i))
+ mlxsw_sx_port_remove(mlxsw_sx, i);
+ kfree(mlxsw_sx->ports);
++ mlxsw_sx->ports = NULL;
+ }
+
+ static int mlxsw_sx_ports_create(struct mlxsw_sx *mlxsw_sx)
+@@ -1292,6 +1293,7 @@ err_port_module_info_get:
+ if (mlxsw_sx_port_created(mlxsw_sx, i))
+ mlxsw_sx_port_remove(mlxsw_sx, i);
+ kfree(mlxsw_sx->ports);
++ mlxsw_sx->ports = NULL;
+ return err;
+ }
+
+@@ -1375,6 +1377,12 @@ static int mlxsw_sx_port_type_set(struct
+ u8 module, width;
+ int err;
+
++ if (!mlxsw_sx->ports || !mlxsw_sx->ports[local_port]) {
++ dev_err(mlxsw_sx->bus_info->dev, "Port number \"%d\" does not exist\n",
++ local_port);
++ return -EINVAL;
++ }
++
+ if (new_type == DEVLINK_PORT_TYPE_AUTO)
+ return -EOPNOTSUPP;
+
--- /dev/null
+From febfd9d3c7f74063e8e630b15413ca91b567f963 Mon Sep 17 00:00:00 2001
+From: Qiushi Wu <wu000273@umn.edu>
+Date: Fri, 22 May 2020 14:07:15 -0500
+Subject: net/mlx4_core: fix a memory leak bug.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+commit febfd9d3c7f74063e8e630b15413ca91b567f963 upstream.
+
+In function mlx4_opreq_action(), pointer "mailbox" is not released,
+when mlx4_cmd_box() return and error, causing a memory leak bug.
+Fix this issue by going to "out" label, mlx4_free_cmd_mailbox() can
+free this pointer.
+
+Fixes: fe6f700d6cbb ("net/mlx4_core: Respond to operation request by firmware")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mellanox/mlx4/fw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/fw.c
++++ b/drivers/net/ethernet/mellanox/mlx4/fw.c
+@@ -2734,7 +2734,7 @@ void mlx4_opreq_action(struct work_struc
+ if (err) {
+ mlx4_err(dev, "Failed to retrieve required operation: %d\n",
+ err);
+- return;
++ goto out;
+ }
+ MLX4_GET(modifier, outbox, GET_OP_REQ_MODIFIER_OFFSET);
+ MLX4_GET(token, outbox, GET_OP_REQ_TOKEN_OFFSET);
--- /dev/null
+From 9ca415399dae133b00273a4283ef31d003a6818d Mon Sep 17 00:00:00 2001
+From: Roi Dayan <roid@mellanox.com>
+Date: Thu, 14 May 2020 23:44:38 +0300
+Subject: net/mlx5: Annotate mutex destroy for root ns
+
+From: Roi Dayan <roid@mellanox.com>
+
+commit 9ca415399dae133b00273a4283ef31d003a6818d upstream.
+
+Invoke mutex_destroy() to catch any errors.
+
+Fixes: 2cc43b494a6c ("net/mlx5_core: Managing root flow table")
+Signed-off-by: Roi Dayan <roid@mellanox.com>
+Reviewed-by: Mark Bloch <markb@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -417,6 +417,12 @@ static void del_sw_ns(struct fs_node *no
+
+ static void del_sw_prio(struct fs_node *node)
+ {
++ struct mlx5_flow_root_namespace *root_ns;
++ struct mlx5_flow_namespace *ns;
++
++ fs_get_obj(ns, node);
++ root_ns = container_of(ns, struct mlx5_flow_root_namespace, ns);
++ mutex_destroy(&root_ns->chain_lock);
+ kfree(node);
+ }
+
--- /dev/null
+From 5a730153984dd13f82ffae93d7170d76eba204e9 Mon Sep 17 00:00:00 2001
+From: Qiushi Wu <wu000273@umn.edu>
+Date: Fri, 22 May 2020 16:50:27 -0500
+Subject: net: sun: fix missing release regions in cas_init_one().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+commit 5a730153984dd13f82ffae93d7170d76eba204e9 upstream.
+
+In cas_init_one(), "pdev" is requested by "pci_request_regions", but it
+was not released after a call of the function “pci_write_config_byte”
+failed. Thus replace the jump target “err_write_cacheline” by
+"err_out_free_res".
+
+Fixes: 1f26dac32057 ("[NET]: Add Sun Cassini driver.")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/sun/cassini.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/sun/cassini.c
++++ b/drivers/net/ethernet/sun/cassini.c
+@@ -4971,7 +4971,7 @@ static int cas_init_one(struct pci_dev *
+ cas_cacheline_size)) {
+ dev_err(&pdev->dev, "Could not set PCI cache "
+ "line size\n");
+- goto err_write_cacheline;
++ goto err_out_free_res;
+ }
+ }
+ #endif
+@@ -5144,7 +5144,6 @@ err_out_iounmap:
+ err_out_free_res:
+ pci_release_regions(pdev);
+
+-err_write_cacheline:
+ /* Try to restore it in case the error occurred after we
+ * set it.
+ */
--- /dev/null
+From a7bff11f6f9afa87c25711db8050c9b5324db0e2 Mon Sep 17 00:00:00 2001
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+Date: Wed, 20 May 2020 11:41:43 +0300
+Subject: net/tls: fix encryption error checking
+
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+
+commit a7bff11f6f9afa87c25711db8050c9b5324db0e2 upstream.
+
+bpf_exec_tx_verdict() can return negative value for copied
+variable. In that case this value will be pushed back to caller
+and the real error code will be lost. Fix it using signed type and
+checking for positive value.
+
+Fixes: d10523d0b3d7 ("net/tls: free the record on encryption error")
+Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
+Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tls/tls_sw.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -781,7 +781,7 @@ static int tls_push_record(struct sock *
+
+ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ bool full_record, u8 record_type,
+- size_t *copied, int flags)
++ ssize_t *copied, int flags)
+ {
+ struct tls_context *tls_ctx = tls_get_ctx(sk);
+ struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
+@@ -917,7 +917,8 @@ int tls_sw_sendmsg(struct sock *sk, stru
+ unsigned char record_type = TLS_RECORD_TYPE_DATA;
+ bool is_kvec = iov_iter_is_kvec(&msg->msg_iter);
+ bool eor = !(msg->msg_flags & MSG_MORE);
+- size_t try_to_copy, copied = 0;
++ size_t try_to_copy;
++ ssize_t copied = 0;
+ struct sk_msg *msg_pl, *msg_en;
+ struct tls_rec *rec;
+ int required_size;
+@@ -1126,7 +1127,7 @@ send_end:
+
+ release_sock(sk);
+ mutex_unlock(&tls_ctx->tx_lock);
+- return copied ? copied : ret;
++ return copied > 0 ? copied : ret;
+ }
+
+ static int tls_sw_do_sendpage(struct sock *sk, struct page *page,
+@@ -1140,7 +1141,7 @@ static int tls_sw_do_sendpage(struct soc
+ struct sk_msg *msg_pl;
+ struct tls_rec *rec;
+ int num_async = 0;
+- size_t copied = 0;
++ ssize_t copied = 0;
+ bool full_record;
+ int record_room;
+ int ret = 0;
+@@ -1242,7 +1243,7 @@ wait_for_memory:
+ }
+ sendpage_end:
+ ret = sk_stream_error(sk, flags, ret);
+- return copied ? copied : ret;
++ return copied > 0 ? copied : ret;
+ }
+
+ int tls_sw_sendpage_locked(struct sock *sk, struct page *page,
--- /dev/null
+From 635d9398178659d8ddba79dd061f9451cec0b4d1 Mon Sep 17 00:00:00 2001
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+Date: Wed, 20 May 2020 11:41:44 +0300
+Subject: net/tls: free record only on encryption error
+
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+
+commit 635d9398178659d8ddba79dd061f9451cec0b4d1 upstream.
+
+We cannot free record on any transient error because it leads to
+losing previos data. Check socket error to know whether record must
+be freed or not.
+
+Fixes: d10523d0b3d7 ("net/tls: free the record on encryption error")
+Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tls/tls_sw.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -797,9 +797,10 @@ static int bpf_exec_tx_verdict(struct sk
+ psock = sk_psock_get(sk);
+ if (!psock || !policy) {
+ err = tls_push_record(sk, flags, record_type);
+- if (err && err != -EINPROGRESS) {
++ if (err && sk->sk_err == EBADMSG) {
+ *copied -= sk_msg_free(sk, msg);
+ tls_free_open_rec(sk);
++ err = -sk->sk_err;
+ }
+ if (psock)
+ sk_psock_put(sk, psock);
+@@ -825,9 +826,10 @@ more_data:
+ switch (psock->eval) {
+ case __SK_PASS:
+ err = tls_push_record(sk, flags, record_type);
+- if (err && err != -EINPROGRESS) {
++ if (err && sk->sk_err == EBADMSG) {
+ *copied -= sk_msg_free(sk, msg);
+ tls_free_open_rec(sk);
++ err = -sk->sk_err;
+ goto out_err;
+ }
+ break;
net-mlx5-fix-memory-leak-in-mlx5_events_init.patch
net-mlx5e-update-netdev-txq-on-completions-during-closure.patch
net-mlx5-fix-error-flow-in-case-of-function_setup-failure.patch
+net-mlx5-annotate-mutex-destroy-for-root-ns.patch
+net-tls-fix-encryption-error-checking.patch
+net-tls-free-record-only-on-encryption-error.patch
+net-sun-fix-missing-release-regions-in-cas_init_one.patch
+net-mlx4_core-fix-a-memory-leak-bug.patch
+mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
