--- /dev/null
+From 4340f42f207eacb81e7a6b6bb1e3b6afad9a2e26 Mon Sep 17 00:00:00 2001
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Thu, 21 May 2020 15:11:44 +0300
+Subject: mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+commit 4340f42f207eacb81e7a6b6bb1e3b6afad9a2e26 upstream.
+
+In case of reload fail, the mlxsw_sp->ports contains a pointer to a
+freed memory (either by reload_down() or reload_up() error path).
+Fix this by initializing the pointer to NULL and checking it before
+dereferencing in split/unsplit/type_set callpaths.
+
+Fixes: 24cc68ad6c46 ("mlxsw: core: Add support for reload")
+Reported-by: Danielle Ratson <danieller@mellanox.com>
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 14 ++++++++++++--
+ drivers/net/ethernet/mellanox/mlxsw/switchx2.c | 8 ++++++++
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -4043,6 +4043,7 @@ static void mlxsw_sp_ports_remove(struct
+ mlxsw_sp_port_remove(mlxsw_sp, i);
+ mlxsw_sp_cpu_port_remove(mlxsw_sp);
+ kfree(mlxsw_sp->ports);
++ mlxsw_sp->ports = NULL;
+ }
+
+ static int mlxsw_sp_ports_create(struct mlxsw_sp *mlxsw_sp)
+@@ -4079,6 +4080,7 @@ err_port_create:
+ mlxsw_sp_cpu_port_remove(mlxsw_sp);
+ err_cpu_port_create:
+ kfree(mlxsw_sp->ports);
++ mlxsw_sp->ports = NULL;
+ return err;
+ }
+
+@@ -4200,6 +4202,14 @@ static int mlxsw_sp_local_ports_offset(s
+ return mlxsw_core_res_get(mlxsw_core, local_ports_in_x_res_id);
+ }
+
++static struct mlxsw_sp_port *
++mlxsw_sp_port_get_by_local_port(struct mlxsw_sp *mlxsw_sp, u8 local_port)
++{
++ if (mlxsw_sp->ports && mlxsw_sp->ports[local_port])
++ return mlxsw_sp->ports[local_port];
++ return NULL;
++}
++
+ static int mlxsw_sp_port_split(struct mlxsw_core *mlxsw_core, u8 local_port,
+ unsigned int count,
+ struct netlink_ext_ack *extack)
+@@ -4213,7 +4223,7 @@ static int mlxsw_sp_port_split(struct ml
+ int i;
+ int err;
+
+- mlxsw_sp_port = mlxsw_sp->ports[local_port];
++ mlxsw_sp_port = mlxsw_sp_port_get_by_local_port(mlxsw_sp, local_port);
+ if (!mlxsw_sp_port) {
+ dev_err(mlxsw_sp->bus_info->dev, "Port number \"%d\" does not exist\n",
+ local_port);
+@@ -4308,7 +4318,7 @@ static int mlxsw_sp_port_unsplit(struct
+ int offset;
+ int i;
+
+- mlxsw_sp_port = mlxsw_sp->ports[local_port];
++ mlxsw_sp_port = mlxsw_sp_port_get_by_local_port(mlxsw_sp, local_port);
+ if (!mlxsw_sp_port) {
+ dev_err(mlxsw_sp->bus_info->dev, "Port number \"%d\" does not exist\n",
+ local_port);
+--- a/drivers/net/ethernet/mellanox/mlxsw/switchx2.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/switchx2.c
+@@ -1259,6 +1259,7 @@ static void mlxsw_sx_ports_remove(struct
+ if (mlxsw_sx_port_created(mlxsw_sx, i))
+ mlxsw_sx_port_remove(mlxsw_sx, i);
+ kfree(mlxsw_sx->ports);
++ mlxsw_sx->ports = NULL;
+ }
+
+ static int mlxsw_sx_ports_create(struct mlxsw_sx *mlxsw_sx)
+@@ -1293,6 +1294,7 @@ err_port_module_info_get:
+ if (mlxsw_sx_port_created(mlxsw_sx, i))
+ mlxsw_sx_port_remove(mlxsw_sx, i);
+ kfree(mlxsw_sx->ports);
++ mlxsw_sx->ports = NULL;
+ return err;
+ }
+
+@@ -1376,6 +1378,12 @@ static int mlxsw_sx_port_type_set(struct
+ u8 module, width;
+ int err;
+
++ if (!mlxsw_sx->ports || !mlxsw_sx->ports[local_port]) {
++ dev_err(mlxsw_sx->bus_info->dev, "Port number \"%d\" does not exist\n",
++ local_port);
++ return -EINVAL;
++ }
++
+ if (new_type == DEVLINK_PORT_TYPE_AUTO)
+ return -EOPNOTSUPP;
+
--- /dev/null
+From febfd9d3c7f74063e8e630b15413ca91b567f963 Mon Sep 17 00:00:00 2001
+From: Qiushi Wu <wu000273@umn.edu>
+Date: Fri, 22 May 2020 14:07:15 -0500
+Subject: net/mlx4_core: fix a memory leak bug.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+commit febfd9d3c7f74063e8e630b15413ca91b567f963 upstream.
+
+In function mlx4_opreq_action(), pointer "mailbox" is not released,
+when mlx4_cmd_box() return and error, causing a memory leak bug.
+Fix this issue by going to "out" label, mlx4_free_cmd_mailbox() can
+free this pointer.
+
+Fixes: fe6f700d6cbb ("net/mlx4_core: Respond to operation request by firmware")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mellanox/mlx4/fw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/fw.c
++++ b/drivers/net/ethernet/mellanox/mlx4/fw.c
+@@ -2734,7 +2734,7 @@ void mlx4_opreq_action(struct work_struc
+ if (err) {
+ mlx4_err(dev, "Failed to retrieve required operation: %d\n",
+ err);
+- return;
++ goto out;
+ }
+ MLX4_GET(modifier, outbox, GET_OP_REQ_MODIFIER_OFFSET);
+ MLX4_GET(token, outbox, GET_OP_REQ_TOKEN_OFFSET);
--- /dev/null
+From 9ca415399dae133b00273a4283ef31d003a6818d Mon Sep 17 00:00:00 2001
+From: Roi Dayan <roid@mellanox.com>
+Date: Thu, 14 May 2020 23:44:38 +0300
+Subject: net/mlx5: Annotate mutex destroy for root ns
+
+From: Roi Dayan <roid@mellanox.com>
+
+commit 9ca415399dae133b00273a4283ef31d003a6818d upstream.
+
+Invoke mutex_destroy() to catch any errors.
+
+Fixes: 2cc43b494a6c ("net/mlx5_core: Managing root flow table")
+Signed-off-by: Roi Dayan <roid@mellanox.com>
+Reviewed-by: Mark Bloch <markb@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -416,6 +416,12 @@ static void del_sw_ns(struct fs_node *no
+
+ static void del_sw_prio(struct fs_node *node)
+ {
++ struct mlx5_flow_root_namespace *root_ns;
++ struct mlx5_flow_namespace *ns;
++
++ fs_get_obj(ns, node);
++ root_ns = container_of(ns, struct mlx5_flow_root_namespace, ns);
++ mutex_destroy(&root_ns->chain_lock);
+ kfree(node);
+ }
+
--- /dev/null
+From f7936ddd35d8b849daf0372770c7c9dbe7910fca Mon Sep 17 00:00:00 2001
+From: Eran Ben Elisha <eranbe@mellanox.com>
+Date: Thu, 19 Mar 2020 21:43:13 +0200
+Subject: net/mlx5: Avoid processing commands before cmdif is ready
+
+From: Eran Ben Elisha <eranbe@mellanox.com>
+
+commit f7936ddd35d8b849daf0372770c7c9dbe7910fca upstream.
+
+When driver is reloading during recovery flow, it can't get new commands
+till command interface is up again. Otherwise we may get to null pointer
+trying to access non initialized command structures.
+
+Add cmdif state to avoid processing commands while cmdif is not ready.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 10 ++++++++++
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 4 ++++
+ include/linux/mlx5/driver.h | 9 +++++++++
+ 3 files changed, 23 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -923,6 +923,7 @@ static void cmd_work_handler(struct work
+ /* Skip sending command to fw if internal error */
+ if (pci_channel_offline(dev->pdev) ||
+ dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR ||
++ cmd->state != MLX5_CMDIF_STATE_UP ||
+ !opcode_allowed(&dev->cmd, ent->op)) {
+ u8 status = 0;
+ u32 drv_synd;
+@@ -1712,6 +1713,7 @@ static int cmd_exec(struct mlx5_core_dev
+ opcode = MLX5_GET(mbox_in, in, opcode);
+ if (pci_channel_offline(dev->pdev) ||
+ dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR ||
++ dev->cmd.state != MLX5_CMDIF_STATE_UP ||
+ !opcode_allowed(&dev->cmd, opcode)) {
+ err = mlx5_internal_err_ret_value(dev, opcode, &drv_synd, &status);
+ MLX5_SET(mbox_out, out, status, status);
+@@ -1977,6 +1979,7 @@ int mlx5_cmd_init(struct mlx5_core_dev *
+ goto err_free_page;
+ }
+
++ cmd->state = MLX5_CMDIF_STATE_DOWN;
+ cmd->checksum_disabled = 1;
+ cmd->max_reg_cmds = (1 << cmd->log_sz) - 1;
+ cmd->bitmask = (1UL << cmd->max_reg_cmds) - 1;
+@@ -2054,3 +2057,10 @@ void mlx5_cmd_cleanup(struct mlx5_core_d
+ dma_pool_destroy(cmd->pool);
+ }
+ EXPORT_SYMBOL(mlx5_cmd_cleanup);
++
++void mlx5_cmd_set_state(struct mlx5_core_dev *dev,
++ enum mlx5_cmdif_state cmdif_state)
++{
++ dev->cmd.state = cmdif_state;
++}
++EXPORT_SYMBOL(mlx5_cmd_set_state);
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -962,6 +962,8 @@ static int mlx5_function_setup(struct ml
+ goto err_cmd_cleanup;
+ }
+
++ mlx5_cmd_set_state(dev, MLX5_CMDIF_STATE_UP);
++
+ err = mlx5_core_enable_hca(dev, 0);
+ if (err) {
+ mlx5_core_err(dev, "enable hca failed\n");
+@@ -1023,6 +1025,7 @@ reclaim_boot_pages:
+ err_disable_hca:
+ mlx5_core_disable_hca(dev, 0);
+ err_cmd_cleanup:
++ mlx5_cmd_set_state(dev, MLX5_CMDIF_STATE_DOWN);
+ mlx5_cmd_cleanup(dev);
+
+ return err;
+@@ -1040,6 +1043,7 @@ static int mlx5_function_teardown(struct
+ }
+ mlx5_reclaim_startup_pages(dev);
+ mlx5_core_disable_hca(dev, 0);
++ mlx5_cmd_set_state(dev, MLX5_CMDIF_STATE_DOWN);
+ mlx5_cmd_cleanup(dev);
+
+ return 0;
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -230,6 +230,12 @@ struct mlx5_bfreg_info {
+ u32 num_dyn_bfregs;
+ };
+
++enum mlx5_cmdif_state {
++ MLX5_CMDIF_STATE_UNINITIALIZED,
++ MLX5_CMDIF_STATE_UP,
++ MLX5_CMDIF_STATE_DOWN,
++};
++
+ struct mlx5_cmd_first {
+ __be32 data[4];
+ };
+@@ -275,6 +281,7 @@ struct mlx5_cmd_stats {
+ struct mlx5_cmd {
+ struct mlx5_nb nb;
+
++ enum mlx5_cmdif_state state;
+ void *cmd_alloc_buf;
+ dma_addr_t alloc_dma;
+ int alloc_size;
+@@ -900,6 +907,8 @@ enum {
+
+ int mlx5_cmd_init(struct mlx5_core_dev *dev);
+ void mlx5_cmd_cleanup(struct mlx5_core_dev *dev);
++void mlx5_cmd_set_state(struct mlx5_core_dev *dev,
++ enum mlx5_cmdif_state cmdif_state);
+ void mlx5_cmd_use_events(struct mlx5_core_dev *dev);
+ void mlx5_cmd_use_polling(struct mlx5_core_dev *dev);
+ void mlx5_cmd_allowed_opcode(struct mlx5_core_dev *dev, u16 opcode);
--- /dev/null
+From bf655ba212dfd10d1c86afeee3f3372dbd731d46 Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Fri, 22 May 2020 00:31:23 +0300
+Subject: net: mscc: ocelot: fix address ageing time (again)
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit bf655ba212dfd10d1c86afeee3f3372dbd731d46 upstream.
+
+ocelot_set_ageing_time has 2 callers:
+ - felix_set_ageing_time: from drivers/net/dsa/ocelot/felix.c
+ - ocelot_port_attr_ageing_set: from drivers/net/ethernet/mscc/ocelot.c
+
+The issue described in the fixed commit below actually happened for the
+felix_set_ageing_time code path only, since ocelot_port_attr_ageing_set
+was already dividing by 1000. So to make both paths symmetrical (and to
+fix addresses getting aged way too fast on Ocelot), stop dividing by
+1000 at caller side altogether.
+
+Fixes: c0d7eccbc761 ("net: mscc: ocelot: ANA_AUTOAGE_AGE_PERIOD holds a value in seconds, not ms")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mscc/ocelot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -1460,7 +1460,7 @@ static void ocelot_port_attr_ageing_set(
+ unsigned long ageing_clock_t)
+ {
+ unsigned long ageing_jiffies = clock_t_to_jiffies(ageing_clock_t);
+- u32 ageing_time = jiffies_to_msecs(ageing_jiffies) / 1000;
++ u32 ageing_time = jiffies_to_msecs(ageing_jiffies);
+
+ ocelot_set_ageing_time(ocelot, ageing_time);
+ }
--- /dev/null
+From a7654211d0ffeaa8eb0545ea00f8445242cbce05 Mon Sep 17 00:00:00 2001
+From: Tang Bin <tangbin@cmss.chinamobile.com>
+Date: Wed, 20 May 2020 17:55:32 +0800
+Subject: net: sgi: ioc3-eth: Fix return value check in ioc3eth_probe()
+
+From: Tang Bin <tangbin@cmss.chinamobile.com>
+
+commit a7654211d0ffeaa8eb0545ea00f8445242cbce05 upstream.
+
+In the function devm_platform_ioremap_resource(), if get resource
+failed, the return value is ERR_PTR() not NULL. Thus it must be
+replaced by IS_ERR(), or else it may result in crashes if a critical
+error path is encountered.
+
+Fixes: 0ce5ebd24d25 ("mfd: ioc3: Add driver for SGI IOC3 chip")
+Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
+Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/sgi/ioc3-eth.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/sgi/ioc3-eth.c
++++ b/drivers/net/ethernet/sgi/ioc3-eth.c
+@@ -865,14 +865,14 @@ static int ioc3eth_probe(struct platform
+ ip = netdev_priv(dev);
+ ip->dma_dev = pdev->dev.parent;
+ ip->regs = devm_platform_ioremap_resource(pdev, 0);
+- if (!ip->regs) {
+- err = -ENOMEM;
++ if (IS_ERR(ip->regs)) {
++ err = PTR_ERR(ip->regs);
+ goto out_free;
+ }
+
+ ip->ssram = devm_platform_ioremap_resource(pdev, 1);
+- if (!ip->ssram) {
+- err = -ENOMEM;
++ if (IS_ERR(ip->ssram)) {
++ err = PTR_ERR(ip->ssram);
+ goto out_free;
+ }
+
--- /dev/null
+From 5a730153984dd13f82ffae93d7170d76eba204e9 Mon Sep 17 00:00:00 2001
+From: Qiushi Wu <wu000273@umn.edu>
+Date: Fri, 22 May 2020 16:50:27 -0500
+Subject: net: sun: fix missing release regions in cas_init_one().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+commit 5a730153984dd13f82ffae93d7170d76eba204e9 upstream.
+
+In cas_init_one(), "pdev" is requested by "pci_request_regions", but it
+was not released after a call of the function “pci_write_config_byte”
+failed. Thus replace the jump target “err_write_cacheline” by
+"err_out_free_res".
+
+Fixes: 1f26dac32057 ("[NET]: Add Sun Cassini driver.")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/sun/cassini.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/sun/cassini.c
++++ b/drivers/net/ethernet/sun/cassini.c
+@@ -4971,7 +4971,7 @@ static int cas_init_one(struct pci_dev *
+ cas_cacheline_size)) {
+ dev_err(&pdev->dev, "Could not set PCI cache "
+ "line size\n");
+- goto err_write_cacheline;
++ goto err_out_free_res;
+ }
+ }
+ #endif
+@@ -5144,7 +5144,6 @@ err_out_iounmap:
+ err_out_free_res:
+ pci_release_regions(pdev);
+
+-err_write_cacheline:
+ /* Try to restore it in case the error occurred after we
+ * set it.
+ */
--- /dev/null
+From a7bff11f6f9afa87c25711db8050c9b5324db0e2 Mon Sep 17 00:00:00 2001
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+Date: Wed, 20 May 2020 11:41:43 +0300
+Subject: net/tls: fix encryption error checking
+
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+
+commit a7bff11f6f9afa87c25711db8050c9b5324db0e2 upstream.
+
+bpf_exec_tx_verdict() can return negative value for copied
+variable. In that case this value will be pushed back to caller
+and the real error code will be lost. Fix it using signed type and
+checking for positive value.
+
+Fixes: d10523d0b3d7 ("net/tls: free the record on encryption error")
+Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
+Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tls/tls_sw.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -784,7 +784,7 @@ static int tls_push_record(struct sock *
+
+ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ bool full_record, u8 record_type,
+- size_t *copied, int flags)
++ ssize_t *copied, int flags)
+ {
+ struct tls_context *tls_ctx = tls_get_ctx(sk);
+ struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
+@@ -920,7 +920,8 @@ int tls_sw_sendmsg(struct sock *sk, stru
+ unsigned char record_type = TLS_RECORD_TYPE_DATA;
+ bool is_kvec = iov_iter_is_kvec(&msg->msg_iter);
+ bool eor = !(msg->msg_flags & MSG_MORE);
+- size_t try_to_copy, copied = 0;
++ size_t try_to_copy;
++ ssize_t copied = 0;
+ struct sk_msg *msg_pl, *msg_en;
+ struct tls_rec *rec;
+ int required_size;
+@@ -1129,7 +1130,7 @@ send_end:
+
+ release_sock(sk);
+ mutex_unlock(&tls_ctx->tx_lock);
+- return copied ? copied : ret;
++ return copied > 0 ? copied : ret;
+ }
+
+ static int tls_sw_do_sendpage(struct sock *sk, struct page *page,
+@@ -1143,7 +1144,7 @@ static int tls_sw_do_sendpage(struct soc
+ struct sk_msg *msg_pl;
+ struct tls_rec *rec;
+ int num_async = 0;
+- size_t copied = 0;
++ ssize_t copied = 0;
+ bool full_record;
+ int record_room;
+ int ret = 0;
+@@ -1245,7 +1246,7 @@ wait_for_memory:
+ }
+ sendpage_end:
+ ret = sk_stream_error(sk, flags, ret);
+- return copied ? copied : ret;
++ return copied > 0 ? copied : ret;
+ }
+
+ int tls_sw_sendpage_locked(struct sock *sk, struct page *page,
--- /dev/null
+From 635d9398178659d8ddba79dd061f9451cec0b4d1 Mon Sep 17 00:00:00 2001
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+Date: Wed, 20 May 2020 11:41:44 +0300
+Subject: net/tls: free record only on encryption error
+
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+
+commit 635d9398178659d8ddba79dd061f9451cec0b4d1 upstream.
+
+We cannot free record on any transient error because it leads to
+losing previos data. Check socket error to know whether record must
+be freed or not.
+
+Fixes: d10523d0b3d7 ("net/tls: free the record on encryption error")
+Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tls/tls_sw.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -800,9 +800,10 @@ static int bpf_exec_tx_verdict(struct sk
+ psock = sk_psock_get(sk);
+ if (!psock || !policy) {
+ err = tls_push_record(sk, flags, record_type);
+- if (err && err != -EINPROGRESS) {
++ if (err && sk->sk_err == EBADMSG) {
+ *copied -= sk_msg_free(sk, msg);
+ tls_free_open_rec(sk);
++ err = -sk->sk_err;
+ }
+ if (psock)
+ sk_psock_put(sk, psock);
+@@ -828,9 +829,10 @@ more_data:
+ switch (psock->eval) {
+ case __SK_PASS:
+ err = tls_push_record(sk, flags, record_type);
+- if (err && err != -EINPROGRESS) {
++ if (err && sk->sk_err == EBADMSG) {
+ *copied -= sk_msg_free(sk, msg);
+ tls_free_open_rec(sk);
++ err = -sk->sk_err;
+ goto out_err;
+ }
+ break;
net-mlx5-fix-a-race-when-moving-command-interface-to-events-mode.patch
net-mlx5-fix-cleaning-unmanaged-flow-tables.patch
revert-virtio-balloon-revert-virtio-balloon-switch-back-to-oom-handler-for-virtio_balloon_f_deflate_on_oom.patch
+net-mlx5-avoid-processing-commands-before-cmdif-is-ready.patch
+net-mlx5-annotate-mutex-destroy-for-root-ns.patch
+net-tls-fix-encryption-error-checking.patch
+net-tls-free-record-only-on-encryption-error.patch
+net-sun-fix-missing-release-regions-in-cas_init_one.patch
+net-mlx4_core-fix-a-memory-leak-bug.patch
+net-sgi-ioc3-eth-fix-return-value-check-in-ioc3eth_probe.patch
+mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch
+net-mscc-ocelot-fix-address-ageing-time-again.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
