From: Greg Kroah-Hartman Date: Sat, 30 Jul 2022 15:37:18 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.209~42 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8185f29320cce63ca43a539e35396212a9906086;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: net-tls-remove-the-context-from-the-list-in-tls_device_down.patch
---
diff --git a/queue-5.10/net-tls-remove-the-context-from-the-list-in-tls_device_down.patch b/queue-5.10/net-tls-remove-the-context-from-the-list-in-tls_device_down.patch
new file mode 100644
index 00000000000..4af9b3338cc
--- /dev/null
+++ b/queue-5.10/net-tls-remove-the-context-from-the-list-in-tls_device_down.patch
@@ -0,0 +1,46 @@
+From f6336724a4d4220c89a4ec38bca84b03b178b1a3 Mon Sep 17 00:00:00 2001
+From: Maxim Mikityanskiy
+Date: Thu, 21 Jul 2022 12:11:27 +0300
+Subject: net/tls: Remove the context from the list in tls_device_down
+
+From: Maxim Mikityanskiy
+
+commit f6336724a4d4220c89a4ec38bca84b03b178b1a3 upstream.
+
+tls_device_down takes a reference on all contexts it's going to move to
+the degraded state (software fallback). If sk_destruct runs afterwards,
+it can reduce the reference counter back to 1 and return early without
+destroying the context. Then tls_device_down will release the reference
+it took and call tls_device_free_ctx. However, the context will still
+stay in tls_device_down_list forever. The list will contain an item,
+memory for which is released, making a memory corruption possible.
+
+Fix the above bug by properly removing the context from all lists before
+any call to tls_device_free_ctx.
+
+Fixes: 3740651bf7e2 ("tls: Fix context leak on tls_device_down")
+Signed-off-by: Maxim Mikityanskiy
+Reviewed-by: Tariq Toukan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tls/tls_device.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -1349,8 +1349,13 @@ static int tls_device_down(struct net_de
+ * by tls_device_free_ctx. rx_conf and tx_conf stay in TLS_HW.
+ * Now release the ref taken above.
+ */
+- if (refcount_dec_and_test(&ctx->refcount))
++ if (refcount_dec_and_test(&ctx->refcount)) {
++ /* sk_destruct ran after tls_device_down took a ref, and
++ * it returned early. Complete the destruction here.
++ */
++ list_del(&ctx->list);
+ tls_device_free_ctx(ctx);
++ }
+ }
+
+ up_write(&device_offload_lock);
diff --git a/queue-5.10/series b/queue-5.10/series
index 359b16ee59d..87585babae7 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
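Review bot: The added `list_del(&ctx->list)` in tls_device_down unlinks the context without any visible list lock; the only lock this hunk shows is `device_offload_lock`, released by `up_write()` after the loop. The new comment itself says sk_destruct can run concurrently with this loop, so if the destruct path of another socket edits the same list under a separate spinlock (upstream tls_device.c has `tls_device_lock`, not visible here), an unlocked unlink could corrupt neighbouring entries, which is the class of bug this patch fixes. Either take that lock around the `list_del`, or extend the comment with the invariant that makes it unnecessary, for example `/* device_offload_lock is held for write, which excludes every other writer of this list */` if that is true. The loop body starts above the hunk, so the locking context has to be confirmed against the full function in the 5.10 tree.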
@@ -20,3 +20,4 @@ tcp-fix-a-data-race-around-sysctl_tcp_limit_output_bytes.patch
 tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch
 net-ping6-fix-memleak-in-ipv6_renew_options.patch
 ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch
+net-tls-remove-the-context-from-the-list-in-tls_device_down.patch