From: Greg Kroah-Hartman Date: Fri, 29 May 2020 09:35:34 +0000 (+0200) Subject: 5.6-stable patches X-Git-Tag: v4.4.226~55 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f1655891707c0a62412255ca8aa4de720211e421;p=thirdparty%2Fkernel%2Fstable-queue.git 5.6-stable patches added patches: mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch net-mlx4_core-fix-a-memory-leak-bug.patch net-mlx5-annotate-mutex-destroy-for-root-ns.patch net-mlx5-avoid-processing-commands-before-cmdif-is-ready.patch net-mscc-ocelot-fix-address-ageing-time-again.patch net-sgi-ioc3-eth-fix-return-value-check-in-ioc3eth_probe.patch net-sun-fix-missing-release-regions-in-cas_init_one.patch net-tls-fix-encryption-error-checking.patch net-tls-free-record-only-on-encryption-error.patch --- diff --git a/queue-5.6/mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch b/queue-5.6/mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch new file mode 100644 index 00000000000..e160f22dd1f --- /dev/null +++ b/queue-5.6/mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch @@ -0,0 +1,108 @@ +From 4340f42f207eacb81e7a6b6bb1e3b6afad9a2e26 Mon Sep 17 00:00:00 2001 +From: Jiri Pirko +Date: Thu, 21 May 2020 15:11:44 +0300 +Subject: mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails + +From: Jiri Pirko + +commit 4340f42f207eacb81e7a6b6bb1e3b6afad9a2e26 upstream. + +In case of reload fail, the mlxsw_sp->ports contains a pointer to a +freed memory (either by reload_down() or reload_up() error path). +Fix this by initializing the pointer to NULL and checking it before +dereferencing in split/unsplit/type_set callpaths. + +Fixes: 24cc68ad6c46 ("mlxsw: core: Add support for reload") +Reported-by: Danielle Ratson +Signed-off-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 14 ++++++++++++-- + drivers/net/ethernet/mellanox/mlxsw/switchx2.c | 8 ++++++++ + 2 files changed, 20 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +@@ -4043,6 +4043,7 @@ static void mlxsw_sp_ports_remove(struct + mlxsw_sp_port_remove(mlxsw_sp, i); + mlxsw_sp_cpu_port_remove(mlxsw_sp); + kfree(mlxsw_sp->ports); ++ mlxsw_sp->ports = NULL; + } + + static int mlxsw_sp_ports_create(struct mlxsw_sp *mlxsw_sp) +@@ -4079,6 +4080,7 @@ err_port_create: + mlxsw_sp_cpu_port_remove(mlxsw_sp); + err_cpu_port_create: + kfree(mlxsw_sp->ports); ++ mlxsw_sp->ports = NULL; + return err; + } + +@@ -4200,6 +4202,14 @@ static int mlxsw_sp_local_ports_offset(s + return mlxsw_core_res_get(mlxsw_core, local_ports_in_x_res_id); + } + ++static struct mlxsw_sp_port * ++mlxsw_sp_port_get_by_local_port(struct mlxsw_sp *mlxsw_sp, u8 local_port) ++{ ++ if (mlxsw_sp->ports && mlxsw_sp->ports[local_port]) ++ return mlxsw_sp->ports[local_port]; ++ return NULL; ++} ++ + static int mlxsw_sp_port_split(struct mlxsw_core *mlxsw_core, u8 local_port, + unsigned int count, + struct netlink_ext_ack *extack) +@@ -4213,7 +4223,7 @@ static int mlxsw_sp_port_split(struct ml + int i; + int err; + +- mlxsw_sp_port = mlxsw_sp->ports[local_port]; ++ mlxsw_sp_port = mlxsw_sp_port_get_by_local_port(mlxsw_sp, local_port); + if (!mlxsw_sp_port) { + dev_err(mlxsw_sp->bus_info->dev, "Port number \"%d\" does not exist\n", + local_port); +@@ -4308,7 +4318,7 @@ static int mlxsw_sp_port_unsplit(struct + int offset; + int i; + +- mlxsw_sp_port = mlxsw_sp->ports[local_port]; ++ mlxsw_sp_port = mlxsw_sp_port_get_by_local_port(mlxsw_sp, local_port); + if (!mlxsw_sp_port) { + dev_err(mlxsw_sp->bus_info->dev, "Port number \"%d\" does not exist\n", + local_port); +--- a/drivers/net/ethernet/mellanox/mlxsw/switchx2.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/switchx2.c +@@ -1259,6 +1259,7 @@ static void mlxsw_sx_ports_remove(struct + if (mlxsw_sx_port_created(mlxsw_sx, i)) + mlxsw_sx_port_remove(mlxsw_sx, i); + kfree(mlxsw_sx->ports); ++ mlxsw_sx->ports = NULL; + } + + static int mlxsw_sx_ports_create(struct mlxsw_sx *mlxsw_sx) +@@ -1293,6 +1294,7 @@ err_port_module_info_get: + if (mlxsw_sx_port_created(mlxsw_sx, i)) + mlxsw_sx_port_remove(mlxsw_sx, i); + kfree(mlxsw_sx->ports); ++ mlxsw_sx->ports = NULL; + return err; + } + +@@ -1376,6 +1378,12 @@ static int mlxsw_sx_port_type_set(struct + u8 module, width; + int err; + ++ if (!mlxsw_sx->ports || !mlxsw_sx->ports[local_port]) { ++ dev_err(mlxsw_sx->bus_info->dev, "Port number \"%d\" does not exist\n", ++ local_port); ++ return -EINVAL; ++ } ++ + if (new_type == DEVLINK_PORT_TYPE_AUTO) + return -EOPNOTSUPP; + diff --git a/queue-5.6/net-mlx4_core-fix-a-memory-leak-bug.patch b/queue-5.6/net-mlx4_core-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..a19464684a5 --- /dev/null +++ b/queue-5.6/net-mlx4_core-fix-a-memory-leak-bug.patch @@ -0,0 +1,34 @@ +From febfd9d3c7f74063e8e630b15413ca91b567f963 Mon Sep 17 00:00:00 2001 +From: Qiushi Wu +Date: Fri, 22 May 2020 14:07:15 -0500 +Subject: net/mlx4_core: fix a memory leak bug. + +From: Qiushi Wu + +commit febfd9d3c7f74063e8e630b15413ca91b567f963 upstream. + +In function mlx4_opreq_action(), pointer "mailbox" is not released, +when mlx4_cmd_box() return and error, causing a memory leak bug. +Fix this issue by going to "out" label, mlx4_free_cmd_mailbox() can +free this pointer. + +Fixes: fe6f700d6cbb ("net/mlx4_core: Respond to operation request by firmware") +Signed-off-by: Qiushi Wu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx4/fw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/fw.c ++++ b/drivers/net/ethernet/mellanox/mlx4/fw.c +@@ -2734,7 +2734,7 @@ void mlx4_opreq_action(struct work_struc + if (err) { + mlx4_err(dev, "Failed to retrieve required operation: %d\n", + err); +- return; ++ goto out; + } + MLX4_GET(modifier, outbox, GET_OP_REQ_MODIFIER_OFFSET); + MLX4_GET(token, outbox, GET_OP_REQ_TOKEN_OFFSET); diff --git a/queue-5.6/net-mlx5-annotate-mutex-destroy-for-root-ns.patch b/queue-5.6/net-mlx5-annotate-mutex-destroy-for-root-ns.patch new file mode 100644 index 00000000000..c21fa54c767 --- /dev/null +++ b/queue-5.6/net-mlx5-annotate-mutex-destroy-for-root-ns.patch @@ -0,0 +1,36 @@ +From 9ca415399dae133b00273a4283ef31d003a6818d Mon Sep 17 00:00:00 2001 +From: Roi Dayan +Date: Thu, 14 May 2020 23:44:38 +0300 +Subject: net/mlx5: Annotate mutex destroy for root ns + +From: Roi Dayan + +commit 9ca415399dae133b00273a4283ef31d003a6818d upstream. + +Invoke mutex_destroy() to catch any errors. + +Fixes: 2cc43b494a6c ("net/mlx5_core: Managing root flow table") +Signed-off-by: Roi Dayan +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -416,6 +416,12 @@ static void del_sw_ns(struct fs_node *no + + static void del_sw_prio(struct fs_node *node) + { ++ struct mlx5_flow_root_namespace *root_ns; ++ struct mlx5_flow_namespace *ns; ++ ++ fs_get_obj(ns, node); ++ root_ns = container_of(ns, struct mlx5_flow_root_namespace, ns); ++ mutex_destroy(&root_ns->chain_lock); + kfree(node); + } + diff --git a/queue-5.6/net-mlx5-avoid-processing-commands-before-cmdif-is-ready.patch b/queue-5.6/net-mlx5-avoid-processing-commands-before-cmdif-is-ready.patch new file mode 100644 index 00000000000..c3d8b32002d --- /dev/null +++ b/queue-5.6/net-mlx5-avoid-processing-commands-before-cmdif-is-ready.patch @@ -0,0 +1,123 @@ +From f7936ddd35d8b849daf0372770c7c9dbe7910fca Mon Sep 17 00:00:00 2001 +From: Eran Ben Elisha +Date: Thu, 19 Mar 2020 21:43:13 +0200 +Subject: net/mlx5: Avoid processing commands before cmdif is ready + +From: Eran Ben Elisha + +commit f7936ddd35d8b849daf0372770c7c9dbe7910fca upstream. + +When driver is reloading during recovery flow, it can't get new commands +till command interface is up again. Otherwise we may get to null pointer +trying to access non initialized command structures. + +Add cmdif state to avoid processing commands while cmdif is not ready. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: Eran Ben Elisha +Signed-off-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 10 ++++++++++ + drivers/net/ethernet/mellanox/mlx5/core/main.c | 4 ++++ + include/linux/mlx5/driver.h | 9 +++++++++ + 3 files changed, 23 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -923,6 +923,7 @@ static void cmd_work_handler(struct work + /* Skip sending command to fw if internal error */ + if (pci_channel_offline(dev->pdev) || + dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR || ++ cmd->state != MLX5_CMDIF_STATE_UP || + !opcode_allowed(&dev->cmd, ent->op)) { + u8 status = 0; + u32 drv_synd; +@@ -1712,6 +1713,7 @@ static int cmd_exec(struct mlx5_core_dev + opcode = MLX5_GET(mbox_in, in, opcode); + if (pci_channel_offline(dev->pdev) || + dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR || ++ dev->cmd.state != MLX5_CMDIF_STATE_UP || + !opcode_allowed(&dev->cmd, opcode)) { + err = mlx5_internal_err_ret_value(dev, opcode, &drv_synd, &status); + MLX5_SET(mbox_out, out, status, status); +@@ -1977,6 +1979,7 @@ int mlx5_cmd_init(struct mlx5_core_dev * + goto err_free_page; + } + ++ cmd->state = MLX5_CMDIF_STATE_DOWN; + cmd->checksum_disabled = 1; + cmd->max_reg_cmds = (1 << cmd->log_sz) - 1; + cmd->bitmask = (1UL << cmd->max_reg_cmds) - 1; +@@ -2054,3 +2057,10 @@ void mlx5_cmd_cleanup(struct mlx5_core_d + dma_pool_destroy(cmd->pool); + } + EXPORT_SYMBOL(mlx5_cmd_cleanup); ++ ++void mlx5_cmd_set_state(struct mlx5_core_dev *dev, ++ enum mlx5_cmdif_state cmdif_state) ++{ ++ dev->cmd.state = cmdif_state; ++} ++EXPORT_SYMBOL(mlx5_cmd_set_state); +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -962,6 +962,8 @@ static int mlx5_function_setup(struct ml + goto err_cmd_cleanup; + } + ++ mlx5_cmd_set_state(dev, MLX5_CMDIF_STATE_UP); ++ + err = mlx5_core_enable_hca(dev, 0); + if (err) { + mlx5_core_err(dev, "enable hca failed\n"); +@@ -1023,6 +1025,7 @@ reclaim_boot_pages: + err_disable_hca: + mlx5_core_disable_hca(dev, 0); + err_cmd_cleanup: ++ mlx5_cmd_set_state(dev, MLX5_CMDIF_STATE_DOWN); + mlx5_cmd_cleanup(dev); + + return err; +@@ -1040,6 +1043,7 @@ static int mlx5_function_teardown(struct + } + mlx5_reclaim_startup_pages(dev); + mlx5_core_disable_hca(dev, 0); ++ mlx5_cmd_set_state(dev, MLX5_CMDIF_STATE_DOWN); + mlx5_cmd_cleanup(dev); + + return 0; +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -230,6 +230,12 @@ struct mlx5_bfreg_info { + u32 num_dyn_bfregs; + }; + ++enum mlx5_cmdif_state { ++ MLX5_CMDIF_STATE_UNINITIALIZED, ++ MLX5_CMDIF_STATE_UP, ++ MLX5_CMDIF_STATE_DOWN, ++}; ++ + struct mlx5_cmd_first { + __be32 data[4]; + }; +@@ -275,6 +281,7 @@ struct mlx5_cmd_stats { + struct mlx5_cmd { + struct mlx5_nb nb; + ++ enum mlx5_cmdif_state state; + void *cmd_alloc_buf; + dma_addr_t alloc_dma; + int alloc_size; +@@ -900,6 +907,8 @@ enum { + + int mlx5_cmd_init(struct mlx5_core_dev *dev); + void mlx5_cmd_cleanup(struct mlx5_core_dev *dev); ++void mlx5_cmd_set_state(struct mlx5_core_dev *dev, ++ enum mlx5_cmdif_state cmdif_state); + void mlx5_cmd_use_events(struct mlx5_core_dev *dev); + void mlx5_cmd_use_polling(struct mlx5_core_dev *dev); + void mlx5_cmd_allowed_opcode(struct mlx5_core_dev *dev, u16 opcode); diff --git a/queue-5.6/net-mscc-ocelot-fix-address-ageing-time-again.patch b/queue-5.6/net-mscc-ocelot-fix-address-ageing-time-again.patch new file mode 100644 index 00000000000..36ef2928c63 --- /dev/null +++ b/queue-5.6/net-mscc-ocelot-fix-address-ageing-time-again.patch @@ -0,0 +1,39 @@ +From bf655ba212dfd10d1c86afeee3f3372dbd731d46 Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Fri, 22 May 2020 00:31:23 +0300 +Subject: net: mscc: ocelot: fix address ageing time (again) + +From: Vladimir Oltean + +commit bf655ba212dfd10d1c86afeee3f3372dbd731d46 upstream. + +ocelot_set_ageing_time has 2 callers: + - felix_set_ageing_time: from drivers/net/dsa/ocelot/felix.c + - ocelot_port_attr_ageing_set: from drivers/net/ethernet/mscc/ocelot.c + +The issue described in the fixed commit below actually happened for the +felix_set_ageing_time code path only, since ocelot_port_attr_ageing_set +was already dividing by 1000. So to make both paths symmetrical (and to +fix addresses getting aged way too fast on Ocelot), stop dividing by +1000 at caller side altogether. + +Fixes: c0d7eccbc761 ("net: mscc: ocelot: ANA_AUTOAGE_AGE_PERIOD holds a value in seconds, not ms") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mscc/ocelot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -1460,7 +1460,7 @@ static void ocelot_port_attr_ageing_set( + unsigned long ageing_clock_t) + { + unsigned long ageing_jiffies = clock_t_to_jiffies(ageing_clock_t); +- u32 ageing_time = jiffies_to_msecs(ageing_jiffies) / 1000; ++ u32 ageing_time = jiffies_to_msecs(ageing_jiffies); + + ocelot_set_ageing_time(ocelot, ageing_time); + } diff --git a/queue-5.6/net-sgi-ioc3-eth-fix-return-value-check-in-ioc3eth_probe.patch b/queue-5.6/net-sgi-ioc3-eth-fix-return-value-check-in-ioc3eth_probe.patch new file mode 100644 index 00000000000..790a55f1de6 --- /dev/null +++ b/queue-5.6/net-sgi-ioc3-eth-fix-return-value-check-in-ioc3eth_probe.patch @@ -0,0 +1,45 @@ +From a7654211d0ffeaa8eb0545ea00f8445242cbce05 Mon Sep 17 00:00:00 2001 +From: Tang Bin +Date: Wed, 20 May 2020 17:55:32 +0800 +Subject: net: sgi: ioc3-eth: Fix return value check in ioc3eth_probe() + +From: Tang Bin + +commit a7654211d0ffeaa8eb0545ea00f8445242cbce05 upstream. + +In the function devm_platform_ioremap_resource(), if get resource +failed, the return value is ERR_PTR() not NULL. Thus it must be +replaced by IS_ERR(), or else it may result in crashes if a critical +error path is encountered. + +Fixes: 0ce5ebd24d25 ("mfd: ioc3: Add driver for SGI IOC3 chip") +Signed-off-by: Zhang Shengju +Signed-off-by: Tang Bin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/sgi/ioc3-eth.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/sgi/ioc3-eth.c ++++ b/drivers/net/ethernet/sgi/ioc3-eth.c +@@ -865,14 +865,14 @@ static int ioc3eth_probe(struct platform + ip = netdev_priv(dev); + ip->dma_dev = pdev->dev.parent; + ip->regs = devm_platform_ioremap_resource(pdev, 0); +- if (!ip->regs) { +- err = -ENOMEM; ++ if (IS_ERR(ip->regs)) { ++ err = PTR_ERR(ip->regs); + goto out_free; + } + + ip->ssram = devm_platform_ioremap_resource(pdev, 1); +- if (!ip->ssram) { +- err = -ENOMEM; ++ if (IS_ERR(ip->ssram)) { ++ err = PTR_ERR(ip->ssram); + goto out_free; + } + diff --git a/queue-5.6/net-sun-fix-missing-release-regions-in-cas_init_one.patch b/queue-5.6/net-sun-fix-missing-release-regions-in-cas_init_one.patch new file mode 100644 index 00000000000..bc3aeac40dd --- /dev/null +++ b/queue-5.6/net-sun-fix-missing-release-regions-in-cas_init_one.patch @@ -0,0 +1,45 @@ +From 5a730153984dd13f82ffae93d7170d76eba204e9 Mon Sep 17 00:00:00 2001 +From: Qiushi Wu +Date: Fri, 22 May 2020 16:50:27 -0500 +Subject: net: sun: fix missing release regions in cas_init_one(). +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Qiushi Wu + +commit 5a730153984dd13f82ffae93d7170d76eba204e9 upstream. + +In cas_init_one(), "pdev" is requested by "pci_request_regions", but it +was not released after a call of the function “pci_write_config_byte” +failed. Thus replace the jump target “err_write_cacheline” by +"err_out_free_res". + +Fixes: 1f26dac32057 ("[NET]: Add Sun Cassini driver.") +Signed-off-by: Qiushi Wu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/sun/cassini.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/ethernet/sun/cassini.c ++++ b/drivers/net/ethernet/sun/cassini.c +@@ -4971,7 +4971,7 @@ static int cas_init_one(struct pci_dev * + cas_cacheline_size)) { + dev_err(&pdev->dev, "Could not set PCI cache " + "line size\n"); +- goto err_write_cacheline; ++ goto err_out_free_res; + } + } + #endif +@@ -5144,7 +5144,6 @@ err_out_iounmap: + err_out_free_res: + pci_release_regions(pdev); + +-err_write_cacheline: + /* Try to restore it in case the error occurred after we + * set it. + */ diff --git a/queue-5.6/net-tls-fix-encryption-error-checking.patch b/queue-5.6/net-tls-fix-encryption-error-checking.patch new file mode 100644 index 00000000000..ab95c095073 --- /dev/null +++ b/queue-5.6/net-tls-fix-encryption-error-checking.patch @@ -0,0 +1,72 @@ +From a7bff11f6f9afa87c25711db8050c9b5324db0e2 Mon Sep 17 00:00:00 2001 +From: Vadim Fedorenko +Date: Wed, 20 May 2020 11:41:43 +0300 +Subject: net/tls: fix encryption error checking + +From: Vadim Fedorenko + +commit a7bff11f6f9afa87c25711db8050c9b5324db0e2 upstream. + +bpf_exec_tx_verdict() can return negative value for copied +variable. In that case this value will be pushed back to caller +and the real error code will be lost. Fix it using signed type and +checking for positive value. + +Fixes: d10523d0b3d7 ("net/tls: free the record on encryption error") +Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling") +Signed-off-by: Vadim Fedorenko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tls/tls_sw.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -784,7 +784,7 @@ static int tls_push_record(struct sock * + + static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, + bool full_record, u8 record_type, +- size_t *copied, int flags) ++ ssize_t *copied, int flags) + { + struct tls_context *tls_ctx = tls_get_ctx(sk); + struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); +@@ -920,7 +920,8 @@ int tls_sw_sendmsg(struct sock *sk, stru + unsigned char record_type = TLS_RECORD_TYPE_DATA; + bool is_kvec = iov_iter_is_kvec(&msg->msg_iter); + bool eor = !(msg->msg_flags & MSG_MORE); +- size_t try_to_copy, copied = 0; ++ size_t try_to_copy; ++ ssize_t copied = 0; + struct sk_msg *msg_pl, *msg_en; + struct tls_rec *rec; + int required_size; +@@ -1129,7 +1130,7 @@ send_end: + + release_sock(sk); + mutex_unlock(&tls_ctx->tx_lock); +- return copied ? copied : ret; ++ return copied > 0 ? copied : ret; + } + + static int tls_sw_do_sendpage(struct sock *sk, struct page *page, +@@ -1143,7 +1144,7 @@ static int tls_sw_do_sendpage(struct soc + struct sk_msg *msg_pl; + struct tls_rec *rec; + int num_async = 0; +- size_t copied = 0; ++ ssize_t copied = 0; + bool full_record; + int record_room; + int ret = 0; +@@ -1245,7 +1246,7 @@ wait_for_memory: + } + sendpage_end: + ret = sk_stream_error(sk, flags, ret); +- return copied ? copied : ret; ++ return copied > 0 ? copied : ret; + } + + int tls_sw_sendpage_locked(struct sock *sk, struct page *page, diff --git a/queue-5.6/net-tls-free-record-only-on-encryption-error.patch b/queue-5.6/net-tls-free-record-only-on-encryption-error.patch new file mode 100644 index 00000000000..3e9f107cb75 --- /dev/null +++ b/queue-5.6/net-tls-free-record-only-on-encryption-error.patch @@ -0,0 +1,48 @@ +From 635d9398178659d8ddba79dd061f9451cec0b4d1 Mon Sep 17 00:00:00 2001 +From: Vadim Fedorenko +Date: Wed, 20 May 2020 11:41:44 +0300 +Subject: net/tls: free record only on encryption error + +From: Vadim Fedorenko + +commit 635d9398178659d8ddba79dd061f9451cec0b4d1 upstream. + +We cannot free record on any transient error because it leads to +losing previos data. Check socket error to know whether record must +be freed or not. + +Fixes: d10523d0b3d7 ("net/tls: free the record on encryption error") +Signed-off-by: Vadim Fedorenko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tls/tls_sw.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -800,9 +800,10 @@ static int bpf_exec_tx_verdict(struct sk + psock = sk_psock_get(sk); + if (!psock || !policy) { + err = tls_push_record(sk, flags, record_type); +- if (err && err != -EINPROGRESS) { ++ if (err && sk->sk_err == EBADMSG) { + *copied -= sk_msg_free(sk, msg); + tls_free_open_rec(sk); ++ err = -sk->sk_err; + } + if (psock) + sk_psock_put(sk, psock); +@@ -828,9 +829,10 @@ more_data: + switch (psock->eval) { + case __SK_PASS: + err = tls_push_record(sk, flags, record_type); +- if (err && err != -EINPROGRESS) { ++ if (err && sk->sk_err == EBADMSG) { + *copied -= sk_msg_free(sk, msg); + tls_free_open_rec(sk); ++ err = -sk->sk_err; + goto out_err; + } + break; diff --git a/queue-5.6/series b/queue-5.6/series index 3ac89ab89bf..63a564ef135 100644 --- a/queue-5.6/series +++ b/queue-5.6/series @@ -32,3 +32,12 @@ r8169-fix-ocp-access-on-rtl8117.patch net-mlx5-fix-a-race-when-moving-command-interface-to-events-mode.patch net-mlx5-fix-cleaning-unmanaged-flow-tables.patch revert-virtio-balloon-revert-virtio-balloon-switch-back-to-oom-handler-for-virtio_balloon_f_deflate_on_oom.patch +net-mlx5-avoid-processing-commands-before-cmdif-is-ready.patch +net-mlx5-annotate-mutex-destroy-for-root-ns.patch +net-tls-fix-encryption-error-checking.patch +net-tls-free-record-only-on-encryption-error.patch +net-sun-fix-missing-release-regions-in-cas_init_one.patch +net-mlx4_core-fix-a-memory-leak-bug.patch +net-sgi-ioc3-eth-fix-return-value-check-in-ioc3eth_probe.patch +mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch +net-mscc-ocelot-fix-address-ageing-time-again.patch