From 2e89e771b0d3e67939fd0bdea6937122ef7665c5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 29 May 2020 11:35:21 +0200
Subject: [PATCH] 5.4-stable patches
added patches:
mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch
net-mlx4_core-fix-a-memory-leak-bug.patch
net-mlx5-annotate-mutex-destroy-for-root-ns.patch
net-sun-fix-missing-release-regions-in-cas_init_one.patch
net-tls-fix-encryption-error-checking.patch
net-tls-free-record-only-on-encryption-error.patch
---
 ...nsplit-type_set-in-case-reload-fails.patch | 108 ++++++++++++++++++
 .../net-mlx4_core-fix-a-memory-leak-bug.patch | 34 ++++++
 ...5-annotate-mutex-destroy-for-root-ns.patch | 36 ++++++
 ...sing-release-regions-in-cas_init_one.patch | 45 ++++++++
 ...et-tls-fix-encryption-error-checking.patch | 72 ++++++++++++
 ...free-record-only-on-encryption-error.patch | 48 ++++++++
 queue-5.4/series | 6 +
 7 files changed, 349 insertions(+)
 create mode 100644 queue-5.4/mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch
 create mode 100644 queue-5.4/net-mlx4_core-fix-a-memory-leak-bug.patch
 create mode 100644 queue-5.4/net-mlx5-annotate-mutex-destroy-for-root-ns.patch
 create mode 100644 queue-5.4/net-sun-fix-missing-release-regions-in-cas_init_one.patch
 create mode 100644 queue-5.4/net-tls-fix-encryption-error-checking.patch
 create mode 100644 queue-5.4/net-tls-free-record-only-on-encryption-error.patch
diff --git a/queue-5.4/mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch b/queue-5.4/mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch
new file mode 100644
index 00000000000..78f492a1bda
--- /dev/null
+++ b/queue-5.4/mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch
@@ -0,0 +1,108 @@
+From 4340f42f207eacb81e7a6b6bb1e3b6afad9a2e26 Mon Sep 17 00:00:00 2001
+From: Jiri Pirko
+Date: Thu, 21 May 2020 15:11:44 +0300
+Subject: mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails
+
+From: Jiri Pirko
+
+commit 4340f42f207eacb81e7a6b6bb1e3b6afad9a2e26 upstream.
+
+In case of reload fail, the mlxsw_sp->ports contains a pointer to a
+freed memory (either by reload_down() or reload_up() error path).
+Fix this by initializing the pointer to NULL and checking it before
+dereferencing in split/unsplit/type_set callpaths.
+
+Fixes: 24cc68ad6c46 ("mlxsw: core: Add support for reload")
+Reported-by: Danielle Ratson
+Signed-off-by: Jiri Pirko
+Signed-off-by: Ido Schimmel
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 14 ++++++++++++--
+ drivers/net/ethernet/mellanox/mlxsw/switchx2.c | 8 ++++++++
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -3932,6 +3932,7 @@ static void mlxsw_sp_ports_remove(struct
+ mlxsw_sp_cpu_port_remove(mlxsw_sp);
+ kfree(mlxsw_sp->port_to_module);
+ kfree(mlxsw_sp->ports);
++ mlxsw_sp->ports = NULL;
+ }
+
+ static int mlxsw_sp_ports_create(struct mlxsw_sp *mlxsw_sp)
+@@ -3986,6 +3987,7 @@ err_cpu_port_create:
+ kfree(mlxsw_sp->port_to_module);
+ err_port_to_module_alloc:
+ kfree(mlxsw_sp->ports);
++ mlxsw_sp->ports = NULL;
+ return err;
+ }
+
+@@ -4040,6 +4042,14 @@ static void mlxsw_sp_port_unsplit_create
+ }
+ }
+
++static struct mlxsw_sp_port *
++mlxsw_sp_port_get_by_local_port(struct mlxsw_sp *mlxsw_sp, u8 local_port)
++{
++ if (mlxsw_sp->ports && mlxsw_sp->ports[local_port])
++ return mlxsw_sp->ports[local_port];
++ return NULL;
++}
++
+ static int mlxsw_sp_port_split(struct mlxsw_core *mlxsw_core, u8 local_port,
+ unsigned int count,
+ struct netlink_ext_ack *extack)
+@@ -4058,7 +4068,7 @@ static int mlxsw_sp_port_split(struct ml
+ local_ports_in_1x = MLXSW_CORE_RES_GET(mlxsw_core, LOCAL_PORTS_IN_1X);
+ local_ports_in_2x = MLXSW_CORE_RES_GET(mlxsw_core, LOCAL_PORTS_IN_2X);
+
+- mlxsw_sp_port = mlxsw_sp->ports[local_port];
++ mlxsw_sp_port = mlxsw_sp_port_get_by_local_port(mlxsw_sp, local_port);
+ if (!mlxsw_sp_port) {
+ dev_err(mlxsw_sp->bus_info->dev, "Port number \"%d\" does not exist\n",
+ local_port);
+@@ -4136,7 +4146,7 @@ static int mlxsw_sp_port_unsplit(struct
+ local_ports_in_1x = MLXSW_CORE_RES_GET(mlxsw_core, LOCAL_PORTS_IN_1X);
+ local_ports_in_2x = MLXSW_CORE_RES_GET(mlxsw_core, LOCAL_PORTS_IN_2X);
+
+- mlxsw_sp_port = mlxsw_sp->ports[local_port];
++ mlxsw_sp_port = mlxsw_sp_port_get_by_local_port(mlxsw_sp, local_port);
+ if (!mlxsw_sp_port) {
+ dev_err(mlxsw_sp->bus_info->dev, "Port number \"%d\" does not exist\n",
+ local_port);
+--- a/drivers/net/ethernet/mellanox/mlxsw/switchx2.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/switchx2.c
+@@ -1258,6 +1258,7 @@ static void mlxsw_sx_ports_remove(struct
+ if (mlxsw_sx_port_created(mlxsw_sx, i))
+ mlxsw_sx_port_remove(mlxsw_sx, i);
+ kfree(mlxsw_sx->ports);
++ mlxsw_sx->ports = NULL;
+ }
+
+ static int mlxsw_sx_ports_create(struct mlxsw_sx *mlxsw_sx)
+@@ -1292,6 +1293,7 @@ err_port_module_info_get:
+ if (mlxsw_sx_port_created(mlxsw_sx, i))
+ mlxsw_sx_port_remove(mlxsw_sx, i);
+ kfree(mlxsw_sx->ports);
++ mlxsw_sx->ports = NULL;
+ return err;
+ }
+
+@@ -1375,6 +1377,12 @@ static int mlxsw_sx_port_type_set(struct
+ u8 module, width;
+ int err;
+
++ if (!mlxsw_sx->ports || !mlxsw_sx->ports[local_port]) {
++ dev_err(mlxsw_sx->bus_info->dev, "Port number \"%d\" does not exist\n",
++ local_port);
++ return -EINVAL;
++ }
++
+ if (new_type == DEVLINK_PORT_TYPE_AUTO)
+ return -EOPNOTSUPP;
+
diff --git a/queue-5.4/net-mlx4_core-fix-a-memory-leak-bug.patch b/queue-5.4/net-mlx4_core-fix-a-memory-leak-bug.patch
new file mode 100644
index 00000000000..a19464684a5
--- /dev/null
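Review bot: In the spectrum.c part of the mlxsw use-after-free patch, `mlxsw_sp->port_to_module` is still left dangling: both `mlxsw_sp_ports_remove()` and the `err_cpu_port_create` unwind free it right next to `ports`, but only `ports` is reset to NULL. Adding `mlxsw_sp->port_to_module = NULL;` after each `kfree(mlxsw_sp->port_to_module);` would keep the two arrays consistent after a failed reload; whether any path reads it in that state is not visible here. The new `mlxsw_sp_port_get_by_local_port()` also indexes `ports[local_port]` with no bound of its own, so it relies on callers having range-checked `local_port` and on split/unsplit being serialized against reload, which deserves a one-line comment above the helper. All of these function bodies begin or end outside the hunks shown.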
+++ b/queue-5.4/net-mlx4_core-fix-a-memory-leak-bug.patch
@@ -0,0 +1,34 @@
+From febfd9d3c7f74063e8e630b15413ca91b567f963 Mon Sep 17 00:00:00 2001
+From: Qiushi Wu
+Date: Fri, 22 May 2020 14:07:15 -0500
+Subject: net/mlx4_core: fix a memory leak bug.
+
+From: Qiushi Wu
+
+commit febfd9d3c7f74063e8e630b15413ca91b567f963 upstream.
+
+In function mlx4_opreq_action(), pointer "mailbox" is not released,
+when mlx4_cmd_box() return and error, causing a memory leak bug.
+Fix this issue by going to "out" label, mlx4_free_cmd_mailbox() can
+free this pointer.
+
+Fixes: fe6f700d6cbb ("net/mlx4_core: Respond to operation request by firmware")
+Signed-off-by: Qiushi Wu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/mellanox/mlx4/fw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/fw.c
++++ b/drivers/net/ethernet/mellanox/mlx4/fw.c
+@@ -2734,7 +2734,7 @@ void mlx4_opreq_action(struct work_struc
+ if (err) {
+ mlx4_err(dev, "Failed to retrieve required operation: %d\n",
+ err);
+- return;
++ goto out;
+ }
+ MLX4_GET(modifier, outbox, GET_OP_REQ_MODIFIER_OFFSET);
+ MLX4_GET(token, outbox, GET_OP_REQ_TOKEN_OFFSET);
diff --git a/queue-5.4/net-mlx5-annotate-mutex-destroy-for-root-ns.patch b/queue-5.4/net-mlx5-annotate-mutex-destroy-for-root-ns.patch
new file mode 100644
index 00000000000..3a0c73c2800
--- /dev/null
+++ b/queue-5.4/net-mlx5-annotate-mutex-destroy-for-root-ns.patch
@@ -0,0 +1,36 @@
+From 9ca415399dae133b00273a4283ef31d003a6818d Mon Sep 17 00:00:00 2001
+From: Roi Dayan
+Date: Thu, 14 May 2020 23:44:38 +0300
+Subject: net/mlx5: Annotate mutex destroy for root ns
+
+From: Roi Dayan
+
+commit 9ca415399dae133b00273a4283ef31d003a6818d upstream.
+
+Invoke mutex_destroy() to catch any errors.
+
+Fixes: 2cc43b494a6c ("net/mlx5_core: Managing root flow table")
+Signed-off-by: Roi Dayan
+Reviewed-by: Mark Bloch
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -417,6 +417,12 @@ static void del_sw_ns(struct fs_node *no
+
+ static void del_sw_prio(struct fs_node *node)
+ {
++ struct mlx5_flow_root_namespace *root_ns;
++ struct mlx5_flow_namespace *ns;
++
++ fs_get_obj(ns, node);
++ root_ns = container_of(ns, struct mlx5_flow_root_namespace, ns);
++ mutex_destroy(&root_ns->chain_lock);
+ kfree(node);
+ }
+
diff --git a/queue-5.4/net-sun-fix-missing-release-regions-in-cas_init_one.patch b/queue-5.4/net-sun-fix-missing-release-regions-in-cas_init_one.patch
new file mode 100644
index 00000000000..bc3aeac40dd
--- /dev/null
+++ b/queue-5.4/net-sun-fix-missing-release-regions-in-cas_init_one.patch
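Review bot: In net-mlx5-annotate-mutex-destroy-for-root-ns.patch the six added lines land in `del_sw_prio()`, per the context lines, while the subject and the added code itself are about a root namespace. If the node passed to this callback is a priority node rather than a namespace (inferred from the function name; the struct layouts are not visible here), `fs_get_obj(ns, node)` followed by `container_of(ns, struct mlx5_flow_root_namespace, ns)` yields a pointer into the wrong object, and `mutex_destroy(&root_ns->chain_lock)` then operates on memory that is not that mutex on every prio teardown. Please confirm which delete callback frees root namespaces in the 5.4 tree and move the lines there, or drop this backport if 5.4 has no such callback.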
@@ -0,0 +1,45 @@
+From 5a730153984dd13f82ffae93d7170d76eba204e9 Mon Sep 17 00:00:00 2001
+From: Qiushi Wu
+Date: Fri, 22 May 2020 16:50:27 -0500
+Subject: net: sun: fix missing release regions in cas_init_one().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Qiushi Wu
+
+commit 5a730153984dd13f82ffae93d7170d76eba204e9 upstream.
+
+In cas_init_one(), "pdev" is requested by "pci_request_regions", but it
+was not released after a call of the function “pci_write_config_byte”
+failed. Thus replace the jump target “err_write_cacheline” by
+"err_out_free_res".
+
+Fixes: 1f26dac32057 ("[NET]: Add Sun Cassini driver.")
+Signed-off-by: Qiushi Wu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/sun/cassini.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/sun/cassini.c
++++ b/drivers/net/ethernet/sun/cassini.c
+@@ -4971,7 +4971,7 @@ static int cas_init_one(struct pci_dev *
+ cas_cacheline_size)) {
+ dev_err(&pdev->dev, "Could not set PCI cache "
+ "line size\n");
+- goto err_write_cacheline;
++ goto err_out_free_res;
+ }
+ }
+ #endif
+@@ -5144,7 +5144,6 @@ err_out_iounmap:
+ err_out_free_res:
+ pci_release_regions(pdev);
+
+-err_write_cacheline:
+ /* Try to restore it in case the error occurred after we
+ * set it.
+ */
diff --git a/queue-5.4/net-tls-fix-encryption-error-checking.patch b/queue-5.4/net-tls-fix-encryption-error-checking.patch
new file mode 100644
index 00000000000..4035bdbcdcb
--- /dev/null
+++ b/queue-5.4/net-tls-fix-encryption-error-checking.patch
@@ -0,0 +1,72 @@
+From a7bff11f6f9afa87c25711db8050c9b5324db0e2 Mon Sep 17 00:00:00 2001
+From: Vadim Fedorenko
+Date: Wed, 20 May 2020 11:41:43 +0300
+Subject: net/tls: fix encryption error checking
+
+From: Vadim Fedorenko
+
+commit a7bff11f6f9afa87c25711db8050c9b5324db0e2 upstream.
+
+bpf_exec_tx_verdict() can return negative value for copied
+variable. In that case this value will be pushed back to caller
+and the real error code will be lost. Fix it using signed type and
+checking for positive value.
+
+Fixes: d10523d0b3d7 ("net/tls: free the record on encryption error")
+Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
+Signed-off-by: Vadim Fedorenko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/tls/tls_sw.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -781,7 +781,7 @@ static int tls_push_record(struct sock *
+
+ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ bool full_record, u8 record_type,
+- size_t *copied, int flags)
++ ssize_t *copied, int flags)
+ {
+ struct tls_context *tls_ctx = tls_get_ctx(sk);
+ struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
+@@ -917,7 +917,8 @@ int tls_sw_sendmsg(struct sock *sk, stru
+ unsigned char record_type = TLS_RECORD_TYPE_DATA;
+ bool is_kvec = iov_iter_is_kvec(&msg->msg_iter);
+ bool eor = !(msg->msg_flags & MSG_MORE);
+- size_t try_to_copy, copied = 0;
++ size_t try_to_copy;
++ ssize_t copied = 0;
+ struct sk_msg *msg_pl, *msg_en;
+ struct tls_rec *rec;
+ int required_size;
+@@ -1126,7 +1127,7 @@ send_end:
+
+ release_sock(sk);
+ mutex_unlock(&tls_ctx->tx_lock);
+- return copied ? copied : ret;
++ return copied > 0 ? copied : ret;
+ }
+
+ static int tls_sw_do_sendpage(struct sock *sk, struct page *page,
+@@ -1140,7 +1141,7 @@ static int tls_sw_do_sendpage(struct soc
+ struct sk_msg *msg_pl;
+ struct tls_rec *rec;
+ int num_async = 0;
+- size_t copied = 0;
++ ssize_t copied = 0;
+ bool full_record;
+ int record_room;
+ int ret = 0;
+@@ -1242,7 +1243,7 @@ wait_for_memory:
+ }
+ sendpage_end:
+ ret = sk_stream_error(sk, flags, ret);
+- return copied ? copied : ret;
++ return copied > 0 ? copied : ret;
+ }
+
+ int tls_sw_sendpage_locked(struct sock *sk, struct page *page,
diff --git a/queue-5.4/net-tls-free-record-only-on-encryption-error.patch b/queue-5.4/net-tls-free-record-only-on-encryption-error.patch
new file mode 100644
index 00000000000..9f5b280a98f
--- /dev/null
+++ b/queue-5.4/net-tls-free-record-only-on-encryption-error.patch
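Review bot: In net-tls-fix-encryption-error-checking.patch, `copied` becomes `ssize_t` while `try_to_copy` stays `size_t` in `tls_sw_sendmsg()`, so any remaining expression that mixes the two converts a negative `copied` back to a very large unsigned value. The two `return copied > 0 ? copied : ret;` sites are handled, but the code between the declarations and the returns is outside these hunks and should be audited for comparisons or arithmetic against `size_t` operands. Both functions return `int`, so the `ssize_t` value is also narrowed on return. A short comment at each declaration, for example `/* signed: bpf_exec_tx_verdict() can drive this negative */`, would record why the type changed.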
@@ -0,0 +1,48 @@
+From 635d9398178659d8ddba79dd061f9451cec0b4d1 Mon Sep 17 00:00:00 2001
+From: Vadim Fedorenko
+Date: Wed, 20 May 2020 11:41:44 +0300
+Subject: net/tls: free record only on encryption error
+
+From: Vadim Fedorenko
+
+commit 635d9398178659d8ddba79dd061f9451cec0b4d1 upstream.
+
+We cannot free record on any transient error because it leads to
+losing previos data. Check socket error to know whether record must
+be freed or not.
+
+Fixes: d10523d0b3d7 ("net/tls: free the record on encryption error")
+Signed-off-by: Vadim Fedorenko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/tls/tls_sw.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -797,9 +797,10 @@ static int bpf_exec_tx_verdict(struct sk
+ psock = sk_psock_get(sk);
+ if (!psock || !policy) {
+ err = tls_push_record(sk, flags, record_type);
+- if (err && err != -EINPROGRESS) {
++ if (err && sk->sk_err == EBADMSG) {
+ *copied -= sk_msg_free(sk, msg);
+ tls_free_open_rec(sk);
++ err = -sk->sk_err;
+ }
+ if (psock)
+ sk_psock_put(sk, psock);
+@@ -825,9 +826,10 @@ more_data:
+ switch (psock->eval) {
+ case __SK_PASS:
+ err = tls_push_record(sk, flags, record_type);
+- if (err && err != -EINPROGRESS) {
++ if (err && sk->sk_err == EBADMSG) {
+ *copied -= sk_msg_free(sk, msg);
+ tls_free_open_rec(sk);
++ err = -sk->sk_err;
+ goto out_err;
+ }
+ break;
diff --git a/queue-5.4/series b/queue-5.4/series
index 7c6f768d6ab..a8046a479cb 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
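Review bot: In net-tls-free-record-only-on-encryption-error.patch both rewritten conditions drop the `err != -EINPROGRESS` exclusion, so the free path now depends only on `sk->sk_err`, a socket-wide field that this particular call may not have set. If `sk_err` already holds EBADMSG from an earlier failure (an assumption; the writers of `sk_err` are not in this hunk) and `tls_push_record()` returns -EINPROGRESS, the open record would be freed while the request is still pending. Keeping both tests, `if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) {`, preserves the old guarantee, and the same applies to the `__SK_PASS` case in the second hunk. The body of `bpf_exec_tx_verdict()` continues outside both hunks.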
@@ -23,3 +23,9 @@ net-mlx5e-fix-inner-tirs-handling.patch
 net-mlx5-fix-memory-leak-in-mlx5_events_init.patch
 net-mlx5e-update-netdev-txq-on-completions-during-closure.patch
 net-mlx5-fix-error-flow-in-case-of-function_setup-failure.patch
+net-mlx5-annotate-mutex-destroy-for-root-ns.patch
+net-tls-fix-encryption-error-checking.patch
+net-tls-free-record-only-on-encryption-error.patch
+net-sun-fix-missing-release-regions-in-cas_init_one.patch
+net-mlx4_core-fix-a-memory-leak-bug.patch
+mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch
--
2.47.3