[5.10,29/66] tls: Fix context leak on tls_device_down

Message ID	20220516193620.257989798@linuxfoundation.org
State	New
Headers	show Return-Path: <stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Maxim Mikityanskiy <maximmi@nvidia.com>, Tariq Toukan <tariqt@nvidia.com>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org> Subject: [PATCH 5.10 29/66] tls: Fix context leak on tls_device_down Date: Mon, 16 May 2022 21:36:29 +0200 Message-Id: <20220516193620.257989798@linuxfoundation.org> In-Reply-To: <20220516193619.400083785@linuxfoundation.org> References: <20220516193619.400083785@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [5.10,02/66] iwlwifi: iwl-dbg: Use del_timer_sync() before freeing [5.10,03/66] hwmon: (tmp401) Add OF device ID table [5.10,04/66] mac80211: Reset MBSSID parameters upon connection [5.10,05/66] net: Fix features skip in for_each_netdev_feature() [5.10,06/66] net: mscc: ocelot: fix last VCAP IS1/IS2 filter persisting in hardware when deleted [5.10,07/66] net: mscc: ocelot: fix VCAP IS2 filters matching on both lookups [5.10,08/66] net: mscc: ocelot: restrict tc-trap actions to VCAP IS2 lookup 0 [5.10,09/66] net: mscc: ocelot: avoid corrupting hardware counters when moving VCAP filters [5.10,10/66] ipv4: drop dst in multicast routing path [5.10,11/66] drm/nouveau: Fix a potential theorical leak in nouveau_get_backlight_name() [5.10,12/66] netlink: do not reset transport header in netlink_recvmsg() [5.10,13/66] sfc: Use swap() instead of open coding it [5.10,14/66] net: sfc: fix memory leak due to ptp channel [5.10,15/66] mac80211_hwsim: call ieee80211_tx_prepare_skb under RCU protection [5.10,16/66] nfs: fix broken handling of the softreval mount option [5.10,17/66] ionic: fix missing pci_release_regions() on error in ionic_probe() [5.10,18/66] dim: initialize all struct fields [5.10,19/66] hwmon: (ltq-cputemp) restrict it to SOC_XWAY [5.10,20/66] selftests: vm: Makefile: rename TARGETS to VMTARGETS [5.10,21/66] s390/ctcm: fix variable dereferenced before check [5.10,22/66] s390/ctcm: fix potential memory leak [5.10,23/66] s390/lcs: fix variable dereferenced before check [5.10,24/66] net/sched: act_pedit: really ensure the skb is writable [5.10,25/66] net: bcmgenet: Check for Wake-on-LAN interrupt probe deferral [5.10,26/66] net: dsa: bcm_sf2: Fix Wake-on-LAN with mac_link_down() [5.10,27/66] net/smc: non blocking recvmsg() return -EAGAIN when no data and signal_pending [5.10,28/66] net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe() [5.10,29/66] tls: Fix context leak on tls_device_down [5.10,30/66] gfs2: Fix filesystem block deallocation for short writes [5.10,31/66] hwmon: (f71882fg) Fix negative temperature [5.10,32/66] ASoC: max98090: Reject invalid values in custom control put() [5.10,33/66] ASoC: max98090: Generate notifications on changes for custom control [5.10,34/66] ASoC: ops: Validate input values in snd_soc_put_volsw_range() [5.10,35/66] s390: disable -Warray-bounds [5.10,36/66] net: emaclite: Dont advertise 1000BASE-T and do auto negotiation [5.10,37/66] net: sfp: Add tx-fault workaround for Huawei MA5671A SFP ONT [5.10,38/66] tcp: resalt the secret every 10 seconds [5.10,39/66] firmware_loader: use kernel credentials when reading firmware [5.10,40/66] tty/serial: digicolor: fix possible null-ptr-deref in digicolor_uart_probe() [5.10,41/66] tty: n_gsm: fix mux activation issues in gsm_config() [5.10,42/66] usb: cdc-wdm: fix reading stuck on device close [5.10,43/66] usb: typec: tcpci: Dont skip cleanup in .remove() on error [5.10,44/66] usb: typec: tcpci_mt6360: Update for BMC PHY setting [5.10,45/66] USB: serial: pl2303: add device id for HP LM930 Display [5.10,46/66] USB: serial: qcserial: add support for Sierra Wireless EM7590 [5.10,47/66] USB: serial: option: add Fibocom L610 modem [5.10,48/66] USB: serial: option: add Fibocom MA510 modem [5.10,49/66] slimbus: qcom: Fix IRQ check in qcom_slim_probe [5.10,50/66] serial: 8250_mtk: Fix UART_EFR register address [5.10,51/66] serial: 8250_mtk: Fix register address for XON/XOFF character [5.10,52/66] ceph: fix setting of xattrs on async created inodes [5.10,53/66] drm/nouveau/tegra: Stop using iommu_present() [5.10,54/66] i40e: i40e_main: fix a missing check on list iterator [5.10,55/66] net: atlantic: always deep reset on pm op, fixing up my null deref regression [5.10,56/66] cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in cpuset_init_smp() [5.10,57/66] drm/vmwgfx: Initialize drm_mode_fb_cmd2 [5.10,58/66] SUNRPC: Clean up scheduling of autoclose [5.10,59/66] SUNRPC: Prevent immediate close+reconnect [5.10,60/66] SUNRPC: Dont call connect() more than once on a TCP socket [5.10,61/66] SUNRPC: Ensure we flush any closed sockets before xs_xprt_free() [5.10,62/66] net: phy: Fix race condition on link status change [5.10,63/66] arm[64]/memremap: dont abuse pfn_valid() to ensure presence of linear map [5.10,64/66] ping: fix address binding wrt vrf [5.10,65/66] usb: gadget: uvc: rename function to be more consistent [5.10,66/66] usb: gadget: uvc: allow for application to cleanly shutdown

Message ID

20220516193620.257989798@linuxfoundation.org

State

New

Headers

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Maxim Mikityanskiy <maximmi@nvidia.com>,
        Tariq Toukan <tariqt@nvidia.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 29/66] tls: Fix context leak on tls_device_down
Date: Mon, 16 May 2022 21:36:29 +0200
Message-Id: <20220516193620.257989798@linuxfoundation.org>
In-Reply-To: <20220516193619.400083785@linuxfoundation.org>
References: <20220516193619.400083785@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

None | expand

Commit Message

Greg Kroah-Hartman May 16, 2022, 7:36 p.m. UTC

From: Maxim Mikityanskiy <maximmi@nvidia.com>

[ Upstream commit 3740651bf7e200109dd42d5b2fb22226b26f960a ]

The commit cited below claims to fix a use-after-free condition after
tls_device_down. Apparently, the description wasn't fully accurate. The
context stayed alive, but ctx->netdev became NULL, and the offload was
torn down without a proper fallback, so a bug was present, but a
different kind of bug.

Due to misunderstanding of the issue, the original patch dropped the
refcount_dec_and_test line for the context to avoid the alleged
premature deallocation. That line has to be restored, because it matches
the refcount_inc_not_zero from the same function, otherwise the contexts
that survived tls_device_down are leaked.

This patch fixes the described issue by restoring refcount_dec_and_test.
After this change, there is no leak anymore, and the fallback to
software kTLS still works.

Fixes: c55dcdd435aa ("net/tls: Fix use-after-free after the TLS device goes down and up")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://lore.kernel.org/r/20220512091830.678684-1-maximmi@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/tls/tls_device.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
index 1f56225a10e3..3c82286e5bcc 100644
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -1345,7 +1345,10 @@  static int tls_device_down(struct net_device *netdev)
 
 		/* Device contexts for RX and TX will be freed in on sk_destruct
 		 * by tls_device_free_ctx. rx_conf and tx_conf stay in TLS_HW.
+		 * Now release the ref taken above.
 		 */
+		if (refcount_dec_and_test(&ctx->refcount))
+			tls_device_free_ctx(ctx);
 	}
 
 	up_write(&device_offload_lock);

[5.10,29/66] tls: Fix context leak on tls_device_down

Commit Message

Patch