--- /dev/null
+From foo@baz Tue Nov 23 01:35:28 PM CET 2021
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 20 Nov 2021 13:40:16 +0100
+Subject: batman-adv: Consider fragmentation for needed_headroom
+To: stable@vger.kernel.org
+Cc: b.a.t.m.a.n@lists.open-mesh.org, "Sven Eckelmann" <sven@narfation.org>, "Linus Lüssing" <linus.luessing@c0d3.blue>, "Simon Wunderlich" <sw@simonwunderlich.de>
+Message-ID: <20211120124018.260907-4-sven@narfation.org>
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 4ca23e2c2074465bff55ea14221175fecdf63c5f upstream.
+
+If a batman-adv packets has to be fragmented, then the original batman-adv
+packet header is not stripped away. Instead, only a new header is added in
+front of the packet after it was split.
+
+This size must be considered to avoid cost intensive reallocations during
+the transmission through the various device layers.
+
+Fixes: 7bca68c7844b ("batman-adv: Add lower layer needed_(head|tail)room to own ones")
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/hard-interface.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -558,6 +558,9 @@ static void batadv_hardif_recalc_extra_s
+ needed_headroom = lower_headroom + (lower_header_len - ETH_HLEN);
+ needed_headroom += batadv_max_header_len();
+
++ /* fragmentation headers don't strip the unicast/... header */
++ needed_headroom += sizeof(struct batadv_frag_packet);
++
+ soft_iface->needed_headroom = needed_headroom;
+ soft_iface->needed_tailroom = lower_tailroom;
+ }
--- /dev/null
+From foo@baz Tue Nov 23 01:35:28 PM CET 2021
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 20 Nov 2021 13:40:18 +0100
+Subject: batman-adv: Don't always reallocate the fragmentation skb head
+To: stable@vger.kernel.org
+Cc: b.a.t.m.a.n@lists.open-mesh.org, Sven Eckelmann <sven@narfation.org>, Simon Wunderlich <sw@simonwunderlich.de>
+Message-ID: <20211120124018.260907-6-sven@narfation.org>
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 992b03b88e36254e26e9a4977ab948683e21bd9f upstream.
+
+When a packet is fragmented by batman-adv, the original batman-adv header
+is not modified. Only a new fragmentation is inserted between the original
+one and the ethernet header. The code must therefore make sure that it has
+a writable region of this size in the skbuff head.
+
+But it is not useful to always reallocate the skbuff by this size even when
+there would be more than enough headroom still in the skb. The reallocation
+is just to costly during in this codepath.
+
+Fixes: ee75ed88879a ("batman-adv: Fragment and send skbs larger than mtu")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/fragmentation.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -538,13 +538,14 @@ int batadv_frag_send_packet(struct sk_bu
+ frag_header.no++;
+ }
+
+- /* Make room for the fragment header. */
+- if (batadv_skb_head_push(skb, header_size) < 0 ||
+- pskb_expand_head(skb, header_size + ETH_HLEN, 0, GFP_ATOMIC) < 0) {
+- ret = -ENOMEM;
++ /* make sure that there is at least enough head for the fragmentation
++ * and ethernet headers
++ */
++ ret = skb_cow_head(skb, ETH_HLEN + header_size);
++ if (ret < 0)
+ goto put_primary_if;
+- }
+
++ skb_push(skb, header_size);
+ memcpy(skb->data, &frag_header, header_size);
+
+ /* Send the last fragment */
--- /dev/null
+From foo@baz Tue Nov 23 01:35:28 PM CET 2021
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 20 Nov 2021 13:40:15 +0100
+Subject: batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh
+To: stable@vger.kernel.org
+Cc: b.a.t.m.a.n@lists.open-mesh.org, "Linus Lüssing" <linus.luessing@c0d3.blue>, "Simon Wunderlich" <sw@simonwunderlich.de>, "Sven Eckelmann" <sven@narfation.org>
+Message-ID: <20211120124018.260907-3-sven@narfation.org>
+
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+
+commit 2369e827046920ef0599e6a36b975ac5c0a359c2 upstream.
+
+Scenario:
+* Multicast frame send from BLA backbone gateways (multiple nodes
+ with their bat0 bridged together, with BLA enabled) sharing the same
+ LAN to nodes in the mesh
+
+Issue:
+* Nodes receive the frame multiple times on bat0 from the mesh,
+ once from each foreign BLA backbone gateway which shares the same LAN
+ with another
+
+For multicast frames via batman-adv broadcast packets coming from the
+same BLA backbone but from different backbone gateways duplicates are
+currently detected via a CRC history of previously received packets.
+
+However this CRC so far was not performed for multicast frames received
+via batman-adv unicast packets. Fixing this by appyling the same check
+for such packets, too.
+
+Room for improvements in the future: Ideally we would introduce the
+possibility to not only claim a client, but a complete originator, too.
+This would allow us to only send a multicast-in-unicast packet from a BLA
+backbone gateway claiming the node and by that avoid potential redundant
+transmissions in the first place.
+
+Fixes: fe2da6ff27c7 ("batman-adv: add broadcast duplicate check")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+[ bp: 4.14 backported: adjust context, correct fixes line ]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 105 +++++++++++++++++++++++++++------
+ 1 file changed, 88 insertions(+), 17 deletions(-)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1598,13 +1598,16 @@ int batadv_bla_init(struct batadv_priv *
+ }
+
+ /**
+- * batadv_bla_check_bcast_duplist - Check if a frame is in the broadcast dup.
++ * batadv_bla_check_duplist() - Check if a frame is in the broadcast dup.
+ * @bat_priv: the bat priv with all the soft interface information
+- * @skb: contains the bcast_packet to be checked
+- *
+- * check if it is on our broadcast list. Another gateway might
+- * have sent the same packet because it is connected to the same backbone,
+- * so we have to remove this duplicate.
++ * @skb: contains the multicast packet to be checked
++ * @payload_ptr: pointer to position inside the head buffer of the skb
++ * marking the start of the data to be CRC'ed
++ * @orig: originator mac address, NULL if unknown
++ *
++ * Check if it is on our broadcast list. Another gateway might have sent the
++ * same packet because it is connected to the same backbone, so we have to
++ * remove this duplicate.
+ *
+ * This is performed by checking the CRC, which will tell us
+ * with a good chance that it is the same packet. If it is furthermore
+@@ -1613,19 +1616,17 @@ int batadv_bla_init(struct batadv_priv *
+ *
+ * Return: true if a packet is in the duplicate list, false otherwise.
+ */
+-bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
+- struct sk_buff *skb)
++static bool batadv_bla_check_duplist(struct batadv_priv *bat_priv,
++ struct sk_buff *skb, u8 *payload_ptr,
++ const u8 *orig)
+ {
+- int i, curr;
+- __be32 crc;
+- struct batadv_bcast_packet *bcast_packet;
+ struct batadv_bcast_duplist_entry *entry;
+ bool ret = false;
+-
+- bcast_packet = (struct batadv_bcast_packet *)skb->data;
++ int i, curr;
++ __be32 crc;
+
+ /* calculate the crc ... */
+- crc = batadv_skb_crc32(skb, (u8 *)(bcast_packet + 1));
++ crc = batadv_skb_crc32(skb, payload_ptr);
+
+ spin_lock_bh(&bat_priv->bla.bcast_duplist_lock);
+
+@@ -1644,8 +1645,21 @@ bool batadv_bla_check_bcast_duplist(stru
+ if (entry->crc != crc)
+ continue;
+
+- if (batadv_compare_eth(entry->orig, bcast_packet->orig))
+- continue;
++ /* are the originators both known and not anonymous? */
++ if (orig && !is_zero_ether_addr(orig) &&
++ !is_zero_ether_addr(entry->orig)) {
++ /* If known, check if the new frame came from
++ * the same originator:
++ * We are safe to take identical frames from the
++ * same orig, if known, as multiplications in
++ * the mesh are detected via the (orig, seqno) pair.
++ * So we can be a bit more liberal here and allow
++ * identical frames from the same orig which the source
++ * host might have sent multiple times on purpose.
++ */
++ if (batadv_compare_eth(entry->orig, orig))
++ continue;
++ }
+
+ /* this entry seems to match: same crc, not too old,
+ * and from another gw. therefore return true to forbid it.
+@@ -1661,7 +1675,14 @@ bool batadv_bla_check_bcast_duplist(stru
+ entry = &bat_priv->bla.bcast_duplist[curr];
+ entry->crc = crc;
+ entry->entrytime = jiffies;
+- ether_addr_copy(entry->orig, bcast_packet->orig);
++
++ /* known originator */
++ if (orig)
++ ether_addr_copy(entry->orig, orig);
++ /* anonymous originator */
++ else
++ eth_zero_addr(entry->orig);
++
+ bat_priv->bla.bcast_duplist_curr = curr;
+
+ out:
+@@ -1671,6 +1692,48 @@ out:
+ }
+
+ /**
++ * batadv_bla_check_ucast_duplist() - Check if a frame is in the broadcast dup.
++ * @bat_priv: the bat priv with all the soft interface information
++ * @skb: contains the multicast packet to be checked, decapsulated from a
++ * unicast_packet
++ *
++ * Check if it is on our broadcast list. Another gateway might have sent the
++ * same packet because it is connected to the same backbone, so we have to
++ * remove this duplicate.
++ *
++ * Return: true if a packet is in the duplicate list, false otherwise.
++ */
++static bool batadv_bla_check_ucast_duplist(struct batadv_priv *bat_priv,
++ struct sk_buff *skb)
++{
++ return batadv_bla_check_duplist(bat_priv, skb, (u8 *)skb->data, NULL);
++}
++
++/**
++ * batadv_bla_check_bcast_duplist() - Check if a frame is in the broadcast dup.
++ * @bat_priv: the bat priv with all the soft interface information
++ * @skb: contains the bcast_packet to be checked
++ *
++ * Check if it is on our broadcast list. Another gateway might have sent the
++ * same packet because it is connected to the same backbone, so we have to
++ * remove this duplicate.
++ *
++ * Return: true if a packet is in the duplicate list, false otherwise.
++ */
++bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
++ struct sk_buff *skb)
++{
++ struct batadv_bcast_packet *bcast_packet;
++ u8 *payload_ptr;
++
++ bcast_packet = (struct batadv_bcast_packet *)skb->data;
++ payload_ptr = (u8 *)(bcast_packet + 1);
++
++ return batadv_bla_check_duplist(bat_priv, skb, payload_ptr,
++ bcast_packet->orig);
++}
++
++/**
+ * batadv_bla_is_backbone_gw_orig - Check if the originator is a gateway for
+ * the VLAN identified by vid.
+ * @bat_priv: the bat priv with all the soft interface information
+@@ -1884,6 +1947,14 @@ bool batadv_bla_rx(struct batadv_priv *b
+ packet_type == BATADV_UNICAST)
+ goto handled;
+
++ /* potential duplicates from foreign BLA backbone gateways via
++ * multicast-in-unicast packets
++ */
++ if (is_multicast_ether_addr(ethhdr->h_dest) &&
++ packet_type == BATADV_UNICAST &&
++ batadv_bla_check_ucast_duplist(bat_priv, skb))
++ goto handled;
++
+ ether_addr_copy(search_claim.addr, ethhdr->h_source);
+ search_claim.vid = vid;
+ claim = batadv_claim_hash_find(bat_priv, &search_claim);
--- /dev/null
+From foo@baz Tue Nov 23 01:35:28 PM CET 2021
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 20 Nov 2021 13:40:14 +0100
+Subject: batman-adv: mcast: fix duplicate mcast packets in BLA backbone from LAN
+To: stable@vger.kernel.org
+Cc: b.a.t.m.a.n@lists.open-mesh.org, "Linus Lüssing" <linus.luessing@c0d3.blue>, "Simon Wunderlich" <sw@simonwunderlich.de>, "Sven Eckelmann" <sven@narfation.org>
+Message-ID: <20211120124018.260907-2-sven@narfation.org>
+
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+
+commit 3236d215ad38a3f5372e65cd1e0a52cf93d3c6a2 upstream.
+
+Scenario:
+* Multicast frame send from a BLA backbone (multiple nodes with
+ their bat0 bridged together, with BLA enabled)
+
+Issue:
+* BLA backbone nodes receive the frame multiple times on bat0
+
+For multicast frames received via batman-adv broadcast packets the
+originator of the broadcast packet is checked before decapsulating and
+forwarding the frame to bat0 (batadv_bla_is_backbone_gw()->
+batadv_recv_bcast_packet()). If it came from a node which shares the
+same BLA backbone with us then it is not forwarded to bat0 to avoid a
+loop.
+
+When sending a multicast frame in a non-4-address batman-adv unicast
+packet we are currently missing this check - and cannot do so because
+the batman-adv unicast packet has no originator address field.
+
+However, we can simply fix this on the sender side by only sending the
+multicast frame via unicasts to interested nodes which do not share the
+same BLA backbone with us. This also nicely avoids some unnecessary
+transmissions on mesh side.
+
+Note that no infinite loop was observed, probably because of dropping
+via batadv_interface_tx()->batadv_bla_tx(). However the duplicates still
+utterly confuse switches/bridges, ICMPv6 duplicate address detection and
+neighbor discovery and therefore leads to long delays before being able
+to establish TCP connections, for instance. And it also leads to the Linux
+bridge printing messages like:
+"br-lan: received packet on eth1 with own address as source address ..."
+
+Fixes: 1d8ab8d3c176 ("batman-adv: Modified forwarding behaviour for multicast packets")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+[ bp: 4.14 backport: drop usage in non-existing batadv_mcast_forw_*,
+ correct fixes line ]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/multicast.c | 31 +++++++++++++++++++++++++++++++
+ net/batman-adv/multicast.h | 15 +++++++++++++++
+ net/batman-adv/soft-interface.c | 5 ++---
+ 3 files changed, 48 insertions(+), 3 deletions(-)
+
+--- a/net/batman-adv/multicast.c
++++ b/net/batman-adv/multicast.c
+@@ -55,10 +55,12 @@
+ #include <net/ip.h>
+ #include <net/ipv6.h>
+
++#include "bridge_loop_avoidance.h"
+ #include "hard-interface.h"
+ #include "hash.h"
+ #include "log.h"
+ #include "packet.h"
++#include "send.h"
+ #include "translation-table.h"
+ #include "tvlv.h"
+
+@@ -1291,6 +1293,35 @@ void batadv_mcast_free(struct batadv_pri
+ }
+
+ /**
++ * batadv_mcast_forw_send_orig() - send a multicast packet to an originator
++ * @bat_priv: the bat priv with all the soft interface information
++ * @skb: the multicast packet to send
++ * @vid: the vlan identifier
++ * @orig_node: the originator to send the packet to
++ *
++ * Return: NET_XMIT_DROP in case of error or NET_XMIT_SUCCESS otherwise.
++ */
++int batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv,
++ struct sk_buff *skb,
++ unsigned short vid,
++ struct batadv_orig_node *orig_node)
++{
++ /* Avoid sending multicast-in-unicast packets to other BLA
++ * gateways - they already got the frame from the LAN side
++ * we share with them.
++ * TODO: Refactor to take BLA into account earlier, to avoid
++ * reducing the mcast_fanout count.
++ */
++ if (batadv_bla_is_backbone_gw_orig(bat_priv, orig_node->orig, vid)) {
++ dev_kfree_skb(skb);
++ return NET_XMIT_SUCCESS;
++ }
++
++ return batadv_send_skb_unicast(bat_priv, skb, BATADV_UNICAST, 0,
++ orig_node, vid);
++}
++
++/**
+ * batadv_mcast_purge_orig - reset originator global mcast state modifications
+ * @orig: the originator which is going to get purged
+ */
+--- a/net/batman-adv/multicast.h
++++ b/net/batman-adv/multicast.h
+@@ -43,6 +43,11 @@ enum batadv_forw_mode
+ batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ struct batadv_orig_node **mcast_single_orig);
+
++int batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv,
++ struct sk_buff *skb,
++ unsigned short vid,
++ struct batadv_orig_node *orig_node);
++
+ void batadv_mcast_init(struct batadv_priv *bat_priv);
+
+ int batadv_mcast_flags_seq_print_text(struct seq_file *seq, void *offset);
+@@ -65,6 +70,16 @@ static inline int batadv_mcast_init(stru
+ return 0;
+ }
+
++static inline int
++batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv,
++ struct sk_buff *skb,
++ unsigned short vid,
++ struct batadv_orig_node *orig_node)
++{
++ kfree_skb(skb);
++ return NET_XMIT_DROP;
++}
++
+ static inline void batadv_mcast_free(struct batadv_priv *bat_priv)
+ {
+ }
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -359,9 +359,8 @@ send:
+ goto dropped;
+ ret = batadv_send_skb_via_gw(bat_priv, skb, vid);
+ } else if (mcast_single_orig) {
+- ret = batadv_send_skb_unicast(bat_priv, skb,
+- BATADV_UNICAST, 0,
+- mcast_single_orig, vid);
++ ret = batadv_mcast_forw_send_orig(bat_priv, skb, vid,
++ mcast_single_orig);
+ } else {
+ if (batadv_dat_snoop_outgoing_arp_request(bat_priv,
+ skb))
--- /dev/null
+From foo@baz Tue Nov 23 01:35:28 PM CET 2021
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 20 Nov 2021 13:40:17 +0100
+Subject: batman-adv: Reserve needed_*room for fragments
+To: stable@vger.kernel.org
+Cc: b.a.t.m.a.n@lists.open-mesh.org, Sven Eckelmann <sven@narfation.org>, Simon Wunderlich <sw@simonwunderlich.de>
+Message-ID: <20211120124018.260907-5-sven@narfation.org>
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit c5cbfc87558168ef4c3c27ce36eba6b83391db19 upstream.
+
+The batadv net_device is trying to propagate the needed_headroom and
+needed_tailroom from the lower devices. This is needed to avoid cost
+intensive reallocations using pskb_expand_head during the transmission.
+
+But the fragmentation code split the skb's without adding extra room at the
+end/beginning of the various fragments. This reduced the performance of
+transmissions over complex scenarios (batadv on vxlan on wireguard) because
+the lower devices had to perform the reallocations at least once.
+
+Fixes: ee75ed88879a ("batman-adv: Fragment and send skbs larger than mtu")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+[ bp: 4.14 backported: adjust context. ]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/fragmentation.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -402,6 +402,7 @@ out:
+
+ /**
+ * batadv_frag_create - create a fragment from skb
++ * @net_dev: outgoing device for fragment
+ * @skb: skb to create fragment from
+ * @frag_head: header to use in new fragment
+ * @fragment_size: size of new fragment
+@@ -412,22 +413,25 @@ out:
+ *
+ * Return: the new fragment, NULL on error.
+ */
+-static struct sk_buff *batadv_frag_create(struct sk_buff *skb,
++static struct sk_buff *batadv_frag_create(struct net_device *net_dev,
++ struct sk_buff *skb,
+ struct batadv_frag_packet *frag_head,
+ unsigned int fragment_size)
+ {
++ unsigned int ll_reserved = LL_RESERVED_SPACE(net_dev);
++ unsigned int tailroom = net_dev->needed_tailroom;
+ struct sk_buff *skb_fragment;
+ unsigned int header_size = sizeof(*frag_head);
+ unsigned int mtu = fragment_size + header_size;
+
+- skb_fragment = netdev_alloc_skb(NULL, mtu + ETH_HLEN);
++ skb_fragment = dev_alloc_skb(ll_reserved + mtu + tailroom);
+ if (!skb_fragment)
+ goto err;
+
+ skb_fragment->priority = skb->priority;
+
+ /* Eat the last mtu-bytes of the skb */
+- skb_reserve(skb_fragment, header_size + ETH_HLEN);
++ skb_reserve(skb_fragment, ll_reserved + header_size);
+ skb_split(skb, skb_fragment, skb->len - fragment_size);
+
+ /* Add the header */
+@@ -450,11 +454,12 @@ int batadv_frag_send_packet(struct sk_bu
+ struct batadv_orig_node *orig_node,
+ struct batadv_neigh_node *neigh_node)
+ {
++ struct net_device *net_dev = neigh_node->if_incoming->net_dev;
+ struct batadv_priv *bat_priv;
+ struct batadv_hard_iface *primary_if = NULL;
+ struct batadv_frag_packet frag_header;
+ struct sk_buff *skb_fragment;
+- unsigned int mtu = neigh_node->if_incoming->net_dev->mtu;
++ unsigned int mtu = net_dev->mtu;
+ unsigned int header_size = sizeof(frag_header);
+ unsigned int max_fragment_size, num_fragments;
+ int ret;
+@@ -514,7 +519,7 @@ int batadv_frag_send_packet(struct sk_bu
+ goto put_primary_if;
+ }
+
+- skb_fragment = batadv_frag_create(skb, &frag_header,
++ skb_fragment = batadv_frag_create(net_dev, skb, &frag_header,
+ max_fragment_size);
+ if (!skb_fragment) {
+ ret = -ENOMEM;
--- /dev/null
+From 4716023a8f6a0f4a28047f14dd7ebdc319606b84 Mon Sep 17 00:00:00 2001
+From: Greg Thelen <gthelen@google.com>
+Date: Wed, 10 Nov 2021 18:18:14 -0800
+Subject: perf/core: Avoid put_page() when GUP fails
+
+From: Greg Thelen <gthelen@google.com>
+
+commit 4716023a8f6a0f4a28047f14dd7ebdc319606b84 upstream.
+
+PEBS PERF_SAMPLE_PHYS_ADDR events use perf_virt_to_phys() to convert PMU
+sampled virtual addresses to physical using get_user_page_fast_only()
+and page_to_phys().
+
+Some get_user_page_fast_only() error cases return false, indicating no
+page reference, but still initialize the output page pointer with an
+unreferenced page. In these error cases perf_virt_to_phys() calls
+put_page(). This causes page reference count underflow, which can lead
+to unintentional page sharing.
+
+Fix perf_virt_to_phys() to only put_page() if get_user_page_fast_only()
+returns a referenced page.
+
+Fixes: fc7ce9c74c3ad ("perf/core, x86: Add PERF_SAMPLE_PHYS_ADDR")
+Signed-off-by: Greg Thelen <gthelen@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20211111021814.757086-1-gthelen@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -6110,7 +6110,6 @@ void perf_output_sample(struct perf_outp
+ static u64 perf_virt_to_phys(u64 virt)
+ {
+ u64 phys_addr = 0;
+- struct page *p = NULL;
+
+ if (!virt)
+ return 0;
+@@ -6129,14 +6128,15 @@ static u64 perf_virt_to_phys(u64 virt)
+ * If failed, leave phys_addr as 0.
+ */
+ if (current->mm != NULL) {
++ struct page *p;
++
+ pagefault_disable();
+- if (__get_user_pages_fast(virt, 1, 0, &p) == 1)
++ if (__get_user_pages_fast(virt, 1, 0, &p) == 1) {
+ phys_addr = page_to_phys(p) + virt % PAGE_SIZE;
++ put_page(p);
++ }
+ pagefault_enable();
+ }
+-
+- if (p)
+- put_page(p);
+ }
+
+ return phys_addr;
cfg80211-call-cfg80211_stop_ap-when-switch-from-p2p_go-type.patch
drm-udl-fix-control-message-timeout.patch
drm-amdgpu-fix-set-scaling-mode-full-full-aspect-center-not-works-on-vga-and-dvi-connectors.patch
+perf-core-avoid-put_page-when-gup-fails.patch
+batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-backbone-from-lan.patch
+batman-adv-mcast-fix-duplicate-mcast-packets-from-bla-backbone-to-mesh.patch
+batman-adv-consider-fragmentation-for-needed_headroom.patch
+batman-adv-reserve-needed_-room-for-fragments.patch
+batman-adv-don-t-always-reallocate-the-fragmentation-skb-head.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
