--- /dev/null
+From foo@baz Fri Jan 22 02:14:04 PM CET 2021
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 13 Jan 2021 08:18:19 -0800
+Subject: net: avoid 32 x truesize under-estimation for tiny skbs
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3226b158e67cfaa677fd180152bfb28989cb2fac ]
+
+Both virtio net and napi_get_frags() allocate skbs
+with a very small skb->head
+
+While using page fragments instead of a kmalloc backed skb->head might give
+a small performance improvement in some cases, there is a huge risk of
+under estimating memory usage.
+
+For both GOOD_COPY_LEN and GRO_MAX_HEAD, we can fit at least 32 allocations
+per page (order-3 page in x86), or even 64 on PowerPC
+
+We have been tracking OOM issues on GKE hosts hitting tcp_mem limits
+but consuming far more memory for TCP buffers than instructed in tcp_mem[2]
+
+Even if we force napi_alloc_skb() to only use order-0 pages, the issue
+would still be there on arches with PAGE_SIZE >= 32768
+
+This patch makes sure that small skb head are kmalloc backed, so that
+other objects in the slab page can be reused instead of being held as long
+as skbs are sitting in socket queues.
+
+Note that we might in the future use the sk_buff napi cache,
+instead of going through a more expensive __alloc_skb()
+
+Another idea would be to use separate page sizes depending
+on the allocated length (to never have more than 4 frags per page)
+
+I would like to thank Greg Thelen for his precious help on this matter,
+analysing crash dumps is always a time consuming task.
+
+Fixes: fd11a83dd363 ("net: Pull out core bits of __netdev_alloc_skb and add __napi_alloc_skb")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Greg Thelen <gthelen@google.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Link: https://lore.kernel.org/r/20210113161819.1155526-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -489,13 +489,17 @@ EXPORT_SYMBOL(__netdev_alloc_skb);
+ struct sk_buff *__napi_alloc_skb(struct napi_struct *napi, unsigned int len,
+ gfp_t gfp_mask)
+ {
+- struct napi_alloc_cache *nc = this_cpu_ptr(&napi_alloc_cache);
++ struct napi_alloc_cache *nc;
+ struct sk_buff *skb;
+ void *data;
+
+ len += NET_SKB_PAD + NET_IP_ALIGN;
+
+- if ((len > SKB_WITH_OVERHEAD(PAGE_SIZE)) ||
++ /* If requested length is either too small or too big,
++ * we use kmalloc() for skb->head allocation.
++ */
++ if (len <= SKB_WITH_OVERHEAD(1024) ||
++ len > SKB_WITH_OVERHEAD(PAGE_SIZE) ||
+ (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) {
+ skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX, NUMA_NO_NODE);
+ if (!skb)
+@@ -503,6 +507,7 @@ struct sk_buff *__napi_alloc_skb(struct
+ goto skb_success;
+ }
+
++ nc = this_cpu_ptr(&napi_alloc_cache);
+ len += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+ len = SKB_DATA_ALIGN(len);
+
--- /dev/null
+From foo@baz Fri Jan 22 02:14:04 PM CET 2021
+From: Petr Machata <petrm@nvidia.com>
+Date: Mon, 11 Jan 2021 18:07:07 +0100
+Subject: net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands
+
+From: Petr Machata <petrm@nvidia.com>
+
+[ Upstream commit df85bc140a4d6cbaa78d8e9c35154e1a2f0622c7 ]
+
+In commit 826f328e2b7e ("net: dcb: Validate netlink message in DCB
+handler"), Linux started rejecting RTM_GETDCB netlink messages if they
+contained a set-like DCB_CMD_ command.
+
+The reason was that privileges were only verified for RTM_SETDCB messages,
+but the value that determined the action to be taken is the command, not
+the message type. And validation of message type against the DCB command
+was the obvious missing piece.
+
+Unfortunately it turns out that mlnx_qos, a somewhat widely deployed tool
+for configuration of DCB, accesses the DCB set-like APIs through
+RTM_GETDCB.
+
+Therefore do not bounce the discrepancy between message type and command.
+Instead, in addition to validating privileges based on the actual message
+type, validate them also based on the expected message type. This closes
+the loophole of allowing DCB configuration on non-admin accounts, while
+maintaining backward compatibility.
+
+Fixes: 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver")
+Fixes: 826f328e2b7e ("net: dcb: Validate netlink message in DCB handler")
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Link: https://lore.kernel.org/r/a3edcfda0825f2aa2591801c5232f2bbf2d8a554.1610384801.git.me@pmachata.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dcb/dcbnl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -1726,7 +1726,7 @@ static int dcb_doit(struct sk_buff *skb,
+ fn = &reply_funcs[dcb->cmd];
+ if (!fn->cb)
+ return -EOPNOTSUPP;
+- if (fn->type != nlh->nlmsg_type)
++ if (fn->type == RTM_SETDCB && !netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (!tb[DCB_ATTR_IFNAME])
--- /dev/null
+From foo@baz Fri Jan 22 02:14:04 PM CET 2021
+From: Petr Machata <me@pmachata.org>
+Date: Tue, 22 Dec 2020 22:49:44 +0100
+Subject: net: dcb: Validate netlink message in DCB handler
+
+From: Petr Machata <me@pmachata.org>
+
+[ Upstream commit 826f328e2b7e8854dd42ea44e6519cd75018e7b1 ]
+
+DCB uses the same handler function for both RTM_GETDCB and RTM_SETDCB
+messages. dcb_doit() bounces RTM_SETDCB mesasges if the user does not have
+the CAP_NET_ADMIN capability.
+
+However, the operation to be performed is not decided from the DCB message
+type, but from the DCB command. Thus DCB_CMD_*_GET commands are used for
+reading DCB objects, the corresponding SET and DEL commands are used for
+manipulation.
+
+The assumption is that set-like commands will be sent via an RTM_SETDCB
+message, and get-like ones via RTM_GETDCB. However, this assumption is not
+enforced.
+
+It is therefore possible to manipulate DCB objects without CAP_NET_ADMIN
+capability by sending the corresponding command in an RTM_GETDCB message.
+That is a bug. Fix it by validating the type of the request message against
+the type used for the response.
+
+Fixes: 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver")
+Signed-off-by: Petr Machata <me@pmachata.org>
+Link: https://lore.kernel.org/r/a2a9b88418f3a58ef211b718f2970128ef9e3793.1608673640.git.me@pmachata.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dcb/dcbnl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -1726,6 +1726,8 @@ static int dcb_doit(struct sk_buff *skb,
+ fn = &reply_funcs[dcb->cmd];
+ if (!fn->cb)
+ return -EOPNOTSUPP;
++ if (fn->type != nlh->nlmsg_type)
++ return -EPERM;
+
+ if (!tb[DCB_ATTR_IFNAME])
+ return -EINVAL;
--- /dev/null
+From foo@baz Fri Jan 22 02:14:04 PM CET 2021
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Wed, 13 Jan 2021 17:29:47 -0800
+Subject: net: sit: unregister_netdevice on newlink's error path
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 47e4bb147a96f1c9b4e7691e7e994e53838bfff8 ]
+
+We need to unregister the netdevice if config failed.
+.ndo_uninit takes care of most of the heavy lifting.
+
+This was uncovered by recent commit c269a24ce057 ("net: make
+free_netdev() more lenient with unregistering devices").
+Previously the partially-initialized device would be left
+in the system.
+
+Reported-and-tested-by: syzbot+2393580080a2da190f04@syzkaller.appspotmail.com
+Fixes: e2f1f072db8d ("sit: allow to configure 6rd tunnels via netlink")
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Link: https://lore.kernel.org/r/20210114012947.2515313-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1583,8 +1583,11 @@ static int ipip6_newlink(struct net *src
+ }
+
+ #ifdef CONFIG_IPV6_SIT_6RD
+- if (ipip6_netlink_6rd_parms(data, &ip6rd))
++ if (ipip6_netlink_6rd_parms(data, &ip6rd)) {
+ err = ipip6_tunnel_update_6rd(nt, &ip6rd);
++ if (err < 0)
++ unregister_netdevice_queue(dev, NULL);
++ }
+ #endif
+
+ return err;
--- /dev/null
+From foo@baz Fri Jan 22 02:14:04 PM CET 2021
+From: Manish Chopra <manishc@marvell.com>
+Date: Thu, 7 Jan 2021 02:15:20 -0800
+Subject: netxen_nic: fix MSI/MSI-x interrupts
+
+From: Manish Chopra <manishc@marvell.com>
+
+[ Upstream commit a2bc221b972db91e4be1970e776e98f16aa87904 ]
+
+For all PCI functions on the netxen_nic adapter, interrupt
+mode (INTx or MSI) configuration is dependent on what has
+been configured by the PCI function zero in the shared
+interrupt register, as these adapters do not support mixed
+mode interrupts among the functions of a given adapter.
+
+Logic for setting MSI/MSI-x interrupt mode in the shared interrupt
+register based on PCI function id zero check is not appropriate for
+all family of netxen adapters, as for some of the netxen family
+adapters PCI function zero is not really meant to be probed/loaded
+in the host but rather just act as a management function on the device,
+which caused all the other PCI functions on the adapter to always use
+legacy interrupt (INTx) mode instead of choosing MSI/MSI-x interrupt mode.
+
+This patch replaces that check with port number so that for all
+type of adapters driver attempts for MSI/MSI-x interrupt modes.
+
+Fixes: b37eb210c076 ("netxen_nic: Avoid mixed mode interrupts")
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Link: https://lore.kernel.org/r/20210107101520.6735-1-manishc@marvell.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+@@ -586,11 +586,6 @@ static const struct net_device_ops netxe
+ #endif
+ };
+
+-static inline bool netxen_function_zero(struct pci_dev *pdev)
+-{
+- return (PCI_FUNC(pdev->devfn) == 0) ? true : false;
+-}
+-
+ static inline void netxen_set_interrupt_mode(struct netxen_adapter *adapter,
+ u32 mode)
+ {
+@@ -686,7 +681,7 @@ static int netxen_setup_intr(struct netx
+ netxen_initialize_interrupt_registers(adapter);
+ netxen_set_msix_bit(pdev, 0);
+
+- if (netxen_function_zero(pdev)) {
++ if (adapter->portnum == 0) {
+ if (!netxen_setup_msi_interrupts(adapter, num_msix))
+ netxen_set_interrupt_mode(adapter, NETXEN_MSI_MODE);
+ else
--- /dev/null
+From foo@baz Fri Jan 22 02:14:04 PM CET 2021
+From: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
+Date: Fri, 8 Jan 2021 09:58:39 +0000
+Subject: rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request
+
+From: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
+
+[ Upstream commit e56b3d94d939f52d46209b9e1b6700c5bfff3123 ]
+
+MSFT ActiveSync implementation requires that the size of the response for
+incoming query is to be provided in the request input length. Failure to
+set the input size proper results in failed request transfer, where the
+ActiveSync counterpart reports the NDIS_STATUS_INVALID_LENGTH (0xC0010014L)
+error.
+
+Set the input size for OID_GEN_PHYSICAL_MEDIUM query to the expected size
+of the response in order for the ActiveSync to properly respond to the
+request.
+
+Fixes: 039ee17d1baa ("rndis_host: Add RNDIS physical medium checking into generic_rndis_bind()")
+Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
+Link: https://lore.kernel.org/r/20210108095839.3335-1-andrey.zhizhikin@leica-geosystems.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/rndis_host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/rndis_host.c
++++ b/drivers/net/usb/rndis_host.c
+@@ -398,7 +398,7 @@ generic_rndis_bind(struct usbnet *dev, s
+ reply_len = sizeof *phym;
+ retval = rndis_query(dev, intf, u.buf,
+ RNDIS_OID_GEN_PHYSICAL_MEDIUM,
+- 0, (void **) &phym, &reply_len);
++ reply_len, (void **)&phym, &reply_len);
+ if (retval != 0 || !phym) {
+ /* OID is optional so don't fail here. */
+ phym_unspec = cpu_to_le32(RNDIS_PHYSICAL_MEDIUM_UNSPECIFIED);
--- /dev/null
+From foo@baz Fri Jan 22 02:14:04 PM CET 2021
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 12 Jan 2021 15:23:51 +0000
+Subject: rxrpc: Fix handling of an unsupported token type in rxrpc_read()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit d52e419ac8b50c8bef41b398ed13528e75d7ad48 ]
+
+Clang static analysis reports the following:
+
+net/rxrpc/key.c:657:11: warning: Assigned value is garbage or undefined
+ toksize = toksizes[tok++];
+ ^ ~~~~~~~~~~~~~~~
+
+rxrpc_read() contains two consecutive loops. The first loop calculates the
+token sizes and stores the results in toksizes[] and the second one uses
+the array. When there is an error in identifying the token in the first
+loop, the token is skipped, no change is made to the toksizes[] array.
+When the same error happens in the second loop, the token is not skipped.
+This will cause the toksizes[] array to be out of step and will overrun
+past the calculated sizes.
+
+Fix this by making both loops log a message and return an error in this
+case. This should only happen if a new token type is incompletely
+implemented, so it should normally be impossible to trigger this.
+
+Fixes: 9a059cd5ca7d ("rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()")
+Reported-by: Tom Rix <trix@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Tom Rix <trix@redhat.com>
+Link: https://lore.kernel.org/r/161046503122.2445787.16714129930607546635.stgit@warthog.procyon.org.uk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/key.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -1106,7 +1106,7 @@ static long rxrpc_read(const struct key
+ default: /* we have a ticket we can't encode */
+ pr_err("Unsupported key token type (%u)\n",
+ token->security_index);
+- continue;
++ return -ENOPKG;
+ }
+
+ _debug("token[%u]: toksize=%u", ntoks, toksize);
+@@ -1226,7 +1226,9 @@ static long rxrpc_read(const struct key
+ break;
+
+ default:
+- break;
++ pr_err("Unsupported key token type (%u)\n",
++ token->security_index);
++ return -ENOPKG;
+ }
+
+ ASSERTCMP((unsigned long)xdr - (unsigned long)oldxdr, ==,
compiler.h-raise-minimum-version-of-gcc-to-5.1-for-arm64.patch
nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch
net-cdc_ncm-correct-overhead-in-delayed_ndp_size.patch
+netxen_nic-fix-msi-msi-x-interrupts.patch
+rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch
+net-dcb-validate-netlink-message-in-dcb-handler.patch
+net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch
+net-sit-unregister_netdevice-on-newlink-s-error-path.patch
+net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch
+rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch
+tipc-fix-null-deref-in-tipc_link_xmit.patch
--- /dev/null
+From foo@baz Fri Jan 22 12:59:03 PM CET 2021
+From: Hoang Le <hoang.h.le@dektech.com.au>
+Date: Fri, 8 Jan 2021 14:13:37 +0700
+Subject: tipc: fix NULL deref in tipc_link_xmit()
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+[ Upstream commit b77413446408fdd256599daf00d5be72b5f3e7c6 ]
+
+The buffer list can have zero skb as following path:
+tipc_named_node_up()->tipc_node_xmit()->tipc_link_xmit(), so
+we need to check the list before casting an &sk_buff.
+
+Fault report:
+ [] tipc: Bulk publication failure
+ [] general protection fault, probably for non-canonical [#1] PREEMPT [...]
+ [] KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
+ [] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 5.10.0-rc4+ #2
+ [] Hardware name: Bochs ..., BIOS Bochs 01/01/2011
+ [] RIP: 0010:tipc_link_xmit+0xc1/0x2180
+ [] Code: 24 b8 00 00 00 00 4d 39 ec 4c 0f 44 e8 e8 d7 0a 10 f9 48 [...]
+ [] RSP: 0018:ffffc90000006ea0 EFLAGS: 00010202
+ [] RAX: dffffc0000000000 RBX: ffff8880224da000 RCX: 1ffff11003d3cc0d
+ [] RDX: 0000000000000019 RSI: ffffffff886007b9 RDI: 00000000000000c8
+ [] RBP: ffffc90000007018 R08: 0000000000000001 R09: fffff52000000ded
+ [] R10: 0000000000000003 R11: fffff52000000dec R12: ffffc90000007148
+ [] R13: 0000000000000000 R14: 0000000000000000 R15: ffffc90000007018
+ [] FS: 0000000000000000(0000) GS:ffff888037400000(0000) knlGS:000[...]
+ [] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [] CR2: 00007fffd2db5000 CR3: 000000002b08f000 CR4: 00000000000006f0
+
+Fixes: af9b028e270fd ("tipc: make media xmit call outside node spinlock context")
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Link: https://lore.kernel.org/r/20210108071337.3598-1-hoang.h.le@dektech.com.au
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/link.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/link.c
++++ b/net/tipc/link.c
+@@ -877,9 +877,8 @@ void tipc_link_reset(struct tipc_link *l
+ int tipc_link_xmit(struct tipc_link *l, struct sk_buff_head *list,
+ struct sk_buff_head *xmitq)
+ {
+- struct tipc_msg *hdr = buf_msg(skb_peek(list));
+ unsigned int maxwin = l->window;
+- unsigned int i, imp = msg_importance(hdr);
++ unsigned int i;
+ unsigned int mtu = l->mtu;
+ u16 ack = l->rcv_nxt - 1;
+ u16 seqno = l->snd_nxt;
+@@ -888,7 +887,13 @@ int tipc_link_xmit(struct tipc_link *l,
+ struct sk_buff_head *backlogq = &l->backlogq;
+ struct sk_buff *skb, *_skb, *bskb;
+ int pkt_cnt = skb_queue_len(list);
++ struct tipc_msg *hdr;
++ int imp;
+
++ if (pkt_cnt <= 0)
++ return 0;
++
++ imp = msg_importance(hdr);
+ /* Match msg importance against this and all higher backlog limits: */
+ if (!skb_queue_empty(backlogq)) {
+ for (i = imp; i <= TIPC_SYSTEM_IMPORTANCE; i++) {
+@@ -896,6 +901,8 @@ int tipc_link_xmit(struct tipc_link *l,
+ return link_schedule_user(l, list);
+ }
+ }
++
++ hdr = buf_msg(skb_peek(list));
+ if (unlikely(msg_size(hdr) > mtu)) {
+ skb_queue_purge(list);
+ return -EMSGSIZE;
projects / thirdparty / kernel / stable-queue.git / commitdiff
