--- /dev/null
+From foo@baz Fri Jan 22 02:26:36 PM CET 2021
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 13 Jan 2021 08:18:19 -0800
+Subject: net: avoid 32 x truesize under-estimation for tiny skbs
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3226b158e67cfaa677fd180152bfb28989cb2fac ]
+
+Both virtio net and napi_get_frags() allocate skbs
+with a very small skb->head
+
+While using page fragments instead of a kmalloc backed skb->head might give
+a small performance improvement in some cases, there is a huge risk of
+under estimating memory usage.
+
+For both GOOD_COPY_LEN and GRO_MAX_HEAD, we can fit at least 32 allocations
+per page (order-3 page in x86), or even 64 on PowerPC
+
+We have been tracking OOM issues on GKE hosts hitting tcp_mem limits
+but consuming far more memory for TCP buffers than instructed in tcp_mem[2]
+
+Even if we force napi_alloc_skb() to only use order-0 pages, the issue
+would still be there on arches with PAGE_SIZE >= 32768
+
+This patch makes sure that small skb head are kmalloc backed, so that
+other objects in the slab page can be reused instead of being held as long
+as skbs are sitting in socket queues.
+
+Note that we might in the future use the sk_buff napi cache,
+instead of going through a more expensive __alloc_skb()
+
+Another idea would be to use separate page sizes depending
+on the allocated length (to never have more than 4 frags per page)
+
+I would like to thank Greg Thelen for his precious help on this matter,
+analysing crash dumps is always a time consuming task.
+
+Fixes: fd11a83dd363 ("net: Pull out core bits of __netdev_alloc_skb and add __napi_alloc_skb")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Greg Thelen <gthelen@google.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Link: https://lore.kernel.org/r/20210113161819.1155526-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -480,13 +480,17 @@ EXPORT_SYMBOL(__netdev_alloc_skb);
+ struct sk_buff *__napi_alloc_skb(struct napi_struct *napi, unsigned int len,
+ gfp_t gfp_mask)
+ {
+- struct page_frag_cache *nc = this_cpu_ptr(&napi_alloc_cache);
++ struct page_frag_cache *nc;
+ struct sk_buff *skb;
+ void *data;
+
+ len += NET_SKB_PAD + NET_IP_ALIGN;
+
+- if ((len > SKB_WITH_OVERHEAD(PAGE_SIZE)) ||
++ /* If requested length is either too small or too big,
++ * we use kmalloc() for skb->head allocation.
++ */
++ if (len <= SKB_WITH_OVERHEAD(1024) ||
++ len > SKB_WITH_OVERHEAD(PAGE_SIZE) ||
+ (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) {
+ skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX, NUMA_NO_NODE);
+ if (!skb)
+@@ -494,6 +498,7 @@ struct sk_buff *__napi_alloc_skb(struct
+ goto skb_success;
+ }
+
++ nc = this_cpu_ptr(&napi_alloc_cache);
+ len += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+ len = SKB_DATA_ALIGN(len);
+
--- /dev/null
+From foo@baz Fri Jan 22 02:26:36 PM CET 2021
+From: Petr Machata <petrm@nvidia.com>
+Date: Mon, 11 Jan 2021 18:07:07 +0100
+Subject: net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands
+
+From: Petr Machata <petrm@nvidia.com>
+
+[ Upstream commit df85bc140a4d6cbaa78d8e9c35154e1a2f0622c7 ]
+
+In commit 826f328e2b7e ("net: dcb: Validate netlink message in DCB
+handler"), Linux started rejecting RTM_GETDCB netlink messages if they
+contained a set-like DCB_CMD_ command.
+
+The reason was that privileges were only verified for RTM_SETDCB messages,
+but the value that determined the action to be taken is the command, not
+the message type. And validation of message type against the DCB command
+was the obvious missing piece.
+
+Unfortunately it turns out that mlnx_qos, a somewhat widely deployed tool
+for configuration of DCB, accesses the DCB set-like APIs through
+RTM_GETDCB.
+
+Therefore do not bounce the discrepancy between message type and command.
+Instead, in addition to validating privileges based on the actual message
+type, validate them also based on the expected message type. This closes
+the loophole of allowing DCB configuration on non-admin accounts, while
+maintaining backward compatibility.
+
+Fixes: 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver")
+Fixes: 826f328e2b7e ("net: dcb: Validate netlink message in DCB handler")
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Link: https://lore.kernel.org/r/a3edcfda0825f2aa2591801c5232f2bbf2d8a554.1610384801.git.me@pmachata.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dcb/dcbnl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -1725,7 +1725,7 @@ static int dcb_doit(struct sk_buff *skb,
+ fn = &reply_funcs[dcb->cmd];
+ if (!fn->cb)
+ return -EOPNOTSUPP;
+- if (fn->type != nlh->nlmsg_type)
++ if (fn->type == RTM_SETDCB && !netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (!tb[DCB_ATTR_IFNAME])
--- /dev/null
+From foo@baz Fri Jan 22 02:26:36 PM CET 2021
+From: Petr Machata <me@pmachata.org>
+Date: Tue, 22 Dec 2020 22:49:44 +0100
+Subject: net: dcb: Validate netlink message in DCB handler
+
+From: Petr Machata <me@pmachata.org>
+
+[ Upstream commit 826f328e2b7e8854dd42ea44e6519cd75018e7b1 ]
+
+DCB uses the same handler function for both RTM_GETDCB and RTM_SETDCB
+messages. dcb_doit() bounces RTM_SETDCB mesasges if the user does not have
+the CAP_NET_ADMIN capability.
+
+However, the operation to be performed is not decided from the DCB message
+type, but from the DCB command. Thus DCB_CMD_*_GET commands are used for
+reading DCB objects, the corresponding SET and DEL commands are used for
+manipulation.
+
+The assumption is that set-like commands will be sent via an RTM_SETDCB
+message, and get-like ones via RTM_GETDCB. However, this assumption is not
+enforced.
+
+It is therefore possible to manipulate DCB objects without CAP_NET_ADMIN
+capability by sending the corresponding command in an RTM_GETDCB message.
+That is a bug. Fix it by validating the type of the request message against
+the type used for the response.
+
+Fixes: 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver")
+Signed-off-by: Petr Machata <me@pmachata.org>
+Link: https://lore.kernel.org/r/a2a9b88418f3a58ef211b718f2970128ef9e3793.1608673640.git.me@pmachata.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dcb/dcbnl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -1725,6 +1725,8 @@ static int dcb_doit(struct sk_buff *skb,
+ fn = &reply_funcs[dcb->cmd];
+ if (!fn->cb)
+ return -EOPNOTSUPP;
++ if (fn->type != nlh->nlmsg_type)
++ return -EPERM;
+
+ if (!tb[DCB_ATTR_IFNAME])
+ return -EINVAL;
--- /dev/null
+From foo@baz Fri Jan 22 02:26:36 PM CET 2021
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Wed, 13 Jan 2021 17:29:47 -0800
+Subject: net: sit: unregister_netdevice on newlink's error path
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 47e4bb147a96f1c9b4e7691e7e994e53838bfff8 ]
+
+We need to unregister the netdevice if config failed.
+.ndo_uninit takes care of most of the heavy lifting.
+
+This was uncovered by recent commit c269a24ce057 ("net: make
+free_netdev() more lenient with unregistering devices").
+Previously the partially-initialized device would be left
+in the system.
+
+Reported-and-tested-by: syzbot+2393580080a2da190f04@syzkaller.appspotmail.com
+Fixes: e2f1f072db8d ("sit: allow to configure 6rd tunnels via netlink")
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Link: https://lore.kernel.org/r/20210114012947.2515313-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1584,8 +1584,11 @@ static int ipip6_newlink(struct net *src
+ }
+
+ #ifdef CONFIG_IPV6_SIT_6RD
+- if (ipip6_netlink_6rd_parms(data, &ip6rd))
++ if (ipip6_netlink_6rd_parms(data, &ip6rd)) {
+ err = ipip6_tunnel_update_6rd(nt, &ip6rd);
++ if (err < 0)
++ unregister_netdevice_queue(dev, NULL);
++ }
+ #endif
+
+ return err;
--- /dev/null
+From foo@baz Fri Jan 22 02:26:36 PM CET 2021
+From: Manish Chopra <manishc@marvell.com>
+Date: Thu, 7 Jan 2021 02:15:20 -0800
+Subject: netxen_nic: fix MSI/MSI-x interrupts
+
+From: Manish Chopra <manishc@marvell.com>
+
+[ Upstream commit a2bc221b972db91e4be1970e776e98f16aa87904 ]
+
+For all PCI functions on the netxen_nic adapter, interrupt
+mode (INTx or MSI) configuration is dependent on what has
+been configured by the PCI function zero in the shared
+interrupt register, as these adapters do not support mixed
+mode interrupts among the functions of a given adapter.
+
+Logic for setting MSI/MSI-x interrupt mode in the shared interrupt
+register based on PCI function id zero check is not appropriate for
+all family of netxen adapters, as for some of the netxen family
+adapters PCI function zero is not really meant to be probed/loaded
+in the host but rather just act as a management function on the device,
+which caused all the other PCI functions on the adapter to always use
+legacy interrupt (INTx) mode instead of choosing MSI/MSI-x interrupt mode.
+
+This patch replaces that check with port number so that for all
+type of adapters driver attempts for MSI/MSI-x interrupt modes.
+
+Fixes: b37eb210c076 ("netxen_nic: Avoid mixed mode interrupts")
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Link: https://lore.kernel.org/r/20210107101520.6735-1-manishc@marvell.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+@@ -586,11 +586,6 @@ static const struct net_device_ops netxe
+ #endif
+ };
+
+-static inline bool netxen_function_zero(struct pci_dev *pdev)
+-{
+- return (PCI_FUNC(pdev->devfn) == 0) ? true : false;
+-}
+-
+ static inline void netxen_set_interrupt_mode(struct netxen_adapter *adapter,
+ u32 mode)
+ {
+@@ -686,7 +681,7 @@ static int netxen_setup_intr(struct netx
+ netxen_initialize_interrupt_registers(adapter);
+ netxen_set_msix_bit(pdev, 0);
+
+- if (netxen_function_zero(pdev)) {
++ if (adapter->portnum == 0) {
+ if (!netxen_setup_msi_interrupts(adapter, num_msix))
+ netxen_set_interrupt_mode(adapter, NETXEN_MSI_MODE);
+ else
--- /dev/null
+From foo@baz Fri Jan 22 02:26:36 PM CET 2021
+From: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
+Date: Fri, 8 Jan 2021 09:58:39 +0000
+Subject: rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request
+
+From: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
+
+[ Upstream commit e56b3d94d939f52d46209b9e1b6700c5bfff3123 ]
+
+MSFT ActiveSync implementation requires that the size of the response for
+incoming query is to be provided in the request input length. Failure to
+set the input size proper results in failed request transfer, where the
+ActiveSync counterpart reports the NDIS_STATUS_INVALID_LENGTH (0xC0010014L)
+error.
+
+Set the input size for OID_GEN_PHYSICAL_MEDIUM query to the expected size
+of the response in order for the ActiveSync to properly respond to the
+request.
+
+Fixes: 039ee17d1baa ("rndis_host: Add RNDIS physical medium checking into generic_rndis_bind()")
+Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
+Link: https://lore.kernel.org/r/20210108095839.3335-1-andrey.zhizhikin@leica-geosystems.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/rndis_host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/rndis_host.c
++++ b/drivers/net/usb/rndis_host.c
+@@ -398,7 +398,7 @@ generic_rndis_bind(struct usbnet *dev, s
+ reply_len = sizeof *phym;
+ retval = rndis_query(dev, intf, u.buf,
+ RNDIS_OID_GEN_PHYSICAL_MEDIUM,
+- 0, (void **) &phym, &reply_len);
++ reply_len, (void **)&phym, &reply_len);
+ if (retval != 0 || !phym) {
+ /* OID is optional so don't fail here. */
+ phym_unspec = cpu_to_le32(RNDIS_PHYSICAL_MEDIUM_UNSPECIFIED);
--- /dev/null
+From foo@baz Fri Jan 22 02:26:36 PM CET 2021
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 12 Jan 2021 15:23:51 +0000
+Subject: rxrpc: Fix handling of an unsupported token type in rxrpc_read()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit d52e419ac8b50c8bef41b398ed13528e75d7ad48 ]
+
+Clang static analysis reports the following:
+
+net/rxrpc/key.c:657:11: warning: Assigned value is garbage or undefined
+ toksize = toksizes[tok++];
+ ^ ~~~~~~~~~~~~~~~
+
+rxrpc_read() contains two consecutive loops. The first loop calculates the
+token sizes and stores the results in toksizes[] and the second one uses
+the array. When there is an error in identifying the token in the first
+loop, the token is skipped, no change is made to the toksizes[] array.
+When the same error happens in the second loop, the token is not skipped.
+This will cause the toksizes[] array to be out of step and will overrun
+past the calculated sizes.
+
+Fix this by making both loops log a message and return an error in this
+case. This should only happen if a new token type is incompletely
+implemented, so it should normally be impossible to trigger this.
+
+Fixes: 9a059cd5ca7d ("rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()")
+Reported-by: Tom Rix <trix@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Tom Rix <trix@redhat.com>
+Link: https://lore.kernel.org/r/161046503122.2445787.16714129930607546635.stgit@warthog.procyon.org.uk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/ar-key.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/ar-key.c
++++ b/net/rxrpc/ar-key.c
+@@ -1116,7 +1116,7 @@ static long rxrpc_read(const struct key
+ default: /* we have a ticket we can't encode */
+ pr_err("Unsupported key token type (%u)\n",
+ token->security_index);
+- continue;
++ return -ENOPKG;
+ }
+
+ _debug("token[%u]: toksize=%u", ntoks, toksize);
+@@ -1236,7 +1236,9 @@ static long rxrpc_read(const struct key
+ break;
+
+ default:
+- break;
++ pr_err("Unsupported key token type (%u)\n",
++ token->security_index);
++ return -ENOPKG;
+ }
+
+ ASSERTCMP((unsigned long)xdr - (unsigned long)oldxdr, ==,
iio-buffer-fix-demux-update.patch
nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch
net-cdc_ncm-correct-overhead-in-delayed_ndp_size.patch
+netxen_nic-fix-msi-msi-x-interrupts.patch
+rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch
+net-dcb-validate-netlink-message-in-dcb-handler.patch
+net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch
+net-sit-unregister_netdevice-on-newlink-s-error-path.patch
+rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch
+net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
