--- /dev/null
+From a3c4a125ec725cefb40047eb05ff9eafd57830b4 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@google.com>
+Date: Fri, 11 Jul 2025 05:32:07 +0000
+Subject: netlink: Fix rmem check in netlink_broadcast_deliver().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+commit a3c4a125ec725cefb40047eb05ff9eafd57830b4 upstream.
+
+We need to allow queuing at least one skb even when skb is
+larger than sk->sk_rcvbuf.
+
+The cited commit made a mistake while converting a condition
+in netlink_broadcast_deliver().
+
+Let's correct the rmem check for the allow-one-skb rule.
+
+Fixes: ae8f160e7eb24 ("netlink: Fix wraparounds of sk->sk_rmem_alloc.")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250711053208.2965945-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1393,7 +1393,7 @@ static int netlink_broadcast_deliver(str
+ rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
+ rcvbuf = READ_ONCE(sk->sk_rcvbuf);
+
+- if ((rmem != skb->truesize || rmem <= rcvbuf) &&
++ if ((rmem == skb->truesize || rmem <= rcvbuf) &&
+ !test_bit(NETLINK_S_CONGESTED, &nlk->state)) {
+ netlink_skb_set_owner_r(skb, sk);
+ __netlink_sendskb(sk, skb);
--- /dev/null
+From a215b5723922f8099078478122f02100e489cb80 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Thu, 10 Jul 2025 17:11:21 -0700
+Subject: netlink: make sure we allow at least one dump skb
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+commit a215b5723922f8099078478122f02100e489cb80 upstream.
+
+Commit under Fixes tightened up the memory accounting for Netlink
+sockets. Looks like the accounting is too strict for some existing
+use cases, Marek reported issues with nl80211 / WiFi iw CLI.
+
+To reduce number of iterations Netlink dumps try to allocate
+messages based on the size of the buffer passed to previous
+recvmsg() calls. If user space uses a larger buffer in recvmsg()
+than sk_rcvbuf we will allocate an skb we won't be able to queue.
+
+Make sure we always allow at least one skb to be queued.
+Same workaround is already present in netlink_attachskb().
+Alternative would be to cap the allocation size to
+ rcvbuf - rmem_alloc
+but as I said, the workaround is already present in other places.
+
+Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Link: https://lore.kernel.org/9794af18-4905-46c6-b12c-365ea2f05858@samsung.com
+Fixes: ae8f160e7eb2 ("netlink: Fix wraparounds of sk->sk_rmem_alloc.")
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250711001121.3649033-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2168,11 +2168,11 @@ static int netlink_dump(struct sock *sk,
+ struct netlink_ext_ack extack = {};
+ struct netlink_callback *cb;
+ struct sk_buff *skb = NULL;
++ unsigned int rmem, rcvbuf;
+ size_t max_recvmsg_len;
+ struct module *module;
+ int err = -ENOBUFS;
+ int alloc_min_size;
+- unsigned int rmem;
+ int alloc_size;
+
+ if (!lock_taken)
+@@ -2204,8 +2204,9 @@ static int netlink_dump(struct sock *sk,
+ if (!skb)
+ goto errout_skb;
+
++ rcvbuf = READ_ONCE(sk->sk_rcvbuf);
+ rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
+- if (rmem >= READ_ONCE(sk->sk_rcvbuf)) {
++ if (rmem != skb->truesize && rmem >= rcvbuf) {
+ atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
+ goto errout_skb;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
