From: Greg Kroah-Hartman Date: Fri, 22 Jan 2021 13:29:46 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.253~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=178d8b3919857f22f5f14dc3b98e870f57270b45;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch net-dcb-validate-netlink-message-in-dcb-handler.patch net-sit-unregister_netdevice-on-newlink-s-error-path.patch netxen_nic-fix-msi-msi-x-interrupts.patch rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch tipc-fix-null-deref-in-tipc_link_xmit.patch --- diff --git a/queue-4.9/net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch b/queue-4.9/net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch new file mode 100644 index 00000000000..38f409411b5 --- /dev/null +++ b/queue-4.9/net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch @@ -0,0 +1,81 @@ +From foo@baz Fri Jan 22 02:14:04 PM CET 2021 +From: Eric Dumazet +Date: Wed, 13 Jan 2021 08:18:19 -0800 +Subject: net: avoid 32 x truesize under-estimation for tiny skbs + +From: Eric Dumazet + +[ Upstream commit 3226b158e67cfaa677fd180152bfb28989cb2fac ] + +Both virtio net and napi_get_frags() allocate skbs +with a very small skb->head + +While using page fragments instead of a kmalloc backed skb->head might give +a small performance improvement in some cases, there is a huge risk of +under estimating memory usage. + +For both GOOD_COPY_LEN and GRO_MAX_HEAD, we can fit at least 32 allocations +per page (order-3 page in x86), or even 64 on PowerPC + +We have been tracking OOM issues on GKE hosts hitting tcp_mem limits +but consuming far more memory for TCP buffers than instructed in tcp_mem[2] + +Even if we force napi_alloc_skb() to only use order-0 pages, the issue +would still be there on arches with PAGE_SIZE >= 32768 + +This patch makes sure that small skb head are kmalloc backed, so that +other objects in the slab page can be reused instead of being held as long +as skbs are sitting in socket queues. + +Note that we might in the future use the sk_buff napi cache, +instead of going through a more expensive __alloc_skb() + +Another idea would be to use separate page sizes depending +on the allocated length (to never have more than 4 frags per page) + +I would like to thank Greg Thelen for his precious help on this matter, +analysing crash dumps is always a time consuming task. + +Fixes: fd11a83dd363 ("net: Pull out core bits of __netdev_alloc_skb and add __napi_alloc_skb") +Signed-off-by: Eric Dumazet +Cc: Paolo Abeni +Cc: Greg Thelen +Reviewed-by: Alexander Duyck +Acked-by: Michael S. Tsirkin +Link: https://lore.kernel.org/r/20210113161819.1155526-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -489,13 +489,17 @@ EXPORT_SYMBOL(__netdev_alloc_skb); + struct sk_buff *__napi_alloc_skb(struct napi_struct *napi, unsigned int len, + gfp_t gfp_mask) + { +- struct napi_alloc_cache *nc = this_cpu_ptr(&napi_alloc_cache); ++ struct napi_alloc_cache *nc; + struct sk_buff *skb; + void *data; + + len += NET_SKB_PAD + NET_IP_ALIGN; + +- if ((len > SKB_WITH_OVERHEAD(PAGE_SIZE)) || ++ /* If requested length is either too small or too big, ++ * we use kmalloc() for skb->head allocation. ++ */ ++ if (len <= SKB_WITH_OVERHEAD(1024) || ++ len > SKB_WITH_OVERHEAD(PAGE_SIZE) || + (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) { + skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX, NUMA_NO_NODE); + if (!skb) +@@ -503,6 +507,7 @@ struct sk_buff *__napi_alloc_skb(struct + goto skb_success; + } + ++ nc = this_cpu_ptr(&napi_alloc_cache); + len += SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); + len = SKB_DATA_ALIGN(len); + diff --git a/queue-4.9/net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch b/queue-4.9/net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch new file mode 100644 index 00000000000..54b7325bc50 --- /dev/null +++ b/queue-4.9/net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch @@ -0,0 +1,49 @@ +From foo@baz Fri Jan 22 02:14:04 PM CET 2021 +From: Petr Machata +Date: Mon, 11 Jan 2021 18:07:07 +0100 +Subject: net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands + +From: Petr Machata + +[ Upstream commit df85bc140a4d6cbaa78d8e9c35154e1a2f0622c7 ] + +In commit 826f328e2b7e ("net: dcb: Validate netlink message in DCB +handler"), Linux started rejecting RTM_GETDCB netlink messages if they +contained a set-like DCB_CMD_ command. + +The reason was that privileges were only verified for RTM_SETDCB messages, +but the value that determined the action to be taken is the command, not +the message type. And validation of message type against the DCB command +was the obvious missing piece. + +Unfortunately it turns out that mlnx_qos, a somewhat widely deployed tool +for configuration of DCB, accesses the DCB set-like APIs through +RTM_GETDCB. + +Therefore do not bounce the discrepancy between message type and command. +Instead, in addition to validating privileges based on the actual message +type, validate them also based on the expected message type. This closes +the loophole of allowing DCB configuration on non-admin accounts, while +maintaining backward compatibility. + +Fixes: 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver") +Fixes: 826f328e2b7e ("net: dcb: Validate netlink message in DCB handler") +Signed-off-by: Petr Machata +Link: https://lore.kernel.org/r/a3edcfda0825f2aa2591801c5232f2bbf2d8a554.1610384801.git.me@pmachata.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/dcb/dcbnl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -1726,7 +1726,7 @@ static int dcb_doit(struct sk_buff *skb, + fn = &reply_funcs[dcb->cmd]; + if (!fn->cb) + return -EOPNOTSUPP; +- if (fn->type != nlh->nlmsg_type) ++ if (fn->type == RTM_SETDCB && !netlink_capable(skb, CAP_NET_ADMIN)) + return -EPERM; + + if (!tb[DCB_ATTR_IFNAME]) diff --git a/queue-4.9/net-dcb-validate-netlink-message-in-dcb-handler.patch b/queue-4.9/net-dcb-validate-netlink-message-in-dcb-handler.patch new file mode 100644 index 00000000000..668be7a0f9c --- /dev/null +++ b/queue-4.9/net-dcb-validate-netlink-message-in-dcb-handler.patch @@ -0,0 +1,47 @@ +From foo@baz Fri Jan 22 02:14:04 PM CET 2021 +From: Petr Machata +Date: Tue, 22 Dec 2020 22:49:44 +0100 +Subject: net: dcb: Validate netlink message in DCB handler + +From: Petr Machata + +[ Upstream commit 826f328e2b7e8854dd42ea44e6519cd75018e7b1 ] + +DCB uses the same handler function for both RTM_GETDCB and RTM_SETDCB +messages. dcb_doit() bounces RTM_SETDCB mesasges if the user does not have +the CAP_NET_ADMIN capability. + +However, the operation to be performed is not decided from the DCB message +type, but from the DCB command. Thus DCB_CMD_*_GET commands are used for +reading DCB objects, the corresponding SET and DEL commands are used for +manipulation. + +The assumption is that set-like commands will be sent via an RTM_SETDCB +message, and get-like ones via RTM_GETDCB. However, this assumption is not +enforced. + +It is therefore possible to manipulate DCB objects without CAP_NET_ADMIN +capability by sending the corresponding command in an RTM_GETDCB message. +That is a bug. Fix it by validating the type of the request message against +the type used for the response. + +Fixes: 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver") +Signed-off-by: Petr Machata +Link: https://lore.kernel.org/r/a2a9b88418f3a58ef211b718f2970128ef9e3793.1608673640.git.me@pmachata.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/dcb/dcbnl.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -1726,6 +1726,8 @@ static int dcb_doit(struct sk_buff *skb, + fn = &reply_funcs[dcb->cmd]; + if (!fn->cb) + return -EOPNOTSUPP; ++ if (fn->type != nlh->nlmsg_type) ++ return -EPERM; + + if (!tb[DCB_ATTR_IFNAME]) + return -EINVAL; diff --git a/queue-4.9/net-sit-unregister_netdevice-on-newlink-s-error-path.patch b/queue-4.9/net-sit-unregister_netdevice-on-newlink-s-error-path.patch new file mode 100644 index 00000000000..598b76c5904 --- /dev/null +++ b/queue-4.9/net-sit-unregister_netdevice-on-newlink-s-error-path.patch @@ -0,0 +1,42 @@ +From foo@baz Fri Jan 22 02:14:04 PM CET 2021 +From: Jakub Kicinski +Date: Wed, 13 Jan 2021 17:29:47 -0800 +Subject: net: sit: unregister_netdevice on newlink's error path + +From: Jakub Kicinski + +[ Upstream commit 47e4bb147a96f1c9b4e7691e7e994e53838bfff8 ] + +We need to unregister the netdevice if config failed. +.ndo_uninit takes care of most of the heavy lifting. + +This was uncovered by recent commit c269a24ce057 ("net: make +free_netdev() more lenient with unregistering devices"). +Previously the partially-initialized device would be left +in the system. + +Reported-and-tested-by: syzbot+2393580080a2da190f04@syzkaller.appspotmail.com +Fixes: e2f1f072db8d ("sit: allow to configure 6rd tunnels via netlink") +Acked-by: Nicolas Dichtel +Link: https://lore.kernel.org/r/20210114012947.2515313-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1583,8 +1583,11 @@ static int ipip6_newlink(struct net *src + } + + #ifdef CONFIG_IPV6_SIT_6RD +- if (ipip6_netlink_6rd_parms(data, &ip6rd)) ++ if (ipip6_netlink_6rd_parms(data, &ip6rd)) { + err = ipip6_tunnel_update_6rd(nt, &ip6rd); ++ if (err < 0) ++ unregister_netdevice_queue(dev, NULL); ++ } + #endif + + return err; diff --git a/queue-4.9/netxen_nic-fix-msi-msi-x-interrupts.patch b/queue-4.9/netxen_nic-fix-msi-msi-x-interrupts.patch new file mode 100644 index 00000000000..f24a27c3957 --- /dev/null +++ b/queue-4.9/netxen_nic-fix-msi-msi-x-interrupts.patch @@ -0,0 +1,59 @@ +From foo@baz Fri Jan 22 02:14:04 PM CET 2021 +From: Manish Chopra +Date: Thu, 7 Jan 2021 02:15:20 -0800 +Subject: netxen_nic: fix MSI/MSI-x interrupts + +From: Manish Chopra + +[ Upstream commit a2bc221b972db91e4be1970e776e98f16aa87904 ] + +For all PCI functions on the netxen_nic adapter, interrupt +mode (INTx or MSI) configuration is dependent on what has +been configured by the PCI function zero in the shared +interrupt register, as these adapters do not support mixed +mode interrupts among the functions of a given adapter. + +Logic for setting MSI/MSI-x interrupt mode in the shared interrupt +register based on PCI function id zero check is not appropriate for +all family of netxen adapters, as for some of the netxen family +adapters PCI function zero is not really meant to be probed/loaded +in the host but rather just act as a management function on the device, +which caused all the other PCI functions on the adapter to always use +legacy interrupt (INTx) mode instead of choosing MSI/MSI-x interrupt mode. + +This patch replaces that check with port number so that for all +type of adapters driver attempts for MSI/MSI-x interrupt modes. + +Fixes: b37eb210c076 ("netxen_nic: Avoid mixed mode interrupts") +Signed-off-by: Manish Chopra +Signed-off-by: Igor Russkikh +Link: https://lore.kernel.org/r/20210107101520.6735-1-manishc@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c ++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +@@ -586,11 +586,6 @@ static const struct net_device_ops netxe + #endif + }; + +-static inline bool netxen_function_zero(struct pci_dev *pdev) +-{ +- return (PCI_FUNC(pdev->devfn) == 0) ? true : false; +-} +- + static inline void netxen_set_interrupt_mode(struct netxen_adapter *adapter, + u32 mode) + { +@@ -686,7 +681,7 @@ static int netxen_setup_intr(struct netx + netxen_initialize_interrupt_registers(adapter); + netxen_set_msix_bit(pdev, 0); + +- if (netxen_function_zero(pdev)) { ++ if (adapter->portnum == 0) { + if (!netxen_setup_msi_interrupts(adapter, num_msix)) + netxen_set_interrupt_mode(adapter, NETXEN_MSI_MODE); + else diff --git a/queue-4.9/rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch b/queue-4.9/rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch new file mode 100644 index 00000000000..139308ff6a9 --- /dev/null +++ b/queue-4.9/rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch @@ -0,0 +1,39 @@ +From foo@baz Fri Jan 22 02:14:04 PM CET 2021 +From: Andrey Zhizhikin +Date: Fri, 8 Jan 2021 09:58:39 +0000 +Subject: rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request + +From: Andrey Zhizhikin + +[ Upstream commit e56b3d94d939f52d46209b9e1b6700c5bfff3123 ] + +MSFT ActiveSync implementation requires that the size of the response for +incoming query is to be provided in the request input length. Failure to +set the input size proper results in failed request transfer, where the +ActiveSync counterpart reports the NDIS_STATUS_INVALID_LENGTH (0xC0010014L) +error. + +Set the input size for OID_GEN_PHYSICAL_MEDIUM query to the expected size +of the response in order for the ActiveSync to properly respond to the +request. + +Fixes: 039ee17d1baa ("rndis_host: Add RNDIS physical medium checking into generic_rndis_bind()") +Signed-off-by: Andrey Zhizhikin +Link: https://lore.kernel.org/r/20210108095839.3335-1-andrey.zhizhikin@leica-geosystems.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/rndis_host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/rndis_host.c ++++ b/drivers/net/usb/rndis_host.c +@@ -398,7 +398,7 @@ generic_rndis_bind(struct usbnet *dev, s + reply_len = sizeof *phym; + retval = rndis_query(dev, intf, u.buf, + RNDIS_OID_GEN_PHYSICAL_MEDIUM, +- 0, (void **) &phym, &reply_len); ++ reply_len, (void **)&phym, &reply_len); + if (retval != 0 || !phym) { + /* OID is optional so don't fail here. */ + phym_unspec = cpu_to_le32(RNDIS_PHYSICAL_MEDIUM_UNSPECIFIED); diff --git a/queue-4.9/rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch b/queue-4.9/rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch new file mode 100644 index 00000000000..72dbf967f19 --- /dev/null +++ b/queue-4.9/rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch @@ -0,0 +1,60 @@ +From foo@baz Fri Jan 22 02:14:04 PM CET 2021 +From: David Howells +Date: Tue, 12 Jan 2021 15:23:51 +0000 +Subject: rxrpc: Fix handling of an unsupported token type in rxrpc_read() + +From: David Howells + +[ Upstream commit d52e419ac8b50c8bef41b398ed13528e75d7ad48 ] + +Clang static analysis reports the following: + +net/rxrpc/key.c:657:11: warning: Assigned value is garbage or undefined + toksize = toksizes[tok++]; + ^ ~~~~~~~~~~~~~~~ + +rxrpc_read() contains two consecutive loops. The first loop calculates the +token sizes and stores the results in toksizes[] and the second one uses +the array. When there is an error in identifying the token in the first +loop, the token is skipped, no change is made to the toksizes[] array. +When the same error happens in the second loop, the token is not skipped. +This will cause the toksizes[] array to be out of step and will overrun +past the calculated sizes. + +Fix this by making both loops log a message and return an error in this +case. This should only happen if a new token type is incompletely +implemented, so it should normally be impossible to trigger this. + +Fixes: 9a059cd5ca7d ("rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()") +Reported-by: Tom Rix +Signed-off-by: David Howells +Reviewed-by: Tom Rix +Link: https://lore.kernel.org/r/161046503122.2445787.16714129930607546635.stgit@warthog.procyon.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/key.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -1106,7 +1106,7 @@ static long rxrpc_read(const struct key + default: /* we have a ticket we can't encode */ + pr_err("Unsupported key token type (%u)\n", + token->security_index); +- continue; ++ return -ENOPKG; + } + + _debug("token[%u]: toksize=%u", ntoks, toksize); +@@ -1226,7 +1226,9 @@ static long rxrpc_read(const struct key + break; + + default: +- break; ++ pr_err("Unsupported key token type (%u)\n", ++ token->security_index); ++ return -ENOPKG; + } + + ASSERTCMP((unsigned long)xdr - (unsigned long)oldxdr, ==, diff --git a/queue-4.9/series b/queue-4.9/series index 13a7abe66a4..4449717fd3e 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -24,3 +24,11 @@ usb-ohci-make-distrust_firmware-param-default-to-false.patch compiler.h-raise-minimum-version-of-gcc-to-5.1-for-arm64.patch nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch net-cdc_ncm-correct-overhead-in-delayed_ndp_size.patch +netxen_nic-fix-msi-msi-x-interrupts.patch +rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch +net-dcb-validate-netlink-message-in-dcb-handler.patch +net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch +net-sit-unregister_netdevice-on-newlink-s-error-path.patch +net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch +rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch +tipc-fix-null-deref-in-tipc_link_xmit.patch diff --git a/queue-4.9/tipc-fix-null-deref-in-tipc_link_xmit.patch b/queue-4.9/tipc-fix-null-deref-in-tipc_link_xmit.patch new file mode 100644 index 00000000000..b043233892d --- /dev/null +++ b/queue-4.9/tipc-fix-null-deref-in-tipc_link_xmit.patch @@ -0,0 +1,77 @@ +From foo@baz Fri Jan 22 12:59:03 PM CET 2021 +From: Hoang Le +Date: Fri, 8 Jan 2021 14:13:37 +0700 +Subject: tipc: fix NULL deref in tipc_link_xmit() + +From: Hoang Le + +[ Upstream commit b77413446408fdd256599daf00d5be72b5f3e7c6 ] + +The buffer list can have zero skb as following path: +tipc_named_node_up()->tipc_node_xmit()->tipc_link_xmit(), so +we need to check the list before casting an &sk_buff. + +Fault report: + [] tipc: Bulk publication failure + [] general protection fault, probably for non-canonical [#1] PREEMPT [...] + [] KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf] + [] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 5.10.0-rc4+ #2 + [] Hardware name: Bochs ..., BIOS Bochs 01/01/2011 + [] RIP: 0010:tipc_link_xmit+0xc1/0x2180 + [] Code: 24 b8 00 00 00 00 4d 39 ec 4c 0f 44 e8 e8 d7 0a 10 f9 48 [...] + [] RSP: 0018:ffffc90000006ea0 EFLAGS: 00010202 + [] RAX: dffffc0000000000 RBX: ffff8880224da000 RCX: 1ffff11003d3cc0d + [] RDX: 0000000000000019 RSI: ffffffff886007b9 RDI: 00000000000000c8 + [] RBP: ffffc90000007018 R08: 0000000000000001 R09: fffff52000000ded + [] R10: 0000000000000003 R11: fffff52000000dec R12: ffffc90000007148 + [] R13: 0000000000000000 R14: 0000000000000000 R15: ffffc90000007018 + [] FS: 0000000000000000(0000) GS:ffff888037400000(0000) knlGS:000[...] + [] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [] CR2: 00007fffd2db5000 CR3: 000000002b08f000 CR4: 00000000000006f0 + +Fixes: af9b028e270fd ("tipc: make media xmit call outside node spinlock context") +Acked-by: Jon Maloy +Signed-off-by: Hoang Le +Link: https://lore.kernel.org/r/20210108071337.3598-1-hoang.h.le@dektech.com.au +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/link.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/tipc/link.c ++++ b/net/tipc/link.c +@@ -877,9 +877,8 @@ void tipc_link_reset(struct tipc_link *l + int tipc_link_xmit(struct tipc_link *l, struct sk_buff_head *list, + struct sk_buff_head *xmitq) + { +- struct tipc_msg *hdr = buf_msg(skb_peek(list)); + unsigned int maxwin = l->window; +- unsigned int i, imp = msg_importance(hdr); ++ unsigned int i; + unsigned int mtu = l->mtu; + u16 ack = l->rcv_nxt - 1; + u16 seqno = l->snd_nxt; +@@ -888,7 +887,13 @@ int tipc_link_xmit(struct tipc_link *l, + struct sk_buff_head *backlogq = &l->backlogq; + struct sk_buff *skb, *_skb, *bskb; + int pkt_cnt = skb_queue_len(list); ++ struct tipc_msg *hdr; ++ int imp; + ++ if (pkt_cnt <= 0) ++ return 0; ++ ++ imp = msg_importance(hdr); + /* Match msg importance against this and all higher backlog limits: */ + if (!skb_queue_empty(backlogq)) { + for (i = imp; i <= TIPC_SYSTEM_IMPORTANCE; i++) { +@@ -896,6 +901,8 @@ int tipc_link_xmit(struct tipc_link *l, + return link_schedule_user(l, list); + } + } ++ ++ hdr = buf_msg(skb_peek(list)); + if (unlikely(msg_size(hdr) > mtu)) { + skb_queue_purge(list); + return -EMSGSIZE;