On Sat, Dec 05, 2020 at 09:59:57AM +0100, Greg KH wrote:
> On Sat, Dec 05, 2020 at 12:48:48AM +0000, Will McVicker wrote:
> > The HID subsystem allows an "HID report field" to have a different
> > number of "values" and "usages" when it is allocated. When a field
> > struct is created, the size of the usage array is guaranteed to be at
> > least as large as the values array, but it may be larger. This leads to
> > a potential out-of-bounds write in
> > __hidinput_change_resolution_multipliers() and an out-of-bounds read in
> > hidinput_count_leds().
> >
> > To fix this, let's make sure that both the usage and value arrays are
> > the same size.
> >
> > Signed-off-by: Will McVicker <willmcvicker(a)google.com>
>
> Any reason not to also add a cc: stable on this?

No reason not to include stable. CC'd here.

>
> And, has this always been the case, or was this caused by some specific
> commit in the past? If so, a "Fixes:" tag is always nice to include.

I dug into the history and it's been like this for the past 10 years. So yeah,
pretty much always like this.

>
> And finally, as you have a fix for this already, no need to cc:
> security(a)k.o as there's nothing the people there can do about it now :)

Is that short for security(a)kernel.org? If yes, then I did include them. If no,
do you mind explaining?

>
> thanks,
>
> greg k-h
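
A simplified user-space model of the size mismatch described in the quoted commit message, added here as an illustration; it is not kernel code and not the patch under discussion. The struct, the function names, the sample sizes and the loop that indexes the value array by usage index are all assumptions.

```c
#include <stdlib.h>

/* User-space model of a report field; every name here is hypothetical. */
struct model_field {
    unsigned maxusage;    /* entries in usage[] */
    unsigned value_slots; /* entries allocated for value[] */
    unsigned *usage;
    int *value;
};

void field_free(struct model_field *f)
{
    if (f) { free(f->usage); free(f->value); }
    free(f);
}

/* same_size selects the fixed layout: both arrays get the larger count. */
struct model_field *field_alloc(unsigned usages, unsigned values, int same_size)
{
    struct model_field *f = calloc(1, sizeof(*f));
    if (!f) return NULL;
    if (same_size)
        usages = values = usages > values ? usages : values;
    f->usage = calloc(usages ? usages : 1, sizeof(*f->usage));
    f->value = calloc(values ? values : 1, sizeof(*f->value));
    if (!f->usage || !f->value) { field_free(f); return NULL; }
    f->maxusage = usages;
    f->value_slots = values;
    return f;
}

/* Assumed access pattern: index value[] by usage index j; count overruns. */
unsigned set_all_values(struct model_field *f, int v)
{
    unsigned out_of_range = 0;
    for (unsigned j = 0; j < f->maxusage; j++) {
        if (j < f->value_slots) f->value[j] = v;
        else out_of_range++;
    }
    return out_of_range;
}

int main(void)
{
    struct model_field *f = field_alloc(8, 3, 0); /* constructed: 8 usages, 3 values */
    unsigned bad = f ? set_all_values(f, 1) : 0;
    field_free(f);
    return bad == 5 ? 0 : 1; /* exit 0 when the mismatch is detected */
}
```

With independently sized arrays the walker reports five indices that fall outside the value array; with both arrays sized to the larger count it reports none.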
Previously receiver buffer auto-tuning started after receiving
one advertised window amount of data. After the initial
receiver buffer was raised by
commit a337531b942b ("tcp: up initial rmem to 128KB
and SYN rwin to around 64KB"), the receiver buffer may
take too long for TCP autotuning to start raising
the receiver buffer size.

commit 041a14d26715 ("tcp: start receiver buffer autotuning sooner")
tried to decrease the threshold at which TCP auto-tuning starts
but it doesn't work well in some environments
where the receiver has a large MTU (9001) configured,
especially within environments where RTT is high.

To address this issue this patch is relying on RCV_MSS
so auto-tuning can start early regardless of
the receiver's configured MTU.

Fixes: a337531b942b ("tcp: up initial rmem to 128KB and SYN rwin to around 64KB")
Fixes: 041a14d26715 ("tcp: start receiver buffer autotuning sooner")
Signed-off-by: Hazem Mohamed Abuelfotoh <abuehaze(a)amazon.com>
---
net/ipv4/tcp_input.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 389d1b340248..f0ffac9e937b 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -504,13 +504,14 @@ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb)
static void tcp_init_buffer_space(struct sock *sk)
{
int tcp_app_win = sock_net(sk)->ipv4.sysctl_tcp_app_win;
+ struct inet_connection_sock *icsk = inet_csk(sk);
struct tcp_sock *tp = tcp_sk(sk);
int maxwin;
if (!(sk->sk_userlocks & SOCK_SNDBUF_LOCK))
tcp_sndbuf_expand(sk);
- tp->rcvq_space.space = min_t(u32, tp->rcv_wnd, TCP_INIT_CWND * tp->advmss);
+ tp->rcvq_space.space = min_t(u32, tp->rcv_wnd, TCP_INIT_CWND * icsk->icsk_ack.rcv_mss);
tcp_mstamp_refresh(tp);
tp->rcvq_space.time = tp->tcp_mstamp;
tp->rcvq_space.seq = tp->copied_seq;
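Review bot: Nothing in this hunk shows that icsk->icsk_ack.rcv_mss already holds a non-zero value when the replacement line in tcp_init_buffer_space() reads it; if it were still 0 at this point, min_t() would set rcvq_space.space to 0. Please add a comment above the assignment saying where rcv_mss gets its starting value and why that value does not depend on the receiver's MTU, since the commit message rests on that independence. The new assignment also runs well past 80 columns and could be wrapped after tp->rcv_wnd,.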
--
2.16.6
Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, R.C.S. Luxembourg B186284
Amazon Web Services EMEA SARL, Irish Branch, One Burlington Plaza, Burlington Road, Dublin 4, Ireland, branch registration number 908705
Previously receiver buffer auto-tuning started after receiving
one advertised window amount of data. After the initial
receiver buffer was raised by
commit a337531b942b ("tcp: up initial rmem to 128KB
and SYN rwin to around 64KB"), the receiver buffer may
take too long for TCP autotuning to start raising
the receiver buffer size.

commit 041a14d26715 ("tcp: start receiver buffer autotuning sooner")
tried to decrease the threshold at which TCP auto-tuning starts
but it doesn't work well in some environments
where the receiver has a large MTU (9001), especially with high RTT
connections, as in these environments rcvq_space.space will be the same
as rcv_wnd so TCP autotuning will never start because
the sender can't send more than rcv_wnd size in one round trip.

To address this issue this patch is decreasing the initial
rcvq_space.space so TCP autotuning kicks in whenever the sender is
able to send more than 5360 bytes in one round trip regardless of the
receiver's configured MTU.

Fixes: a337531b942b ("tcp: up initial rmem to 128KB and SYN rwin to around 64KB")
Fixes: 041a14d26715 ("tcp: start receiver buffer autotuning sooner")
Signed-off-by: Hazem Mohamed Abuelfotoh <abuehaze(a)amazon.com>
---
net/ipv4/tcp_input.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 389d1b340248..f0ffac9e937b 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -504,13 +504,14 @@ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb)
static void tcp_init_buffer_space(struct sock *sk)
{
int tcp_app_win = sock_net(sk)->ipv4.sysctl_tcp_app_win;
+ struct inet_connection_sock *icsk = inet_csk(sk);
struct tcp_sock *tp = tcp_sk(sk);
int maxwin;
if (!(sk->sk_userlocks & SOCK_SNDBUF_LOCK))
tcp_sndbuf_expand(sk);
- tp->rcvq_space.space = min_t(u32, tp->rcv_wnd, TCP_INIT_CWND * tp->advmss);
+ tp->rcvq_space.space = min_t(u32, tp->rcv_wnd, TCP_INIT_CWND * icsk->icsk_ack.rcv_mss);
tcp_mstamp_refresh(tp);
tp->rcvq_space.time = tp->tcp_mstamp;
tp->rcvq_space.seq = tp->copied_seq;
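Review bot: The 5360-byte threshold promised in the commit message does not appear anywhere in the replacement line of tcp_init_buffer_space(), which only shows TCP_INIT_CWND * icsk->icsk_ack.rcv_mss, so the figure holds only if rcv_mss has one specific value at this point and the hunk does not establish that. Either state in the commit message which rcv_mss value is assumed, or add a comment at the assignment that ties the product to the stated number. The new local icsk is used exactly once; reading inet_csk(sk)->icsk_ack.rcv_mss directly would avoid the extra declaration.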
--
2.16.6
This is the start of the stable review cycle for the 4.14.211 release.
There are 20 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Tue, 08 Dec 2020 11:15:42 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.211-r…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.14.211-rc1
Shiraz Saleem <shiraz.saleem(a)intel.com>
RDMA/i40iw: Address an mmap handler exploit in i40iw
Po-Hsu Lin <po-hsu.lin(a)canonical.com>
Input: i8042 - add ByteSpeed touchpad to noloop table
Sanjay Govind <sanjay.govind9(a)gmail.com>
Input: xpad - support Ardwiino Controllers
Hector Martin <marcan(a)marcan.st>
ALSA: usb-audio: US16x08: fix value count for level meters
Krzysztof Kozlowski <krzk(a)kernel.org>
dt-bindings: net: correct interrupt flags in examples
Eran Ben Elisha <eranbe(a)nvidia.com>
net/mlx5: Fix wrong address reclaim when command interface is down
Zhang Changzhong <zhangchangzhong(a)huawei.com>
net: pasemi: fix error return code in pasemi_mac_open()
Zhang Changzhong <zhangchangzhong(a)huawei.com>
cxgb3: fix error return code in t3_sge_alloc_qset()
Dan Carpenter <dan.carpenter(a)oracle.com>
net/x25: prevent a couple of overflows
Thomas Falcon <tlfalcon(a)linux.ibm.com>
ibmvnic: Fix TX completion error handling
Thomas Falcon <tlfalcon(a)linux.ibm.com>
ibmvnic: Ensure that SCRQ entry reads are correctly ordered
Guillaume Nault <gnault(a)redhat.com>
ipv4: Fix tos mask in inet_rtm_getroute()
Antoine Tenart <atenart(a)kernel.org>
netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal
Jamie Iles <jamie(a)nuviainc.com>
bonding: wait for sysfs kobject destruction before freeing struct slave
Yves-Alexis Perez <corsac(a)corsac.net>
usbnet: ipheth: fix connectivity with iOS 14
Jens Axboe <axboe(a)kernel.dk>
tun: honor IOCB_NOWAIT flag
Alexander Duyck <alexanderduyck(a)fb.com>
tcp: Set INET_ECN_xmit configuration in tcp_reinit_congestion_control
Willem de Bruijn <willemb(a)google.com>
sock: set sk_err to ee_errno on dequeue from errq
Anmol Karn <anmol.karan123(a)gmail.com>
rose: Fix Null pointer dereference in rose_send_frame()
Julian Wiedmann <jwi(a)linux.ibm.com>
net/af_iucv: set correct sk_protocol for child sockets
-------------
Diffstat:
.../devicetree/bindings/net/nfc/nxp-nci.txt | 2 +-
.../devicetree/bindings/net/nfc/pn544.txt | 2 +-
Makefile | 4 +-
drivers/infiniband/hw/i40iw/i40iw_main.c | 5 --
drivers/infiniband/hw/i40iw/i40iw_verbs.c | 36 +++----------
drivers/input/joystick/xpad.c | 2 +
drivers/input/serio/i8042-x86ia64io.h | 4 ++
drivers/net/bonding/bond_main.c | 61 +++++++++++++++-------
drivers/net/bonding/bond_sysfs_slave.c | 18 +------
drivers/net/ethernet/chelsio/cxgb3/sge.c | 1 +
drivers/net/ethernet/ibm/ibmvnic.c | 22 ++++++--
.../net/ethernet/mellanox/mlx5/core/pagealloc.c | 21 +++++++-
drivers/net/ethernet/pasemi/pasemi_mac.c | 8 ++-
drivers/net/tun.c | 14 +++--
drivers/net/usb/ipheth.c | 2 +-
include/net/bonding.h | 8 +++
net/bridge/br_netfilter_hooks.c | 7 ++-
net/core/skbuff.c | 2 +-
net/ipv4/route.c | 7 +--
net/ipv4/tcp_cong.c | 5 ++
net/iucv/af_iucv.c | 4 +-
net/rose/rose_loopback.c | 17 ++++--
net/x25/af_x25.c | 6 ++-
sound/usb/mixer_us16x08.c | 2 +-
24 files changed, 161 insertions(+), 99 deletions(-)
This is the start of the stable review cycle for the 5.4.82 release.
There are 39 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Tue, 08 Dec 2020 11:15:42 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.82-rc1…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 5.4.82-rc1
Shiraz Saleem <shiraz.saleem(a)intel.com>
RDMA/i40iw: Address an mmap handler exploit in i40iw
Vasily Averin <vvs(a)virtuozzo.com>
tracing: Remove WARN_ON in start_thread()
Po-Hsu Lin <po-hsu.lin(a)canonical.com>
Input: i8042 - add ByteSpeed touchpad to noloop table
Sanjay Govind <sanjay.govind9(a)gmail.com>
Input: xpad - support Ardwiino Controllers
Hector Martin <marcan(a)marcan.st>
ALSA: usb-audio: US16x08: fix value count for level meters
Eran Ben Elisha <eranbe(a)nvidia.com>
net/mlx5: Fix wrong address reclaim when command interface is down
Yevgeny Kliteynik <kliteyn(a)nvidia.com>
net/mlx5: DR, Proper handling of unsupported Connect-X6DX SW steering
Davide Caratti <dcaratti(a)redhat.com>
net/sched: act_mpls: ensure LSE is pullable before reading it
Davide Caratti <dcaratti(a)redhat.com>
net: openvswitch: ensure LSE is pullable before reading it
Davide Caratti <dcaratti(a)redhat.com>
net: skbuff: ensure LSE is pullable before decrementing the MPLS ttl
Wang Hai <wanghai38(a)huawei.com>
net: mvpp2: Fix error return code in mvpp2_open()
Dan Carpenter <dan.carpenter(a)oracle.com>
chelsio/chtls: fix a double free in chtls_setkey()
Zhang Changzhong <zhangchangzhong(a)huawei.com>
vxlan: fix error return code in __vxlan_dev_create()
Zhang Changzhong <zhangchangzhong(a)huawei.com>
net: pasemi: fix error return code in pasemi_mac_open()
Zhang Changzhong <zhangchangzhong(a)huawei.com>
cxgb3: fix error return code in t3_sge_alloc_qset()
Dan Carpenter <dan.carpenter(a)oracle.com>
net/x25: prevent a couple of overflows
Antoine Tenart <atenart(a)kernel.org>
net: ip6_gre: set dev->hard_header_len when using header_ops
Eric Dumazet <edumazet(a)google.com>
geneve: pull IP header before ECN decapsulation
Toke Høiland-Jørgensen <toke(a)redhat.com>
inet_ecn: Fix endianness of checksum update when setting ECT(1)
Thomas Falcon <tlfalcon(a)linux.ibm.com>
ibmvnic: Fix TX completion error handling
Thomas Falcon <tlfalcon(a)linux.ibm.com>
ibmvnic: Ensure that SCRQ entry reads are correctly ordered
Vinay Kumar Yadav <vinay.yadav(a)chelsio.com>
chelsio/chtls: fix panic during unload reload chtls
Krzysztof Kozlowski <krzk(a)kernel.org>
dt-bindings: net: correct interrupt flags in examples
Guillaume Nault <gnault(a)redhat.com>
ipv4: Fix tos mask in inet_rtm_getroute()
Antoine Tenart <atenart(a)kernel.org>
netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal
Vincent Guittot <vincent.guittot(a)linaro.org>
sched/fair: Fix unthrottle_cfs_rq() for leaf_cfs_rq list
Maurizio Drocco <maurizio.drocco(a)ibm.com>
ima: extend boot_aggregate with kernel measurements
Randy Dunlap <rdunlap(a)infradead.org>
staging/octeon: fix up merge error
Jamie Iles <jamie(a)nuviainc.com>
bonding: wait for sysfs kobject destruction before freeing struct slave
Yves-Alexis Perez <corsac(a)corsac.net>
usbnet: ipheth: fix connectivity with iOS 14
Jens Axboe <axboe(a)kernel.dk>
tun: honor IOCB_NOWAIT flag
Alexander Duyck <alexanderduyck(a)fb.com>
tcp: Set INET_ECN_xmit configuration in tcp_reinit_congestion_control
Willem de Bruijn <willemb(a)google.com>
sock: set sk_err to ee_errno on dequeue from errq
Anmol Karn <anmol.karan123(a)gmail.com>
rose: Fix Null pointer dereference in rose_send_frame()
Maxim Mikityanskiy <maximmi(a)mellanox.com>
net/tls: Protect from calling tls_dev_del for TLS RX twice
Vadim Fedorenko <vfedorenko(a)novek.ru>
net/tls: missing received data after fast remote close
Julian Wiedmann <jwi(a)linux.ibm.com>
net/af_iucv: set correct sk_protocol for child sockets
Wang Hai <wanghai38(a)huawei.com>
ipv6: addrlabel: fix possible memory leak in ip6addrlbl_net_init
Parav Pandit <parav(a)nvidia.com>
devlink: Hold rtnl lock while reading netdev attributes
-------------
Diffstat:
.../devicetree/bindings/net/can/tcan4x5x.txt | 2 +-
.../devicetree/bindings/net/nfc/nxp-nci.txt | 2 +-
.../devicetree/bindings/net/nfc/pn544.txt | 2 +-
Makefile | 4 +-
drivers/crypto/chelsio/chtls/chtls_cm.c | 1 +
drivers/crypto/chelsio/chtls/chtls_hw.c | 1 +
drivers/infiniband/hw/i40iw/i40iw_main.c | 5 --
drivers/infiniband/hw/i40iw/i40iw_verbs.c | 36 +++----------
drivers/input/joystick/xpad.c | 2 +
drivers/input/serio/i8042-x86ia64io.h | 4 ++
drivers/net/bonding/bond_main.c | 61 +++++++++++++++-------
drivers/net/bonding/bond_sysfs_slave.c | 18 +------
drivers/net/ethernet/chelsio/cxgb3/sge.c | 1 +
drivers/net/ethernet/ibm/ibmvnic.c | 22 ++++++--
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 1 +
.../net/ethernet/mellanox/mlx5/core/pagealloc.c | 21 +++++++-
.../ethernet/mellanox/mlx5/core/steering/dr_cmd.c | 1 +
.../mellanox/mlx5/core/steering/dr_domain.c | 5 ++
.../mellanox/mlx5/core/steering/dr_types.h | 1 +
drivers/net/ethernet/pasemi/pasemi_mac.c | 8 ++-
drivers/net/geneve.c | 20 +++++--
drivers/net/tun.c | 14 +++--
drivers/net/usb/ipheth.c | 2 +-
drivers/net/vxlan.c | 4 +-
drivers/staging/octeon/ethernet-tx.c | 2 +-
include/linux/mlx5/mlx5_ifc.h | 9 +++-
include/net/bonding.h | 8 +++
include/net/inet_ecn.h | 2 +-
include/net/tls.h | 6 +++
kernel/sched/fair.c | 36 ++++++++++---
kernel/trace/trace_hwlat.c | 2 +-
net/bridge/br_netfilter_hooks.c | 7 ++-
net/core/devlink.c | 4 ++
net/core/skbuff.c | 5 +-
net/ipv4/route.c | 7 +--
net/ipv4/tcp_cong.c | 5 ++
net/ipv6/addrlabel.c | 26 +++++----
net/ipv6/ip6_gre.c | 16 ++++--
net/iucv/af_iucv.c | 4 +-
net/openvswitch/actions.c | 3 ++
net/rose/rose_loopback.c | 17 ++++--
net/sched/act_mpls.c | 3 ++
net/tls/tls_device.c | 5 +-
net/tls/tls_sw.c | 6 +++
net/x25/af_x25.c | 6 ++-
security/integrity/ima/ima.h | 2 +-
security/integrity/ima/ima_crypto.c | 15 +++++-
sound/usb/mixer_us16x08.c | 2 +-
48 files changed, 304 insertions(+), 132 deletions(-)