4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 10 Apr 2018 07:12:04 +0000 (09:12 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 10 Apr 2018 07:12:04 +0000 (09:12 +0200)
added patches:
rxrpc-check-return-value-of-skb_to_sgvec-always.patch
virtio_net-check-return-value-of-skb_to_sgvec-always.patch
virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch

queue-4.9/rxrpc-check-return-value-of-skb_to_sgvec-always.patch [new file with mode: 0644]
queue-4.9/virtio_net-check-return-value-of-skb_to_sgvec-always.patch [new file with mode: 0644]
queue-4.9/virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch [new file with mode: 0644]

diff --git a/queue-4.9/rxrpc-check-return-value-of-skb_to_sgvec-always.patch b/queue-4.9/rxrpc-check-return-value-of-skb_to_sgvec-always.patch
new file mode 100644 (file)
index 0000000..80156a0
--- /dev/null
@@ -0,0 +1,75 @@
+From 89a5ea99662505d2d61f2a3030a6896c2cb3cdb0 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 4 Jun 2017 04:16:24 +0200
+Subject: rxrpc: check return value of skb_to_sgvec always
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit 89a5ea99662505d2d61f2a3030a6896c2cb3cdb0 upstream.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rxrpc/rxkad.c |   19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/net/rxrpc/rxkad.c
++++ b/net/rxrpc/rxkad.c
+@@ -229,7 +229,9 @@ static int rxkad_secure_packet_encrypt(c
+       len &= ~(call->conn->size_align - 1);
+       sg_init_table(sg, nsg);
+-      skb_to_sgvec(skb, sg, 0, len);
++      err = skb_to_sgvec(skb, sg, 0, len);
++      if (unlikely(err < 0))
++              goto out;
+       skcipher_request_set_crypt(req, sg, sg, len, iv.x);
+       crypto_skcipher_encrypt(req);
+@@ -325,7 +327,7 @@ static int rxkad_verify_packet_1(struct
+       struct sk_buff *trailer;
+       u32 data_size, buf;
+       u16 check;
+-      int nsg;
++      int nsg, ret;
+       _enter("");
+@@ -342,7 +344,9 @@ static int rxkad_verify_packet_1(struct
+               goto nomem;
+       sg_init_table(sg, nsg);
+-      skb_to_sgvec(skb, sg, offset, 8);
++      ret = skb_to_sgvec(skb, sg, offset, 8);
++      if (unlikely(ret < 0))
++              return ret;
+       /* start the decryption afresh */
+       memset(&iv, 0, sizeof(iv));
+@@ -405,7 +409,7 @@ static int rxkad_verify_packet_2(struct
+       struct sk_buff *trailer;
+       u32 data_size, buf;
+       u16 check;
+-      int nsg;
++      int nsg, ret;
+       _enter(",{%d}", skb->len);
+@@ -429,7 +433,12 @@ static int rxkad_verify_packet_2(struct
+       }
+       sg_init_table(sg, nsg);
+-      skb_to_sgvec(skb, sg, offset, len);
++      ret = skb_to_sgvec(skb, sg, offset, len);
++      if (unlikely(ret < 0)) {
++              if (sg != _sg)
++                      kfree(sg);
++              return ret;
++      }
+       /* decrypt from the session key */
+       token = call->conn->params.key->payload.data[0];
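Review bot: In rxkad_verify_packet_1 the new failure path is a bare `return ret;`, while the check just above it in the same hunk exits through `goto nomem;`, so a skb_to_sgvec() failure bypasses whatever that label does. The label's body is outside the hunk, so confirm that callers expect a raw negative value on this path. The open-coded `if (sg != _sg) kfree(sg);` in rxkad_verify_packet_2 is right for this exit, but a shared cleanup label would be safer if the function has other exits after the allocation. In rxkad_secure_packet_encrypt the result of `crypto_skcipher_encrypt(req);` on the line after the new check is still discarded, so an encryption failure would presumably go unreported. `err = crypto_skcipher_encrypt(req);` followed by the same `if (unlikely(err < 0)) goto out;` test would close that.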
diff --git a/queue-4.9/virtio_net-check-return-value-of-skb_to_sgvec-always.patch b/queue-4.9/virtio_net-check-return-value-of-skb_to_sgvec-always.patch
new file mode 100644 (file)
index 0000000..2c27ccb
--- /dev/null
@@ -0,0 +1,50 @@
+From e2fcad58fd230f635a74e4e983c6f4ea893642d2 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 4 Jun 2017 04:16:26 +0200
+Subject: virtio_net: check return value of skb_to_sgvec always
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit e2fcad58fd230f635a74e4e983c6f4ea893642d2 upstream.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/virtio_net.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -831,7 +831,7 @@ static int xmit_skb(struct send_queue *s
+       struct virtio_net_hdr_mrg_rxbuf *hdr;
+       const unsigned char *dest = ((struct ethhdr *)skb->data)->h_dest;
+       struct virtnet_info *vi = sq->vq->vdev->priv;
+-      unsigned num_sg;
++      int num_sg;
+       unsigned hdr_len = vi->hdr_len;
+       bool can_push;
+@@ -858,11 +858,16 @@ static int xmit_skb(struct send_queue *s
+       if (can_push) {
+               __skb_push(skb, hdr_len);
+               num_sg = skb_to_sgvec(skb, sq->sg, 0, skb->len);
++              if (unlikely(num_sg < 0))
++                      return num_sg;
+               /* Pull header back to avoid skew in tx bytes calculations. */
+               __skb_pull(skb, hdr_len);
+       } else {
+               sg_set_buf(sq->sg, hdr, hdr_len);
+-              num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len) + 1;
++              num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len);
++              if (unlikely(num_sg < 0))
++                      return num_sg;
++              num_sg++;
+       }
+       return virtqueue_add_outbuf(sq->vq, sq->sg, num_sg, skb, GFP_ATOMIC);
+ }
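Review bot: In the `can_push` branch of xmit_skb the new `return num_sg;` runs after `__skb_push(skb, hdr_len)` but before `__skb_pull(skb, hdr_len)`, so on failure the skb returns to the caller with the virtio header still pushed. That is harmless only if every caller frees the skb on error without looking at its data pointer or length, which is not visible in this hunk. Moving the pull above the check keeps the skb consistent on both paths: `__skb_pull(skb, hdr_len);` and then `if (unlikely(num_sg < 0)) return num_sg;`. The change of `num_sg` from `unsigned` to `int` is what makes the `< 0` test meaningful and should stay.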
diff --git a/queue-4.9/virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch b/queue-4.9/virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch
new file mode 100644 (file)
index 0000000..dfac4c4
--- /dev/null
@@ -0,0 +1,44 @@
+From natechancellor@gmail.com  Tue Apr 10 08:34:50 2018
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon,  9 Apr 2018 18:21:50 -0700
+Subject: virtio_net: check return value of skb_to_sgvec in one more location
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org
+Cc: Nathan Chancellor <natechancellor@gmail.com>, "Jason A . Donenfeld" <Jason@zx2c4.com>, Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>, "Michael S. Tsirkin" <mst@redhat.com>, Jason Wang <jasowang@redhat.com>, "David S . Miller" <davem@davemloft.net>
+Message-ID: <20180410012150.6573-10-natechancellor@gmail.com>
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+Kernels that do not have f6b10209b90d ("virtio-net: switch to use
+build_skb() for small buffer") will have an extra call to skb_to_sgvec
+that is not handled by e2fcad58fd23 ("virtio_net: check return value of
+skb_to_sgvec always"). Since the former does not appear to be stable
+material, just fix the call up directly.
+
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/virtio_net.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -529,7 +529,12 @@ static int add_recvbuf_small(struct virt
+       hdr = skb_vnet_hdr(skb);
+       sg_init_table(rq->sg, 2);
+       sg_set_buf(rq->sg, hdr, vi->hdr_len);
+-      skb_to_sgvec(skb, rq->sg + 1, 0, skb->len);
++
++      err = skb_to_sgvec(skb, rq->sg + 1, 0, skb->len);
++      if (unlikely(err < 0)) {
++              dev_kfree_skb(skb);
++              return err;
++      }
+       err = virtqueue_add_inbuf(rq->vq, rq->sg, 2, skb, gfp);
+       if (err < 0)
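Review bot: The new error branch in add_recvbuf_small repeats the `dev_kfree_skb(skb)` cleanup that the existing `if (err < 0)` at the end of the hunk appears to guard; the statement under that test is outside the hunk. Guarding the enqueue instead, with `if (likely(err >= 0)) err = virtqueue_add_inbuf(rq->vq, rq->sg, 2, skb, gfp);`, would leave a single free-and-return path. The positive count returned by skb_to_sgvec() is discarded and `2` is passed unconditionally, so a comment would help, for example `/* rq->sg was initialised with 2 entries: header plus one data entry; bail out if the skb cannot be mapped into it */`.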