--- /dev/null
+From minyard@acm.org Thu Sep 19 14:56:39 2019
+From: minyard@acm.org
+Date: Thu, 19 Sep 2019 07:16:46 -0500
+Subject: x86/boot: Add missing bootparam that breaks boot on some platforms
+To: stable@vger.kernel.org
+Cc: Corey Minyard <cminyard@mvista.com>
+Message-ID: <20190919121646.22472-1-minyard@acm.org>
+
+From: Corey Minyard <cminyard@mvista.com>
+
+Change
+
+ a90118c445cc x86/boot: Save fields explicitly, zero out everything else
+
+modified the way boot parameters were saved on x86. When this was
+backported, e820_table didn't exists, and that change was dropped.
+Unfortunately, e820_table did exist, it was just named e820_map
+in this kernel version.
+
+This was breaking booting on a Supermicro Super Server/A2SDi-2C-HLN4F
+with a Denverton CPU. Adding e820_map to the saved boot params table
+fixes the issue.
+
+Cc: <stable@vger.kernel.org> # 4.9.x, 4.4.x
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/bootparam_utils.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/include/asm/bootparam_utils.h
++++ b/arch/x86/include/asm/bootparam_utils.h
+@@ -71,6 +71,7 @@ static void sanitize_boot_params(struct
+ BOOT_PARAM_PRESERVE(edd_mbr_sig_buf_entries),
+ BOOT_PARAM_PRESERVE(edd_mbr_sig_buffer),
+ BOOT_PARAM_PRESERVE(hdr),
++ BOOT_PARAM_PRESERVE(e820_map),
+ BOOT_PARAM_PRESERVE(eddbuf),
+ };
+
--- /dev/null
+From foo@baz Thu 19 Sep 2019 03:25:18 PM CEST
+From: Dongli Zhang <dongli.zhang@oracle.com>
+Date: Mon, 16 Sep 2019 11:46:59 +0800
+Subject: xen-netfront: do not assume sk_buff_head list is empty in error handling
+
+From: Dongli Zhang <dongli.zhang@oracle.com>
+
+[ Upstream commit 00b368502d18f790ab715e055869fd4bb7484a9b ]
+
+When skb_shinfo(skb) is not able to cache extra fragment (that is,
+skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS), xennet_fill_frags() assumes
+the sk_buff_head list is already empty. As a result, cons is increased only
+by 1 and returns to error handling path in xennet_poll().
+
+However, if the sk_buff_head list is not empty, queue->rx.rsp_cons may be
+set incorrectly. That is, queue->rx.rsp_cons would point to the rx ring
+buffer entries whose queue->rx_skbs[i] and queue->grant_rx_ref[i] are
+already cleared to NULL. This leads to NULL pointer access in the next
+iteration to process rx ring buffer entries.
+
+Below is how xennet_poll() does error handling. All remaining entries in
+tmpq are accounted to queue->rx.rsp_cons without assuming how many
+outstanding skbs are remained in the list.
+
+ 985 static int xennet_poll(struct napi_struct *napi, int budget)
+... ...
+1032 if (unlikely(xennet_set_skb_gso(skb, gso))) {
+1033 __skb_queue_head(&tmpq, skb);
+1034 queue->rx.rsp_cons += skb_queue_len(&tmpq);
+1035 goto err;
+1036 }
+
+It is better to always have the error handling in the same way.
+
+Fixes: ad4f15dc2c70 ("xen/netfront: don't bug in case of too many frags")
+Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netfront.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -893,7 +893,7 @@ static RING_IDX xennet_fill_frags(struct
+ __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
+ }
+ if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) {
+- queue->rx.rsp_cons = ++cons;
++ queue->rx.rsp_cons = ++cons + skb_queue_len(list);
+ kfree_skb(nskb);
+ return ~0U;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
