From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 10 Apr 2018 07:12:04 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.16.2~25
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4a5ffd09270983bd93331a68df6cce165bb92126;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	rxrpc-check-return-value-of-skb_to_sgvec-always.patch
	virtio_net-check-return-value-of-skb_to_sgvec-always.patch
	virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch
---

diff --git a/queue-4.9/rxrpc-check-return-value-of-skb_to_sgvec-always.patch b/queue-4.9/rxrpc-check-return-value-of-skb_to_sgvec-always.patch
new file mode 100644
index 00000000000..80156a05f55
--- /dev/null
+++ b/queue-4.9/rxrpc-check-return-value-of-skb_to_sgvec-always.patch
@@ -0,0 +1,75 @@
+From 89a5ea99662505d2d61f2a3030a6896c2cb3cdb0 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 4 Jun 2017 04:16:24 +0200
+Subject: rxrpc: check return value of skb_to_sgvec always
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit 89a5ea99662505d2d61f2a3030a6896c2cb3cdb0 upstream.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rxrpc/rxkad.c |   19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/net/rxrpc/rxkad.c
++++ b/net/rxrpc/rxkad.c
+@@ -229,7 +229,9 @@ static int rxkad_secure_packet_encrypt(c
+ 	len &= ~(call->conn->size_align - 1);
+ 
+ 	sg_init_table(sg, nsg);
+-	skb_to_sgvec(skb, sg, 0, len);
++	err = skb_to_sgvec(skb, sg, 0, len);
++	if (unlikely(err < 0))
++		goto out;
+ 	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
+ 	crypto_skcipher_encrypt(req);
+ 
+@@ -325,7 +327,7 @@ static int rxkad_verify_packet_1(struct
+ 	struct sk_buff *trailer;
+ 	u32 data_size, buf;
+ 	u16 check;
+-	int nsg;
++	int nsg, ret;
+ 
+ 	_enter("");
+ 
+@@ -342,7 +344,9 @@ static int rxkad_verify_packet_1(struct
+ 		goto nomem;
+ 
+ 	sg_init_table(sg, nsg);
+-	skb_to_sgvec(skb, sg, offset, 8);
++	ret = skb_to_sgvec(skb, sg, offset, 8);
++	if (unlikely(ret < 0))
++		return ret;
+ 
+ 	/* start the decryption afresh */
+ 	memset(&iv, 0, sizeof(iv));
+@@ -405,7 +409,7 @@ static int rxkad_verify_packet_2(struct
+ 	struct sk_buff *trailer;
+ 	u32 data_size, buf;
+ 	u16 check;
+-	int nsg;
++	int nsg, ret;
+ 
+ 	_enter(",{%d}", skb->len);
+ 
+@@ -429,7 +433,12 @@ static int rxkad_verify_packet_2(struct
+ 	}
+ 
+ 	sg_init_table(sg, nsg);
+-	skb_to_sgvec(skb, sg, offset, len);
++	ret = skb_to_sgvec(skb, sg, offset, len);
++	if (unlikely(ret < 0)) {
++		if (sg != _sg)
++			kfree(sg);
++		return ret;
++	}
+ 
+ 	/* decrypt from the session key */
+ 	token = call->conn->params.key->payload.data[0];
diff --git a/queue-4.9/virtio_net-check-return-value-of-skb_to_sgvec-always.patch b/queue-4.9/virtio_net-check-return-value-of-skb_to_sgvec-always.patch
new file mode 100644
index 00000000000..2c27ccbec8f
--- /dev/null
+++ b/queue-4.9/virtio_net-check-return-value-of-skb_to_sgvec-always.patch
@@ -0,0 +1,50 @@
+From e2fcad58fd230f635a74e4e983c6f4ea893642d2 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 4 Jun 2017 04:16:26 +0200
+Subject: virtio_net: check return value of skb_to_sgvec always
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit e2fcad58fd230f635a74e4e983c6f4ea893642d2 upstream.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/virtio_net.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -831,7 +831,7 @@ static int xmit_skb(struct send_queue *s
+ 	struct virtio_net_hdr_mrg_rxbuf *hdr;
+ 	const unsigned char *dest = ((struct ethhdr *)skb->data)->h_dest;
+ 	struct virtnet_info *vi = sq->vq->vdev->priv;
+-	unsigned num_sg;
++	int num_sg;
+ 	unsigned hdr_len = vi->hdr_len;
+ 	bool can_push;
+ 
+@@ -858,11 +858,16 @@ static int xmit_skb(struct send_queue *s
+ 	if (can_push) {
+ 		__skb_push(skb, hdr_len);
+ 		num_sg = skb_to_sgvec(skb, sq->sg, 0, skb->len);
++		if (unlikely(num_sg < 0))
++			return num_sg;
+ 		/* Pull header back to avoid skew in tx bytes calculations. */
+ 		__skb_pull(skb, hdr_len);
+ 	} else {
+ 		sg_set_buf(sq->sg, hdr, hdr_len);
+-		num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len) + 1;
++		num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len);
++		if (unlikely(num_sg < 0))
++			return num_sg;
++		num_sg++;
+ 	}
+ 	return virtqueue_add_outbuf(sq->vq, sq->sg, num_sg, skb, GFP_ATOMIC);
+ }
diff --git a/queue-4.9/virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch b/queue-4.9/virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch
new file mode 100644
index 00000000000..dfac4c4e323
--- /dev/null
+++ b/queue-4.9/virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch
@@ -0,0 +1,44 @@
+From natechancellor@gmail.com  Tue Apr 10 08:34:50 2018
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon,  9 Apr 2018 18:21:50 -0700
+Subject: virtio_net: check return value of skb_to_sgvec in one more location
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org
+Cc: Nathan Chancellor <natechancellor@gmail.com>, "Jason A . Donenfeld" <Jason@zx2c4.com>, Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>, "Michael S. Tsirkin" <mst@redhat.com>, Jason Wang <jasowang@redhat.com>, "David S . Miller" <davem@davemloft.net>
+Message-ID: <20180410012150.6573-10-natechancellor@gmail.com>
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+Kernels that do not have f6b10209b90d ("virtio-net: switch to use
+build_skb() for small buffer") will have an extra call to skb_to_sgvec
+that is not handled by e2fcad58fd23 ("virtio_net: check return value of
+skb_to_sgvec always"). Since the former does not appear to be stable
+material, just fix the call up directly.
+
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/virtio_net.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -529,7 +529,12 @@ static int add_recvbuf_small(struct virt
+ 	hdr = skb_vnet_hdr(skb);
+ 	sg_init_table(rq->sg, 2);
+ 	sg_set_buf(rq->sg, hdr, vi->hdr_len);
+-	skb_to_sgvec(skb, rq->sg + 1, 0, skb->len);
++
++	err = skb_to_sgvec(skb, rq->sg + 1, 0, skb->len);
++	if (unlikely(err < 0)) {
++		dev_kfree_skb(skb);
++		return err;
++	}
+ 
+ 	err = virtqueue_add_inbuf(rq->vq, rq->sg, 2, skb, gfp);
+ 	if (err < 0)