From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 12 Aug 2018 15:15:28 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.18.1~41
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=69660c9df62a7c889e7638bd822116c4d673eec0;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	xen-netfront-don-t-cache-skb_shinfo.patch
---

diff --git a/queue-4.9/series b/queue-4.9/series
index 49b496bd612..e3fec43ebfb 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -4,3 +4,4 @@ parisc-enable-config_mlongcalls-by-default.patch
 parisc-define-mb-and-add-memory-barriers-to-assembler-unlock-sequences.patch
 kasan-add-no_sanitize-attribute-for-clang-builds.patch
 mark-hi-and-tasklet-softirq-synchronous.patch
+xen-netfront-don-t-cache-skb_shinfo.patch
diff --git a/queue-4.9/xen-netfront-don-t-cache-skb_shinfo.patch b/queue-4.9/xen-netfront-don-t-cache-skb_shinfo.patch
new file mode 100644
index 00000000000..1954bf2242f
--- /dev/null
+++ b/queue-4.9/xen-netfront-don-t-cache-skb_shinfo.patch
@@ -0,0 +1,52 @@
+From d472b3a6cf63cd31cae1ed61930f07e6cd6671b5 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Thu, 9 Aug 2018 16:42:16 +0200
+Subject: xen/netfront: don't cache skb_shinfo()
+
+From: Juergen Gross <jgross@suse.com>
+
+commit d472b3a6cf63cd31cae1ed61930f07e6cd6671b5 upstream.
+
+skb_shinfo() can change when calling __pskb_pull_tail(): Don't cache
+its return value.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Wei Liu <wei.liu2@citrix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/xen-netfront.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -893,7 +893,6 @@ static RING_IDX xennet_fill_frags(struct
+ 				  struct sk_buff *skb,
+ 				  struct sk_buff_head *list)
+ {
+-	struct skb_shared_info *shinfo = skb_shinfo(skb);
+ 	RING_IDX cons = queue->rx.rsp_cons;
+ 	struct sk_buff *nskb;
+ 
+@@ -902,15 +901,16 @@ static RING_IDX xennet_fill_frags(struct
+ 			RING_GET_RESPONSE(&queue->rx, ++cons);
+ 		skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0];
+ 
+-		if (shinfo->nr_frags == MAX_SKB_FRAGS) {
++		if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
+ 			unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
+ 
+ 			BUG_ON(pull_to <= skb_headlen(skb));
+ 			__pskb_pull_tail(skb, pull_to - skb_headlen(skb));
+ 		}
+-		BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS);
++		BUG_ON(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS);
+ 
+-		skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag),
++		skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
++				skb_frag_page(nfrag),
+ 				rx->offset, rx->status, PAGE_SIZE);
+ 
+ 		skb_shinfo(nskb)->nr_frags = 0;