From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 12 Aug 2018 15:14:23 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v4.18.1~45
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=81aca7f82910583e6c0fa73eb2e2681744cdcdf7;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
	xen-netfront-don-t-cache-skb_shinfo.patch
---

diff --git a/queue-3.18/series b/queue-3.18/series
index e69de29bb2d..320d84408e7 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -0,0 +1 @@
+xen-netfront-don-t-cache-skb_shinfo.patch
diff --git a/queue-3.18/xen-netfront-don-t-cache-skb_shinfo.patch b/queue-3.18/xen-netfront-don-t-cache-skb_shinfo.patch
new file mode 100644
index 00000000000..6edbada02f0
--- /dev/null
+++ b/queue-3.18/xen-netfront-don-t-cache-skb_shinfo.patch
@@ -0,0 +1,52 @@
+From d472b3a6cf63cd31cae1ed61930f07e6cd6671b5 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Thu, 9 Aug 2018 16:42:16 +0200
+Subject: xen/netfront: don't cache skb_shinfo()
+
+From: Juergen Gross <jgross@suse.com>
+
+commit d472b3a6cf63cd31cae1ed61930f07e6cd6671b5 upstream.
+
+skb_shinfo() can change when calling __pskb_pull_tail(): Don't cache
+its return value.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Wei Liu <wei.liu2@citrix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/xen-netfront.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -903,7 +903,6 @@ static RING_IDX xennet_fill_frags(struct
+ 				  struct sk_buff *skb,
+ 				  struct sk_buff_head *list)
+ {
+-	struct skb_shared_info *shinfo = skb_shinfo(skb);
+ 	RING_IDX cons = queue->rx.rsp_cons;
+ 	struct sk_buff *nskb;
+ 
+@@ -912,15 +911,16 @@ static RING_IDX xennet_fill_frags(struct
+ 			RING_GET_RESPONSE(&queue->rx, ++cons);
+ 		skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0];
+ 
+-		if (shinfo->nr_frags == MAX_SKB_FRAGS) {
++		if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
+ 			unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
+ 
+ 			BUG_ON(pull_to <= skb_headlen(skb));
+ 			__pskb_pull_tail(skb, pull_to - skb_headlen(skb));
+ 		}
+-		BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS);
++		BUG_ON(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS);
+ 
+-		skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag),
++		skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
++				skb_frag_page(nfrag),
+ 				rx->offset, rx->status, PAGE_SIZE);
+ 
+ 		skb_shinfo(nskb)->nr_frags = 0;