From: Greg Kroah-Hartman
Date: Sun, 12 Aug 2018 15:15:13 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.18.1~42
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c7a09cc8b92a0f9dfa284031d23044aac56f5fc1;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
xen-netfront-don-t-cache-skb_shinfo.patch
---
diff --git a/queue-4.4/kasan-turn-on-fsanitize-address-use-after-scope.patch b/queue-4.4/kasan-turn-on-fsanitize-address-use-after-scope.patch
deleted file mode 100644
index a9c0a58b5ef..00000000000
--- a/queue-4.4/kasan-turn-on-fsanitize-address-use-after-scope.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From c5caf21ab0cf884ef15b25af234f620e4a233139 Mon Sep 17 00:00:00 2001
-From: Andrey Ryabinin
-Date: Mon, 12 Dec 2016 16:44:59 -0800
-Subject: kasan: turn on -fsanitize-address-use-after-scope
-
-From: Andrey Ryabinin
-
-commit c5caf21ab0cf884ef15b25af234f620e4a233139 upstream.
-
-In the upcoming gcc7 release, the -fsanitize=kernel-address option at
-first implied new -fsanitize-address-use-after-scope option. This would
-cause link errors on older kernels because they don't have two new
-functions required for use-after-scope support. Therefore, gcc7 changed
-default to -fno-sanitize-address-use-after-scope.
-
-Now the kernel has everything required for that feature since commit
-828347f8f9a5 ("kasan: support use-after-scope detection"). So, to make it
-work, we just have to enable use-after-scope in CFLAGS.
-
-Link: http://lkml.kernel.org/r/1481207977-28654-1-git-send-email-aryabinin@virtuozzo.com
-Signed-off-by: Andrey Ryabinin
-Acked-by: Dmitry Vyukov
-Cc: Alexander Potapenko
-Cc: Andrey Konovalov
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
-Cc: Nick Desaulniers
-Signed-off-by: Greg Kroah-Hartman
-
----
- scripts/Makefile.kasan | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/scripts/Makefile.kasan
-+++ b/scripts/Makefile.kasan
-@@ -28,4 +28,6 @@ else
- CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL)
- endif
- endif
-+
-+CFLAGS_KASAN += $(call cc-option, -fsanitize-address-use-after-scope)
- endif
diff --git a/queue-4.4/series b/queue-4.4/series
index 05605533611..cd85ed99c93 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -4,4 +4,4 @@ ipv4-ipv6-make-inet-_esp-select-crypto_echainiv.patch
 fork-unconditionally-clear-stack-on-fork.patch
 parisc-enable-config_mlongcalls-by-default.patch
 parisc-define-mb-and-add-memory-barriers-to-assembler-unlock-sequences.patch
-kasan-turn-on-fsanitize-address-use-after-scope.patch
+xen-netfront-don-t-cache-skb_shinfo.patch
diff --git a/queue-4.4/xen-netfront-don-t-cache-skb_shinfo.patch b/queue-4.4/xen-netfront-don-t-cache-skb_shinfo.patch
new file mode 100644
index 00000000000..d0a1eea9718
--- /dev/null
+++ b/queue-4.4/xen-netfront-don-t-cache-skb_shinfo.patch
@@ -0,0 +1,52 @@
+From d472b3a6cf63cd31cae1ed61930f07e6cd6671b5 Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Thu, 9 Aug 2018 16:42:16 +0200
+Subject: xen/netfront: don't cache skb_shinfo()
+
+From: Juergen Gross
+
+commit d472b3a6cf63cd31cae1ed61930f07e6cd6671b5 upstream.
+
+skb_shinfo() can change when calling __pskb_pull_tail(): Don't cache
+its return value.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Juergen Gross
+Reviewed-by: Wei Liu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/xen-netfront.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -879,7 +879,6 @@ static RING_IDX xennet_fill_frags(struct
+ struct sk_buff *skb,
+ struct sk_buff_head *list)
+ {
+- struct skb_shared_info *shinfo = skb_shinfo(skb);
+ RING_IDX cons = queue->rx.rsp_cons;
+ struct sk_buff *nskb;
+
+@@ -888,15 +887,16 @@ static RING_IDX xennet_fill_frags(struct
+ RING_GET_RESPONSE(&queue->rx, ++cons);
+ skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0];
+
+- if (shinfo->nr_frags == MAX_SKB_FRAGS) {
++ if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
+ unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
+
+ BUG_ON(pull_to <= skb_headlen(skb));
+ __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
+ }
+- BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS);
++ BUG_ON(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS);
+
+- skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag),
++ skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
++ skb_frag_page(nfrag),
+ rx->offset, rx->status, PAGE_SIZE);
+
+ skb_shinfo(nskb)->nr_frags = 0;
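Review bot: The return value of `__pskb_pull_tail()` is still ignored in the embedded xen-netfront hunk, so when the pull fails `nr_frags` stays at `MAX_SKB_FRAGS` and the following `BUG_ON(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS);` takes the whole guest down. The fragment chain is built from responses read off the rx ring, so this looks like a condition the backend can influence; I would drop the packet and report an error to the caller rather than assert, with `if (!__pskb_pull_tail(skb, pull_to - skb_headlen(skb)))` as the failure test. It would also help to record why the pointer is re-read on each use, e.g. `/* __pskb_pull_tail() may reallocate the head, so skb_shinfo(skb) must not be cached across it */`. xennet_fill_frags() starts and ends outside the hunk, so how its caller would handle an error return has to be checked there.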