From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 19 Sep 2019 13:26:27 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.194~44
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dfa8eded188c73653a596e8951040c2911f99302;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	x86-boot-add-missing-bootparam-that-breaks-boot-on-some-platforms.patch
	xen-netfront-do-not-assume-sk_buff_head-list-is-empty-in-error-handling.patch
---

diff --git a/queue-4.4/series b/queue-4.4/series
index 1ee34a348bd..d7ed37a2885 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -26,3 +26,5 @@ mips-netlogic-xlr-remove-erroneous-check-in-nlm_fmn_send.patch
 arc-configs-remove-config_initramfs_source-from-defconfigs.patch
 usb-usbcore-fix-slab-out-of-bounds-bug-during-device-reset.patch
 media-tm6000-double-free-if-usb-disconnect-while-streaming.patch
+x86-boot-add-missing-bootparam-that-breaks-boot-on-some-platforms.patch
+xen-netfront-do-not-assume-sk_buff_head-list-is-empty-in-error-handling.patch
diff --git a/queue-4.4/x86-boot-add-missing-bootparam-that-breaks-boot-on-some-platforms.patch b/queue-4.4/x86-boot-add-missing-bootparam-that-breaks-boot-on-some-platforms.patch
new file mode 100644
index 00000000000..5a730a65cf2
--- /dev/null
+++ b/queue-4.4/x86-boot-add-missing-bootparam-that-breaks-boot-on-some-platforms.patch
@@ -0,0 +1,41 @@
+From minyard@acm.org  Thu Sep 19 14:56:39 2019
+From: minyard@acm.org
+Date: Thu, 19 Sep 2019 07:16:46 -0500
+Subject: x86/boot: Add missing bootparam that breaks boot on some platforms
+To: stable@vger.kernel.org
+Cc: Corey Minyard <cminyard@mvista.com>
+Message-ID: <20190919121646.22472-1-minyard@acm.org>
+
+From: Corey Minyard <cminyard@mvista.com>
+
+Change
+
+  a90118c445cc x86/boot: Save fields explicitly, zero out everything else
+
+modified the way boot parameters were saved on x86.  When this was
+backported, e820_table didn't exists, and that change was dropped.
+Unfortunately, e820_table did exist, it was just named e820_map
+in this kernel version.
+
+This was breaking booting on a Supermicro Super Server/A2SDi-2C-HLN4F
+with a Denverton CPU.  Adding e820_map to the saved boot params table
+fixes the issue.
+
+Cc: <stable@vger.kernel.org> # 4.9.x, 4.4.x
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/bootparam_utils.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/include/asm/bootparam_utils.h
++++ b/arch/x86/include/asm/bootparam_utils.h
+@@ -71,6 +71,7 @@ static void sanitize_boot_params(struct
+ 			BOOT_PARAM_PRESERVE(edd_mbr_sig_buf_entries),
+ 			BOOT_PARAM_PRESERVE(edd_mbr_sig_buffer),
+ 			BOOT_PARAM_PRESERVE(hdr),
++			BOOT_PARAM_PRESERVE(e820_map),
+ 			BOOT_PARAM_PRESERVE(eddbuf),
+ 		};
+ 
diff --git a/queue-4.4/xen-netfront-do-not-assume-sk_buff_head-list-is-empty-in-error-handling.patch b/queue-4.4/xen-netfront-do-not-assume-sk_buff_head-list-is-empty-in-error-handling.patch
new file mode 100644
index 00000000000..9de71b71d98
--- /dev/null
+++ b/queue-4.4/xen-netfront-do-not-assume-sk_buff_head-list-is-empty-in-error-handling.patch
@@ -0,0 +1,53 @@
+From foo@baz Thu 19 Sep 2019 03:25:18 PM CEST
+From: Dongli Zhang <dongli.zhang@oracle.com>
+Date: Mon, 16 Sep 2019 11:46:59 +0800
+Subject: xen-netfront: do not assume sk_buff_head list is empty in error handling
+
+From: Dongli Zhang <dongli.zhang@oracle.com>
+
+[ Upstream commit 00b368502d18f790ab715e055869fd4bb7484a9b ]
+
+When skb_shinfo(skb) is not able to cache extra fragment (that is,
+skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS), xennet_fill_frags() assumes
+the sk_buff_head list is already empty. As a result, cons is increased only
+by 1 and returns to error handling path in xennet_poll().
+
+However, if the sk_buff_head list is not empty, queue->rx.rsp_cons may be
+set incorrectly. That is, queue->rx.rsp_cons would point to the rx ring
+buffer entries whose queue->rx_skbs[i] and queue->grant_rx_ref[i] are
+already cleared to NULL. This leads to NULL pointer access in the next
+iteration to process rx ring buffer entries.
+
+Below is how xennet_poll() does error handling. All remaining entries in
+tmpq are accounted to queue->rx.rsp_cons without assuming how many
+outstanding skbs are remained in the list.
+
+ 985 static int xennet_poll(struct napi_struct *napi, int budget)
+... ...
+1032           if (unlikely(xennet_set_skb_gso(skb, gso))) {
+1033                   __skb_queue_head(&tmpq, skb);
+1034                   queue->rx.rsp_cons += skb_queue_len(&tmpq);
+1035                   goto err;
+1036           }
+
+It is better to always have the error handling in the same way.
+
+Fixes: ad4f15dc2c70 ("xen/netfront: don't bug in case of too many frags")
+Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netfront.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -893,7 +893,7 @@ static RING_IDX xennet_fill_frags(struct
+ 			__pskb_pull_tail(skb, pull_to - skb_headlen(skb));
+ 		}
+ 		if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) {
+-			queue->rx.rsp_cons = ++cons;
++			queue->rx.rsp_cons = ++cons + skb_queue_len(list);
+ 			kfree_skb(nskb);
+ 			return ~0U;
+ 		}