From b8ae732080fd8ac712be7c7cd9cf3b2d665b8e33 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 21 Nov 2019 18:55:02 +0100
Subject: [PATCH] 4.4-stable patches

added patches:
	net-cdc_ncm-signedness-bug-in-cdc_ncm_set_dgram_size.patch
---
 ...edness-bug-in-cdc_ncm_set_dgram_size.patch | 35 +++++++++++++++++++
 queue-4.4/series                              |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 queue-4.4/net-cdc_ncm-signedness-bug-in-cdc_ncm_set_dgram_size.patch

diff --git a/queue-4.4/net-cdc_ncm-signedness-bug-in-cdc_ncm_set_dgram_size.patch b/queue-4.4/net-cdc_ncm-signedness-bug-in-cdc_ncm_set_dgram_size.patch
new file mode 100644
index 00000000000..e9cf5c51e0a
--- /dev/null
+++ b/queue-4.4/net-cdc_ncm-signedness-bug-in-cdc_ncm_set_dgram_size.patch
@@ -0,0 +1,35 @@
+From a56dcc6b455830776899ce3686735f1172e12243 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 13 Nov 2019 21:28:31 +0300
+Subject: net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit a56dcc6b455830776899ce3686735f1172e12243 upstream.
+
+This code is supposed to test for negative error codes and partial
+reads, but because sizeof() is size_t (unsigned) type then negative
+error codes are type promoted to high positive values and the condition
+doesn't work as expected.
+
+Fixes: 332f989a3b00 ("CDC-NCM: handle incomplete transfer of MTU")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/cdc_ncm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -534,7 +534,7 @@ static void cdc_ncm_set_dgram_size(struc
+ 	err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
+ 			      USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
+ 			      0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
+-	if (err < sizeof(max_datagram_size)) {
++	if (err != sizeof(max_datagram_size)) {
+ 		dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
+ 		goto out;
+ 	}
diff --git a/queue-4.4/series b/queue-4.4/series
index d54aefef38d..f2a52963311 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -97,3 +97,4 @@ bluetooth-hci_ldisc-fix-null-pointer-derefence-in-case-of-early-data.patch
 bluetooth-hci_ldisc-postpone-hci_uart_proto_ready-bit-set-in-hci_uart_set_proto.patch
 memfd-use-radix_tree_deref_slot_protected-to-avoid-the-warning.patch
 slcan-fix-memory-leak-in-error-path.patch
+net-cdc_ncm-signedness-bug-in-cdc_ncm_set_dgram_size.patch
-- 
2.47.3