Patch "xen-netfront: do not cast grant table reference to signed short" has been added to the 4.4-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 12 Jun 2017 11:19:33 +0200

This is a note to let you know that I've just added the patch titled

    xen-netfront: do not cast grant table reference to signed short

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xen-netfront-do-not-cast-grant-table-reference-to-signed-short.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 87557efc27f6a50140fb20df06a917f368ce3c66 Mon Sep 17 00:00:00 2001
From: Dongli Zhang <dongli.zhang@xxxxxxxxxx>
Date: Mon, 31 Oct 2016 13:38:29 +0800
Subject: xen-netfront: do not cast grant table reference to signed short

From: Dongli Zhang <dongli.zhang@xxxxxxxxxx>

commit 87557efc27f6a50140fb20df06a917f368ce3c66 upstream.

While grant reference is of type uint32_t, xen-netfront erroneously casts
it to signed short in BUG_ON().

This would lead to the xen domU panic during boot-up or migration when it
is attached with lots of paravirtual devices.

Signed-off-by: Dongli Zhang <dongli.zhang@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Cc: Blake Cooper <blake.cooper@xxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 drivers/net/xen-netfront.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -304,7 +304,7 @@ static void xennet_alloc_rx_buffers(stru
 		queue->rx_skbs[id] = skb;
 
 		ref = gnttab_claim_grant_reference(&queue->gref_rx_head);
-		BUG_ON((signed short)ref < 0);
+		WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref));
 		queue->grant_rx_ref[id] = ref;
 
 		page = skb_frag_page(&skb_shinfo(skb)->frags[0]);
@@ -437,7 +437,7 @@ static void xennet_tx_setup_grant(unsign
 	id = get_id_from_freelist(&queue->tx_skb_freelist, queue->tx_skbs);
 	tx = RING_GET_REQUEST(&queue->tx, queue->tx.req_prod_pvt++);
 	ref = gnttab_claim_grant_reference(&queue->gref_tx_head);
-	BUG_ON((signed short)ref < 0);
+	WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref));
 
 	gnttab_grant_foreign_access_ref(ref, queue->info->xbdev->otherend_id,
 					gfn, GNTMAP_readonly);


Patches currently in stable-queue which might be from dongli.zhang@xxxxxxxxxx are

queue-4.4/xen-netfront-do-not-cast-grant-table-reference-to-signed-short.patch
queue-4.4/xen-netfront-cast-grant-table-reference-first-to-type-int.patch






