authorAlexandre Oliva <lxoliva@fsfla.org>2017-04-02 04:57:15 +0000
committerAlexandre Oliva <lxoliva@fsfla.org>2017-04-02 04:57:15 +0000
commit2c91556666e9840e2e581c6daf50f47ca2aa5679 (patch)
treea50ff9e61b14e9be4d6dac6b0062b7831dff5431 /freed-ora/current/f24
parentf5f157fa8551f2eaf6d567b7d82d53f677e7018c (diff)
downloadlinux-libre-raptor-2c91556666e9840e2e581c6daf50f47ca2aa5679.tar.gz
linux-libre-raptor-2c91556666e9840e2e581c6daf50f47ca2aa5679.zip
4.10.7-100.fc24.gnu
Diffstat (limited to 'freed-ora/current/f24')
-rw-r--r--freed-ora/current/f24/CVE-2017-7184.patch154
-rw-r--r--freed-ora/current/f24/genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch55
-rw-r--r--freed-ora/current/f24/kernel.spec27
-rw-r--r--freed-ora/current/f24/patch-4.10-gnu-4.10.6-gnu.xz.sign7
-rw-r--r--freed-ora/current/f24/patch-4.10-gnu-4.10.7-gnu.xz.sign7
-rw-r--r--freed-ora/current/f24/sources2
-rw-r--r--freed-ora/current/f24/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch119
-rw-r--r--freed-ora/current/f24/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch33
8 files changed, 337 insertions, 67 deletions
diff --git a/freed-ora/current/f24/CVE-2017-7184.patch b/freed-ora/current/f24/CVE-2017-7184.patch
new file mode 100644
index 000000000..b2d48b0a7
--- /dev/null
+++ b/freed-ora/current/f24/CVE-2017-7184.patch
@@ -0,0 +1,154 @@
+From c282222a45cb9503cbfbebfdb60491f06ae84b49 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 8 Feb 2017 11:52:29 +0100
+Subject: xfrm: policy: init locks early
+
+From: Florian Westphal <fw@strlen.de>
+
+commit c282222a45cb9503cbfbebfdb60491f06ae84b49 upstream.
+
+Dmitry reports following splat:
+ INFO: trying to register non-static key.
+ the code is fine but needs lockdep annotation.
+ turning off the locking correctness validator.
+ CPU: 0 PID: 13059 Comm: syz-executor1 Not tainted 4.10.0-rc7-next-20170207 #1
+[..]
+ spin_lock_bh include/linux/spinlock.h:304 [inline]
+ xfrm_policy_flush+0x32/0x470 net/xfrm/xfrm_policy.c:963
+ xfrm_policy_fini+0xbf/0x560 net/xfrm/xfrm_policy.c:3041
+ xfrm_net_init+0x79f/0x9e0 net/xfrm/xfrm_policy.c:3091
+ ops_init+0x10a/0x530 net/core/net_namespace.c:115
+ setup_net+0x2ed/0x690 net/core/net_namespace.c:291
+ copy_net_ns+0x26c/0x530 net/core/net_namespace.c:396
+ create_new_namespaces+0x409/0x860 kernel/nsproxy.c:106
+ unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
+ SYSC_unshare kernel/fork.c:2281 [inline]
+
+Problem is that when we get error during xfrm_net_init we will call
+xfrm_policy_fini which will acquire xfrm_policy_lock before it was
+initialized. Just move it around so locks get set up first.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Fixes: 283bc9f35bbbcb0e9 ("xfrm: Namespacify xfrm state/policy locks")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_policy.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3062,6 +3062,11 @@ static int __net_init xfrm_net_init(stru
+ {
+ int rv;
+
++ /* Initialize the per-net locks here */
++ spin_lock_init(&net->xfrm.xfrm_state_lock);
++ spin_lock_init(&net->xfrm.xfrm_policy_lock);
++ mutex_init(&net->xfrm.xfrm_cfg_mutex);
++
+ rv = xfrm_statistics_init(net);
+ if (rv < 0)
+ goto out_statistics;
+@@ -3078,11 +3083,6 @@ static int __net_init xfrm_net_init(stru
+ if (rv < 0)
+ goto out;
+
+- /* Initialize the per-net locks here */
+- spin_lock_init(&net->xfrm.xfrm_state_lock);
+- spin_lock_init(&net->xfrm.xfrm_policy_lock);
+- mutex_init(&net->xfrm.xfrm_cfg_mutex);
+-
+ return 0;
+
+ out:
+From 677e806da4d916052585301785d847c3b3e6186a Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft <apw@canonical.com>
+Date: Wed, 22 Mar 2017 07:29:31 +0000
+Subject: xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
+
+From: Andy Whitcroft <apw@canonical.com>
+
+commit 677e806da4d916052585301785d847c3b3e6186a upstream.
+
+When a new xfrm state is created during an XFRM_MSG_NEWSA call we
+validate the user supplied replay_esn to ensure that the size is valid
+and to ensure that the replay_window size is within the allocated
+buffer. However later it is possible to update this replay_esn via a
+XFRM_MSG_NEWAE call. There we again validate the size of the supplied
+buffer matches the existing state and if so inject the contents. We do
+not at this point check that the replay_window is within the allocated
+memory. This leads to out-of-bounds reads and writes triggered by
+netlink packets. This leads to memory corruption and the potential for
+priviledge escalation.
+
+We already attempt to validate the incoming replay information in
+xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the user
+is not trying to change the size of the replay state buffer which
+includes the replay_esn. It however does not check the replay_window
+remains within that buffer. Add validation of the contained
+replay_window.
+
+CVE-2017-7184
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -415,6 +415,9 @@ static inline int xfrm_replay_verify_len
+ if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+ return -EINVAL;
+
++ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
++ return -EINVAL;
++
+ return 0;
+ }
+
+From f843ee6dd019bcece3e74e76ad9df0155655d0df Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft <apw@canonical.com>
+Date: Thu, 23 Mar 2017 07:45:44 +0000
+Subject: xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
+
+From: Andy Whitcroft <apw@canonical.com>
+
+commit f843ee6dd019bcece3e74e76ad9df0155655d0df upstream.
+
+Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
+wrapping issues. To ensure we are correctly ensuring that the two ESN
+structures are the same size compare both the overall size as reported
+by xfrm_replay_state_esn_len() and the internal length are the same.
+
+CVE-2017-7184
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_user.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -412,7 +412,11 @@ static inline int xfrm_replay_verify_len
+ up = nla_data(rp);
+ ulen = xfrm_replay_state_esn_len(up);
+
+- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
++ /* Check the overall length and the internal bitmap length to avoid
++ * potential overflow. */
++ if (nla_len(rp) < ulen ||
++ xfrm_replay_state_esn_len(replay_esn) != ulen ||
++ replay_esn->bmp_len != up->bmp_len)
+ return -EINVAL;
+
+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
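Review bot: CVE-2017-7184.patch bundles three upstream commits (L31, L97, L146) and nothing in the file or in the kernel.spec comment for Patch859 says so; only the second and third carry the CVE tag (L124, L160), while the first, "xfrm: policy: init locks early" (L34), is a separate lock-ordering fix that is presumably carried as a prerequisite. The order inside the file is also load-bearing: the third hunk's trailing context line at L184 is the line the second hunk added at L140, so the pieces cannot be reordered or applied individually. I would record that where the patch is wired up, e.g. `#CVE-2017-7184 rhbz 1435153 1437469 (bundles upstream c282222a45cb, 677e806da4d9, f843ee6dd019)` in kernel.spec, so the next rebase knows what has to stay together. The `bmp_len != up->bmp_len` comparison added at L181 is what keeps the `replay_window` bound at L184 from depending on an unbounded user-supplied multiplier; worth a comment if the hunk is ever reworked.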
diff --git a/freed-ora/current/f24/genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch b/freed-ora/current/f24/genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch
deleted file mode 100644
index ab048d1c9..000000000
--- a/freed-ora/current/f24/genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Stanislaw Gruszka <sgruszka@redhat.com>
-Date: 2017-03-22 15:08:33
-Subject: [PATCH 4.11] genetlink: fix counting regression on ctrl_dumpfamily()
-
-Commit 2ae0f17df1cd ("genetlink: use idr to track families") replaced
-
- if (++n < fams_to_skip)
- continue;
-into:
-
- if (n++ < fams_to_skip)
- continue;
-
-This subtle change cause that on retry ctrl_dumpfamily() call we omit
-one family that failed to do ctrl_fill_info() on previous call, because
-cb->args[0] = n number counts also family that failed to do
-ctrl_fill_info().
-
-Patch fixes the problem and avoid confusion in the future just decrease
-n counter when ctrl_fill_info() fail.
-
-User visible problem caused by this bug is failure to get access to
-some genetlink family i.e. nl80211. However problem is reproducible
-only if number of registered genetlink families is big enough to
-cause second call of ctrl_dumpfamily().
-
-Cc: Xose Vazquez Perez <xose.vazquez@gmail.com>
-Cc: Larry Finger <Larry.Finger@lwfinger.net>
-Cc: Johannes Berg <johannes@sipsolutions.net>
-Fixes: 2ae0f17df1cd ("genetlink: use idr to track families")
-Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
----
-Dave, please also target this for 4.10+ -stable.
-
- net/netlink/genetlink.c | 4 +++-
- 1 files changed, 3 insertions(+), 1 deletions(-)
-
-diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
-index fb6e10f..92e0981 100644
---- a/net/netlink/genetlink.c
-+++ b/net/netlink/genetlink.c
-@@ -783,8 +783,10 @@ static int ctrl_dumpfamily(struct sk_buff *skb, struct netlink_callback *cb)
-
- if (ctrl_fill_info(rt, NETLINK_CB(cb->skb).portid,
- cb->nlh->nlmsg_seq, NLM_F_MULTI,
-- skb, CTRL_CMD_NEWFAMILY) < 0)
-+ skb, CTRL_CMD_NEWFAMILY) < 0) {
-+ n--;
- break;
-+ }
- }
-
- cb->args[0] = n;
---
-1.7.1
diff --git a/freed-ora/current/f24/kernel.spec b/freed-ora/current/f24/kernel.spec
index 15d0d00aa..26ec4d505 100644
--- a/freed-ora/current/f24/kernel.spec
+++ b/freed-ora/current/f24/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 6
+%define stable_update 7
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -653,8 +653,14 @@ Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
#CVE-2017-2596 rhbz 1417812 1417813
Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
-#Fix crda rhbz 1422247
-Patch856: genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch
+#CVE-2017-7261 rhbz 1435719 1435740
+Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
+
+#CVE-2017-7277 rhbz 1436629 1436661
+Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
+
+#CVE-2017-7184 rhbz 1435153 1437469
+Patch859: CVE-2017-7184.patch
# END OF PATCH DEFINITIONS
@@ -2322,7 +2328,20 @@ fi
#
#
%changelog
-* Tue Mar 28 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
+* Thu Mar 30 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.10.7-gnu.
+
+* Thu Mar 30 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.7-100
+- Linux v4.10.7
+- CVE-2017-7184 Out-of-bounds heap access in xfrm (rhbz 1435153 1437469)
+
+* Tue Mar 28 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2017-7277 SCM_TIMESTAMPING_OPT_STATS feature causes out-of-bounds read (rhbz 1436629 1436661)
+
+* Mon Mar 27 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2017-7261 vmwgfx: check that number of mip levels is above zero (rhbz 1435719 1435740)
+
+* Mon Mar 27 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre Tue Mar 28
- GNU Linux-libre 4.10.6-gnu.
* Mon Mar 27 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.6-100
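Review bot: The new %changelog header at L290, `* Mon Mar 27 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre Tue Mar 28`, carries a stray `Tue Mar 28` at the end, apparently left over from editing the removed entry at L276 that was dated Tue Mar 28. rpm parses everything after the date as the packager field, so the build likely still succeeds, but the entry is mislabelled and the junk will propagate into the built package's changelog. The date appears to have been moved to Mon Mar 27 so the list stays in descending order below the Mon Mar 27 entry at L287; keeping that intent, the line should read `* Mon Mar 27 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre`.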
diff --git a/freed-ora/current/f24/patch-4.10-gnu-4.10.6-gnu.xz.sign b/freed-ora/current/f24/patch-4.10-gnu-4.10.6-gnu.xz.sign
deleted file mode 100644
index 19247e86a..000000000
--- a/freed-ora/current/f24/patch-4.10-gnu-4.10.6-gnu.xz.sign
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iEYEABECAAYFAljYgT0ACgkQvLfPh359R6eoKACeMbuEVAM1ZbrV7BeaF7FHwV5s
-rIMAoJTaWEQ02sa8TWxk/0nLJ3PS1zqT
-=zkaY
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f24/patch-4.10-gnu-4.10.7-gnu.xz.sign b/freed-ora/current/f24/patch-4.10-gnu-4.10.7-gnu.xz.sign
new file mode 100644
index 000000000..5599f3eac
--- /dev/null
+++ b/freed-ora/current/f24/patch-4.10-gnu-4.10.7-gnu.xz.sign
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iEYEABECAAYFAljdZKUACgkQvLfPh359R6ddqACfV4IsWQqnkU+79XO0PJx9403K
+9hwAmwfKBLVgIyO/BXwqnOqdSSGeD/HA
+=T2mc
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f24/sources b/freed-ora/current/f24/sources
index 8b08471af..d050f74cf 100644
--- a/freed-ora/current/f24/sources
+++ b/freed-ora/current/f24/sources
@@ -1,3 +1,3 @@
SHA512 (linux-libre-4.10-gnu.tar.xz) = 44d1774a1d43a15322297d351737fbcbf92c6f433266ce2b17587437d433562cf5811fdae48fafd5a8e00d18ed9ac2e1ad4b12a657f322eb234384316ad131e0
SHA512 (perf-man-4.10.tar.gz) = 2c830e06f47211d70a8330961487af73a8bc01073019475e6b6131d3bb8c95658b77ca0ae5f1b44371accf103658bc5a3a4366b3e017a4088a8fd408dd6867e8
-SHA512 (patch-4.10-gnu-4.10.6-gnu.xz) = 4390c92afb02678e416fab6cc988139463c247047d09d4e0f69677e2239f05d8aa412842de383a3e7de603c979b1f2786017cd398fe931ba25a5b554d666ad9b
+SHA512 (patch-4.10-gnu-4.10.7-gnu.xz) = 12bb7d4750a68a0594a225a75987193488942fc517ded3f5304dd427f2abfdcc24361d97f72c6b1a661d17dbc5cc1fb88049c05be271fdd41a5bf070cf2b4f1b
diff --git a/freed-ora/current/f24/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch b/freed-ora/current/f24/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
new file mode 100644
index 000000000..9eabfc098
--- /dev/null
+++ b/freed-ora/current/f24/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
@@ -0,0 +1,119 @@
+From 4ef1b2869447411ad3ef91ad7d4891a83c1a509a Mon Sep 17 00:00:00 2001
+From: Soheil Hassas Yeganeh <soheil@google.com>
+Date: Sat, 18 Mar 2017 17:03:00 -0400
+Subject: [PATCH] tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS
+
+SOF_TIMESTAMPING_OPT_STATS can be enabled and disabled
+while packets are collected on the error queue.
+So, checking SOF_TIMESTAMPING_OPT_STATS in sk->sk_tsflags
+is not enough to safely assume that the skb contains
+OPT_STATS data.
+
+Add a bit in sock_exterr_skb to indicate whether the
+skb contains opt_stats data.
+
+Fixes: 1c885808e456 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING")
+Reported-by: JongHwan Kim <zzoru007@gmail.com>
+Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/linux/errqueue.h | 2 ++
+ net/core/skbuff.c | 17 +++++++++++------
+ net/socket.c | 2 +-
+ 3 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/include/linux/errqueue.h b/include/linux/errqueue.h
+index 9ca23fc..6fdfc88 100644
+--- a/include/linux/errqueue.h
++++ b/include/linux/errqueue.h
+@@ -20,6 +20,8 @@ struct sock_exterr_skb {
+ struct sock_extended_err ee;
+ u16 addr_offset;
+ __be16 port;
++ u8 opt_stats:1,
++ unused:7;
+ };
+
+ #endif
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index b1fbd19..9f78109 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3793,16 +3793,20 @@ EXPORT_SYMBOL(skb_clone_sk);
+
+ static void __skb_complete_tx_timestamp(struct sk_buff *skb,
+ struct sock *sk,
+- int tstype)
++ int tstype,
++ bool opt_stats)
+ {
+ struct sock_exterr_skb *serr;
+ int err;
+
++ BUILD_BUG_ON(sizeof(struct sock_exterr_skb) > sizeof(skb->cb));
++
+ serr = SKB_EXT_ERR(skb);
+ memset(serr, 0, sizeof(*serr));
+ serr->ee.ee_errno = ENOMSG;
+ serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING;
+ serr->ee.ee_info = tstype;
++ serr->opt_stats = opt_stats;
+ if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
+ serr->ee.ee_data = skb_shinfo(skb)->tskey;
+ if (sk->sk_protocol == IPPROTO_TCP &&
+@@ -3843,7 +3847,7 @@ void skb_complete_tx_timestamp(struct sk_buff *skb,
+ */
+ if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) {
+ *skb_hwtstamps(skb) = *hwtstamps;
+- __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND);
++ __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND, false);
+ sock_put(sk);
+ }
+ }
+@@ -3854,7 +3858,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
+ struct sock *sk, int tstype)
+ {
+ struct sk_buff *skb;
+- bool tsonly;
++ bool tsonly, opt_stats = false;
+
+ if (!sk)
+ return;
+@@ -3867,9 +3871,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
+ #ifdef CONFIG_INET
+ if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) &&
+ sk->sk_protocol == IPPROTO_TCP &&
+- sk->sk_type == SOCK_STREAM)
++ sk->sk_type == SOCK_STREAM) {
+ skb = tcp_get_timestamping_opt_stats(sk);
+- else
++ opt_stats = true;
++ } else
+ #endif
+ skb = alloc_skb(0, GFP_ATOMIC);
+ } else {
+@@ -3888,7 +3893,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
+ else
+ skb->tstamp = ktime_get_real();
+
+- __skb_complete_tx_timestamp(skb, sk, tstype);
++ __skb_complete_tx_timestamp(skb, sk, tstype, opt_stats);
+ }
+ EXPORT_SYMBOL_GPL(__skb_tstamp_tx);
+
+
+diff --git a/net/socket.c b/net/socket.c
+index 02bd924..84e3f85 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -697,7 +697,7 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
+ put_cmsg(msg, SOL_SOCKET,
+ SCM_TIMESTAMPING, sizeof(tss), &tss);
+
+- if (skb->len && (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))
++ if (skb->len && SKB_EXT_ERR(skb)->opt_stats)
+ put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS,
+ skb->len, skb->data);
+ }
diff --git a/freed-ora/current/f24/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch b/freed-ora/current/f24/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
new file mode 100644
index 000000000..1ede96c60
--- /dev/null
+++ b/freed-ora/current/f24/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
@@ -0,0 +1,33 @@
+From: Vladis Dronov <vdronov@redhat.com>
+Subject: [PATCH] drm/vmwgfx: Check check that number of mip levels is above zero in vmw_surface_define_ioctl()
+Date: 2017-03-24 15:37:10
+
+In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a
+user-controlled value which is not checked for zero. It is used in
+a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR
+is dereferenced which leads to a GPF and possibly to a kernel panic.
+Add the check for zero to avoid this.
+
+Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1435719
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+index b445ce9..42840cc 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
+ num_sizes += req->mip_levels[i];
+
+- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
+- DRM_VMW_MAX_MIP_LEVELS)
++ if (num_sizes <= 0 ||
++ num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS)
+ return -EINVAL;
+
+ size = vmw_user_surface_size + 128 +
+--
+2.9.3
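Review bot: The new check at L485–L486 validates only the sum `num_sizes`, while each `req->mip_levels[i]` is a user-supplied value accumulated at L480–L481 with no per-element bound; if `num_sizes` is a signed int (the `<= 0` test suggests it is) and the array holds 32-bit values, the sum can wrap and land back inside the accepted range, so the zero check fixes the ZERO_SIZE_PTR crash described at L463–L467 but not the underlying lack of input validation. I would bound each element inside the loop before accumulating, `if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS) return -EINVAL;` ahead of `num_sizes += req->mip_levels[i];`, after which the total is bounded by `DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS` by construction and only the `num_sizes <= 0` test is still needed. The enclosing vmw_surface_define_ioctl() starts and ends outside the hunk, so the declared type of `num_sizes` should be confirmed there.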