From: Madhuparna Bhowmik madhuparnabhowmik04@gmail.com
commit f3265971ded98a069ad699b51b8a5ab95e9e5be1 upstream.
list_for_each_entry_rcu has built-in RCU and lock checking. Pass cond argument to list_for_each_entry_rcu.
Signed-off-by: Madhuparna Bhowmik madhuparnabhowmik04@gmail.com
Acked-by: Wei Liu wei.liu@kernel.org
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Hagar Hemdan hagarhem@amazon.com
---
This is a dependency to fix CVE-2024-49936 in 5.4.
diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c --- a/drivers/net/xen-netback/hash.c +++ b/drivers/net/xen-netback/hash.c @@ -51,7 +51,8 @@ static void xenvif_add_hash(struct xenvif *vif, const u8 *tag,
found = false; oldest = NULL; - list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) { + list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, + lockdep_is_held(&vif->hash.cache.lock)) { /* Make sure we don't add duplicate entries */ if (entry->len == len && memcmp(entry->tag, tag, len) == 0) @@ -102,7 +103,8 @@ static void xenvif_flush_hash(struct xenvif *vif)
spin_lock_irqsave(&vif->hash.cache.lock, flags);
- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) { + list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, + lockdep_is_held(&vif->hash.cache.lock)) { list_del_rcu(&entry->link); vif->hash.cache.count--; kfree_rcu(entry, rcu);
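Review bot: The `lockdep_is_held(&vif->hash.cache.lock)` condition added in the xenvif_add_hash hunk asserts that the cache spinlock is held around the walk, but the hunk's context starts at `found = false; oldest = NULL;` and does not show the lock being taken; please confirm that the 5.4.y copy of xenvif_add_hash acquires `vif->hash.cache.lock` before the loop, otherwise this backport turns a silent walk into a lockdep splat instead of documenting an existing invariant. The four-argument `list_for_each_entry_rcu` must also exist in 5.4.y for this to compile; the successful build on stable/linux-5.4.y reported further down the thread is the evidence for that.

Review bot: In the xenvif_flush_hash hunk the new condition only tells lockdep that the spinlock is held; it does not change the fact that an RCU iterator walks a list whose entries the loop body hands to `list_del_rcu()` and `kfree_rcu()` without an enclosing rcu_read_lock() section, which is the problem the follow-up patch in this series addresses with `list_for_each_entry_safe`. Taking this patch into 5.4 is therefore justified only as the dependency named in the cover text, not as a fix on its own.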
From: Jeongjun Park aha310510@gmail.com
commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 upstream.
During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free.
Therefore, to solve this, you need to change it to list_for_each_entry_safe.
Signed-off-by: Jeongjun Park aha310510@gmail.com
Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com
Signed-off-by: Jakub Kicinski kuba@kernel.org
Signed-off-by: Hagar Hemdan hagarhem@amazon.com
---
This is the main fix for CVE-2024-49936.
diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c --- a/drivers/net/xen-netback/hash.c +++ b/drivers/net/xen-netback/hash.c @@ -95,7 +95,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data,
static void xenvif_flush_hash(struct xenvif *vif) { - struct xenvif_hash_cache_entry *entry; + struct xenvif_hash_cache_entry *entry, *n; unsigned long flags;
if (xenvif_hash_cache_size == 0) @@ -103,8 +103,7 @@ static void xenvif_flush_hash(struct xenvif *vif)
spin_lock_irqsave(&vif->hash.cache.lock, flags);
- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, - lockdep_is_held(&vif->hash.cache.lock)) { + list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) { list_del_rcu(&entry->link); vif->hash.cache.count--; kfree_rcu(entry, rcu);
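Review bot: The switch to `list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link)` is the right primitive for this loop: it runs under `spin_lock_irqsave(&vif->hash.cache.lock, flags)` rather than an RCU read-side section, and the safe iterator loads `n` before the body calls `list_del_rcu()` and `kfree_rcu()` on `entry`, so the next pointer is never read from an entry that has already been queued for freeing. Keeping `list_del_rcu()` rather than a plain `list_del()` remains correct as long as other paths still walk the cache list under rcu_read_lock(). Dropping the `lockdep_is_held()` argument follows from no longer using the `_rcu` iterator, which is why the previous patch has to land first for this hunk to apply cleanly on 5.4.y.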
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12
WARNING: Author mismatch between patch and upstream commit:
Backport author: Hagar Hemdan hagarhem@amazon.com
Commit author: Jeongjun Park aha310510@gmail.com
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 143edf098b80)
6.1.y | Present (different SHA1: efcff6ce7467)
5.15.y | Present (different SHA1: a0465723b858)
5.10.y | Present (different SHA1: a7f0073fcd12)
5.4.y | Not found
Note: The patch differs from the upstream commit:
---
Failed to apply patch cleanly, falling back to interdiff...
---
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        | Failed      | N/A        |
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: f3265971ded98a069ad699b51b8a5ab95e9e5be1
WARNING: Author mismatch between patch and upstream commit:
Backport author: Hagar Hemdan hagarhem@amazon.com
Commit author: Madhuparna Bhowmik madhuparnabhowmik04@gmail.com
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)
5.15.y | Present (exact SHA1)
5.10.y | Present (exact SHA1)
5.4.y | Not found
Note: The patch differs from the upstream commit: --- 1: f3265971ded98 ! 1: 3a1397498ef8f net: xen-netback: hash.c: Use built-in RCU list checking @@ Metadata ## Commit message ## net: xen-netback: hash.c: Use built-in RCU list checking
+ commit f3265971ded98a069ad699b51b8a5ab95e9e5be1 upstream. + list_for_each_entry_rcu has built-in RCU and lock checking. Pass cond argument to list_for_each_entry_rcu.
Signed-off-by: Madhuparna Bhowmik madhuparnabhowmik04@gmail.com Acked-by: Wei Liu wei.liu@kernel.org Signed-off-by: David S. Miller davem@davemloft.net + Signed-off-by: Hagar Hemdan hagarhem@amazon.com
## drivers/net/xen-netback/hash.c ## @@ drivers/net/xen-netback/hash.c: static void xenvif_add_hash(struct xenvif *vif, const u8 *tag, ---
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        | Success     | Success    |