* [PATCH 5.4] net: xen-netback: hash.c: Use built-in RCU list checking
@ 2025-01-22 17:43 Hagar Hemdan
2025-01-22 17:43 ` [PATCH 5.4] net/xen-netback: prevent UAF in xenvif_flush_hash() Hagar Hemdan
2025-01-22 22:38 ` [PATCH 5.4] net: xen-netback: hash.c: Use built-in RCU list checking Sasha Levin
0 siblings, 2 replies; 4+ messages in thread
From: Hagar Hemdan @ 2025-01-22 17:43 UTC (permalink / raw)
Cc: stable, Madhuparna Bhowmik, Wei Liu, David S . Miller,
Hagar Hemdan
From: Madhuparna Bhowmik <madhuparnabhowmik04@gmail.com>
commit f3265971ded98a069ad699b51b8a5ab95e9e5be1 upstream.
list_for_each_entry_rcu has built-in RCU and lock checking.
Pass cond argument to list_for_each_entry_rcu.
Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik04@gmail.com>
Acked-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
---
This is a dependency to fix CVE-2024-49936 in 5.4.
diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c
--- a/drivers/net/xen-netback/hash.c
+++ b/drivers/net/xen-netback/hash.c
@@ -51,7 +51,8 @@ static void xenvif_add_hash(struct xenvif *vif, const u8 *tag,
found = false;
oldest = NULL;
- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) {
+ list_for_each_entry_rcu(entry, &vif->hash.cache.list, link,
+ lockdep_is_held(&vif->hash.cache.lock)) {
/* Make sure we don't add duplicate entries */
if (entry->len == len &&
memcmp(entry->tag, tag, len) == 0)
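Review bot: The new condition on the loop in xenvif_add_hash() asserts that vif->hash.cache.lock is held, but the acquisition is not visible in this hunk's context (only found = false; and oldest = NULL; precede the loop). Please confirm that the 5.4 version of xenvif_add_hash() takes the lock with spin_lock_irqsave() before this point, as xenvif_flush_hash() visibly does in the next hunk; if it does not, the lockdep_is_held() argument would make the RCU list check report a problem rather than pass.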
@@ -102,7 +103,8 @@ static void xenvif_flush_hash(struct xenvif *vif)
spin_lock_irqsave(&vif->hash.cache.lock, flags);
- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) {
+ list_for_each_entry_rcu(entry, &vif->hash.cache.list, link,
+ lockdep_is_held(&vif->hash.cache.lock)) {
list_del_rcu(&entry->link);
vif->hash.cache.count--;
kfree_rcu(entry, rcu);
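Review bot: In xenvif_flush_hash() the loop body still calls list_del_rcu() and kfree_rcu() on entry while list_for_each_entry_rcu() goes on to read that entry's next pointer for the following step; adding lockdep_is_held() documents the locking and does not change that. Since the note under the --- line says this is a dependency for the CVE-2024-49936 fix, it would help to state in the changelog that this loop is only made safe by the follow-up list_for_each_entry_safe() change, so the two backports are not picked separately.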
* [PATCH 5.4] net/xen-netback: prevent UAF in xenvif_flush_hash()
From: Hagar Hemdan @ 2025-01-22 17:43 UTC (permalink / raw)
Cc: stable, Jeongjun Park, Jakub Kicinski, Hagar Hemdan
From: Jeongjun Park <aha310510@gmail.com>
commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 upstream.
During the list_for_each_entry_rcu iteration call of xenvif_flush_hash,
kfree_rcu does not exist inside the rcu read critical section, so if
kfree_rcu is called when the rcu grace period ends during the iteration,
UAF occurs when accessing head->next after the entry becomes free.
Therefore, to solve this, you need to change it to list_for_each_entry_safe.
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
---
This is the main fix for CVE-2024-49936.
diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c
--- a/drivers/net/xen-netback/hash.c
+++ b/drivers/net/xen-netback/hash.c
@@ -95,7 +95,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data,
static void xenvif_flush_hash(struct xenvif *vif)
{
- struct xenvif_hash_cache_entry *entry;
+ struct xenvif_hash_cache_entry *entry, *n;
unsigned long flags;
if (xenvif_hash_cache_size == 0)
@@ -103,8 +103,7 @@ static void xenvif_flush_hash(struct xenvif *vif)
spin_lock_irqsave(&vif->hash.cache.lock, flags);
- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link,
- lockdep_is_held(&vif->hash.cache.lock)) {
+ list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) {
list_del_rcu(&entry->link);
vif->hash.cache.count--;
kfree_rcu(entry, rcu);
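Review bot: The removed lines in this hunk carry the lockdep_is_held(&vif->hash.cache.lock) argument, which exists in 5.4 only once the "Use built-in RCU list checking" backport is applied, yet both mails are tagged [PATCH 5.4] with no 1/2 and 2/2 numbering. Sending them as a numbered series would let tooling apply them in order. On the change itself, list_for_each_entry_safe() saves the next element in n before the body runs, so the loop no longer touches entry after kfree_rcu(); a short comment above the loop saying why the _safe iterator is used under the spinlock would keep a later cleanup from converting it back to the _rcu form.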
* Re: [PATCH 5.4] net/xen-netback: prevent UAF in xenvif_flush_hash()
From: Sasha Levin @ 2025-01-22 22:38 UTC (permalink / raw)
To: stable; +Cc: Hagar Hemdan, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12
WARNING: Author mismatch between patch and upstream commit:
Backport author: Hagar Hemdan<hagarhem@amazon.com>
Commit author: Jeongjun Park<aha310510@gmail.com>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 143edf098b80)
6.1.y | Present (different SHA1: efcff6ce7467)
5.15.y | Present (different SHA1: a0465723b858)
5.10.y | Present (different SHA1: a7f0073fcd12)
5.4.y | Not found
Note: The patch differs from the upstream commit:
---
Failed to apply patch cleanly, falling back to interdiff...
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y | Failed | N/A |
* Re: [PATCH 5.4] net: xen-netback: hash.c: Use built-in RCU list checking
From: Sasha Levin @ 2025-01-22 22:38 UTC (permalink / raw)
To: stable; +Cc: Hagar Hemdan, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: f3265971ded98a069ad699b51b8a5ab95e9e5be1
WARNING: Author mismatch between patch and upstream commit:
Backport author: Hagar Hemdan<hagarhem@amazon.com>
Commit author: Madhuparna Bhowmik<madhuparnabhowmik04@gmail.com>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)
5.15.y | Present (exact SHA1)
5.10.y | Present (exact SHA1)
5.4.y | Not found
Note: The patch differs from the upstream commit:
---
1: f3265971ded98 ! 1: 3a1397498ef8f net: xen-netback: hash.c: Use built-in RCU list checking
@@ Metadata
## Commit message ##
net: xen-netback: hash.c: Use built-in RCU list checking
+ commit f3265971ded98a069ad699b51b8a5ab95e9e5be1 upstream.
+
list_for_each_entry_rcu has built-in RCU and lock checking.
Pass cond argument to list_for_each_entry_rcu.
Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik04@gmail.com>
Acked-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
## drivers/net/xen-netback/hash.c ##
@@ drivers/net/xen-netback/hash.c: static void xenvif_add_hash(struct xenvif *vif, const u8 *tag,
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y | Success | Success |