public inbox for stable@vger.kernel.org
* [PATCH 5.4] net: xen-netback: hash.c: Use built-in RCU list checking
@ 2025-01-22 17:43 Hagar Hemdan
  2025-01-22 17:43 ` [PATCH 5.4] net/xen-netback: prevent UAF in xenvif_flush_hash() Hagar Hemdan
  2025-01-22 22:38 ` [PATCH 5.4] net: xen-netback: hash.c: Use built-in RCU list checking Sasha Levin
  0 siblings, 2 replies; 4+ messages in thread
From: Hagar Hemdan @ 2025-01-22 17:43 UTC (permalink / raw)
  Cc: stable, Madhuparna Bhowmik, Wei Liu, David S . Miller,
	Hagar Hemdan

From: Madhuparna Bhowmik <madhuparnabhowmik04@gmail.com>

commit f3265971ded98a069ad699b51b8a5ab95e9e5be1 upstream.

list_for_each_entry_rcu has built-in RCU and lock checking.
Pass cond argument to list_for_each_entry_rcu.

Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik04@gmail.com>
Acked-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
---
This is a dependency to fix CVE-2024-49936 in 5.4.

diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c
--- a/drivers/net/xen-netback/hash.c
+++ b/drivers/net/xen-netback/hash.c
@@ -51,7 +51,8 @@ static void xenvif_add_hash(struct xenvif *vif, const u8 *tag,
 
 	found = false;
 	oldest = NULL;
-	list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) {
+	list_for_each_entry_rcu(entry, &vif->hash.cache.list, link,
+				lockdep_is_held(&vif->hash.cache.lock)) {
 		/* Make sure we don't add duplicate entries */
 		if (entry->len == len &&
 		    memcmp(entry->tag, tag, len) == 0)
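Review bot: the lockdep_is_held(&vif->hash.cache.lock) condition added to this list_for_each_entry_rcu() call is a debug-only check: it is evaluated under CONFIG_PROVE_RCU_LIST and compiles to true otherwise, so no generated code changes. The hunk does not show xenvif_add_hash() taking vif->hash.cache.lock, so confirm the caller holds it around this walk (xenvif_flush_hash() below visibly does, via spin_lock_irqsave()); if it does not, a lockdep kernel will now warn on every cache insert, which would be a real finding rather than a false positive. The four-argument form of the macro must exist in 5.4.y for this to compile; the helper bot's build success on stable/linux-5.4.y confirms that it does.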
@@ -102,7 +103,8 @@ static void xenvif_flush_hash(struct xenvif *vif)
 
 	spin_lock_irqsave(&vif->hash.cache.lock, flags);
 
-	list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) {
+	list_for_each_entry_rcu(entry, &vif->hash.cache.list, link,
+				lockdep_is_held(&vif->hash.cache.lock)) {
 		list_del_rcu(&entry->link);
 		vif->hash.cache.count--;
 		kfree_rcu(entry, rcu);
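Review bot: the cond argument added here only tells lockdep that vif->hash.cache.lock is held; it does not change the loop body, which calls list_del_rcu() and kfree_rcu() on entry and then lets list_for_each_entry_rcu() advance by reading entry->link.next from an entry already handed to kfree_rcu(). Under spin_lock_irqsave() this is a writer-side walk, so list_for_each_entry_safe() is the right iterator, and that is exactly what the second patch in this series changes. Carrying this hunk first is still correct: the follow-up's context lines are the two-line form introduced here.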


* [PATCH 5.4] net/xen-netback: prevent UAF in xenvif_flush_hash()
  2025-01-22 17:43 [PATCH 5.4] net: xen-netback: hash.c: Use built-in RCU list checking Hagar Hemdan
@ 2025-01-22 17:43 ` Hagar Hemdan
  2025-01-22 22:38   ` Sasha Levin
  2025-01-22 22:38 ` [PATCH 5.4] net: xen-netback: hash.c: Use built-in RCU list checking Sasha Levin
  1 sibling, 1 reply; 4+ messages in thread
From: Hagar Hemdan @ 2025-01-22 17:43 UTC (permalink / raw)
  Cc: stable, Jeongjun Park, Jakub Kicinski, Hagar Hemdan

From: Jeongjun Park <aha310510@gmail.com>

commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 upstream.

During the list_for_each_entry_rcu iteration call of xenvif_flush_hash,
kfree_rcu does not exist inside the rcu read critical section, so if
kfree_rcu is called when the rcu grace period ends during the iteration,
UAF occurs when accessing head->next after the entry becomes free.

Therefore, to solve this, you need to change it to list_for_each_entry_safe.

Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
---
This is the main fix for CVE-2024-49936.

diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c
--- a/drivers/net/xen-netback/hash.c
+++ b/drivers/net/xen-netback/hash.c
@@ -95,7 +95,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data,
 
 static void xenvif_flush_hash(struct xenvif *vif)
 {
-	struct xenvif_hash_cache_entry *entry;
+	struct xenvif_hash_cache_entry *entry, *n;
 	unsigned long flags;
 
 	if (xenvif_hash_cache_size == 0)
@@ -103,8 +103,7 @@ static void xenvif_flush_hash(struct xenvif *vif)
 
 	spin_lock_irqsave(&vif->hash.cache.lock, flags);
 
-	list_for_each_entry_rcu(entry, &vif->hash.cache.list, link,
-				lockdep_is_held(&vif->hash.cache.lock)) {
+	list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) {
 		list_del_rcu(&entry->link);
 		vif->hash.cache.count--;
 		kfree_rcu(entry, rcu);
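Review bot: list_for_each_entry_safe() caches the successor in n before the body runs, so kfree_rcu(entry, rcu) can no longer feed a reclaimed entry's link.next back into the iterator; keeping list_del_rcu() rather than list_del() is right, since lockless readers of the cache may still be walking the list. Dropping the lockdep_is_held() argument loses nothing, because the non-RCU iterator has no such check and the spin_lock_irqsave() two lines up already shows the lock is held. Note that the `-` lines are the two-line form introduced by the first patch of this series; against a 5.4.y tree without it the hunk does not match, which is the 'Failed to apply' the helper bot reports below, so the two patches must land in order.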

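The hazard the commit message above describes, shown in a user-space C model that is an added example, not code from the patch or from the kernel tree: the two loop shapes of xenvif_flush_hash() are written out over a minimal copy of the list_head API, with kfree_rcu() modelled as reclaiming the entry at once with poisoned links (the grace period ending before the iterator advances, the case the fix guards against). struct cache_entry, the static pool, and the build_cache()/cache_len() helpers are assumptions of the example; the sample tags are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Minimal user-space copy of the list_head API (names follow
 * include/linux/list.h; example code, not kernel code). */
struct list_head { struct list_head *next, *prev; };

#define LIST_POISON1 ((struct list_head *)0x100)	/* as in linux/poison.h */
#define LIST_POISON2 ((struct list_head *)0x122)
#define list_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *entry, struct list_head *head)
{
	entry->prev = head->prev;
	entry->next = head;
	head->prev->next = entry;
	head->prev = entry;
}

/* list_del_rcu() unlinks but keeps entry->next so lockless readers already
 * on the entry can still walk off it. */
static void list_del_rcu(struct list_head *entry)
{
	entry->next->prev = entry->prev;
	entry->prev->next = entry->next;
	entry->prev = LIST_POISON2;
}

/* Assumed stand-in for struct xenvif_hash_cache_entry, taken from a static
 * pool so the model never reads memory that was really freed. */
struct cache_entry {
	struct list_head link;
	unsigned int len;
	unsigned char tag[8];
};
#define POOL_SIZE 8
static struct cache_entry pool[POOL_SIZE];

/* Model of kfree_rcu(): the kernel defers the free to the end of a grace
 * period; here that period is taken to end before the iterator advances
 * (the case the fix guards against), so the entry is poisoned at once. */
static void model_kfree_rcu(struct cache_entry *e)
{
	e->link.next = LIST_POISON1;
	e->link.prev = LIST_POISON2;
}

/* Pre-fix loop shape: list_for_each_entry_rcu() advances by reading
 * entry->link.next after the body handed entry to kfree_rcu(). Returns -1
 * when that read hits poison (a UAF on real hardware). */
static int flush_unsafe(struct list_head *head, int *removed)
{
	struct list_head *pos = head->next;
	*removed = 0;
	while (pos != head) {
		struct cache_entry *e = list_entry(pos, struct cache_entry, link);
		list_del_rcu(&e->link);
		model_kfree_rcu(e);
		(*removed)++;
		pos = e->link.next;	/* stale read: e is already reclaimed */
		if (pos == LIST_POISON1)
			return -1;
	}
	return 0;
}

/* Fixed loop shape, list_for_each_entry_safe(): the successor is cached in
 * n before the body frees the current entry. Returns the entries removed. */
static int flush_safe(struct list_head *head)
{
	struct list_head *pos, *n;
	int removed = 0;
	for (pos = head->next, n = pos->next; pos != head; pos = n, n = pos->next) {
		struct cache_entry *e = list_entry(pos, struct cache_entry, link);
		list_del_rcu(&e->link);
		model_kfree_rcu(e);
		removed++;
	}
	return removed;
}

/* Fill the cache with count entries (at most POOL_SIZE) carrying constructed
 * 4-byte tags "aaaa", "bbbb", ... */
static int build_cache(struct list_head *head, int count)
{
	INIT_LIST_HEAD(head);
	if (count < 0 || count > POOL_SIZE)
		return -1;
	for (int i = 0; i < count; i++) {
		pool[i].len = 4;
		memset(pool[i].tag, 'a' + i, pool[i].len);
		list_add_tail(&pool[i].link, head);
	}
	return 0;
}

static int cache_len(const struct list_head *head)
{
	int n = 0;
	for (const struct list_head *p = head->next; p != head; p = p->next)
		n++;
	return n;
}
```

On a three-entry cache, flush_unsafe() removes one entry and then reads a poisoned link.next, which is the point at which the real driver would dereference freed memory; flush_safe() on the same list drains it completely because n was read before the current entry was handed to kfree_rcu(). The model poisons instead of freeing so the stale read is observable rather than undefined behaviour; in the kernel the same read hits whatever the allocator did with the block.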

* Re: [PATCH 5.4] net/xen-netback: prevent UAF in xenvif_flush_hash()
  2025-01-22 17:43 ` [PATCH 5.4] net/xen-netback: prevent UAF in xenvif_flush_hash() Hagar Hemdan
@ 2025-01-22 22:38   ` Sasha Levin
  0 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2025-01-22 22:38 UTC (permalink / raw)
  To: stable; +Cc: Hagar Hemdan, Sasha Levin

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12

WARNING: Author mismatch between patch and upstream commit:
Backport author: Hagar Hemdan<hagarhem@amazon.com>
Commit author: Jeongjun Park<aha310510@gmail.com>


Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 143edf098b80)
6.1.y | Present (different SHA1: efcff6ce7467)
5.15.y | Present (different SHA1: a0465723b858)
5.10.y | Present (different SHA1: a7f0073fcd12)
5.4.y | Not found

Note: The patch differs from the upstream commit:
---
Failed to apply patch cleanly, falling back to interdiff...
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        |  Failed     |  N/A       |


* Re: [PATCH 5.4] net: xen-netback: hash.c: Use built-in RCU list checking
  2025-01-22 17:43 [PATCH 5.4] net: xen-netback: hash.c: Use built-in RCU list checking Hagar Hemdan
  2025-01-22 17:43 ` [PATCH 5.4] net/xen-netback: prevent UAF in xenvif_flush_hash() Hagar Hemdan
@ 2025-01-22 22:38 ` Sasha Levin
  1 sibling, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2025-01-22 22:38 UTC (permalink / raw)
  To: stable; +Cc: Hagar Hemdan, Sasha Levin

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: f3265971ded98a069ad699b51b8a5ab95e9e5be1

WARNING: Author mismatch between patch and upstream commit:
Backport author: Hagar Hemdan<hagarhem@amazon.com>
Commit author: Madhuparna Bhowmik<madhuparnabhowmik04@gmail.com>


Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)
5.15.y | Present (exact SHA1)
5.10.y | Present (exact SHA1)
5.4.y | Not found

Note: The patch differs from the upstream commit:
---
1:  f3265971ded98 ! 1:  3a1397498ef8f net: xen-netback: hash.c: Use built-in RCU list checking
    @@ Metadata
      ## Commit message ##
         net: xen-netback: hash.c: Use built-in RCU list checking
     
    +    commit f3265971ded98a069ad699b51b8a5ab95e9e5be1 upstream.
    +
         list_for_each_entry_rcu has built-in RCU and lock checking.
         Pass cond argument to list_for_each_entry_rcu.
     
         Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik04@gmail.com>
         Acked-by: Wei Liu <wei.liu@kernel.org>
         Signed-off-by: David S. Miller <davem@davemloft.net>
    +    Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
     
      ## drivers/net/xen-netback/hash.c ##
     @@ drivers/net/xen-netback/hash.c: static void xenvif_add_hash(struct xenvif *vif, const u8 *tag,
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        |  Success    |  Success   |

