authorSalvatore Bonaccorso <carnil@debian.org>2021-06-09 22:02:22 +0200
committerSalvatore Bonaccorso <carnil@debian.org>2021-06-09 22:03:15 +0200
commit1cef9973a694e0f2a38b0a5ea509c77ab63829e6 (patch)
treececf1270b8de453feda927c74e92d4ad79cbbbaa
parent044e36c50f72a357706e8849b2283b02ae8c233c (diff)
xen-netback: take a reference to the RX task thread (CVE-2021-28691)
-rw-r--r--debian/changelog1
-rw-r--r--debian/patches/bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch58
-rw-r--r--debian/patches/series1
3 files changed, 60 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 845050b66898..4dafa5a0383c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -228,6 +228,7 @@ linux (5.10.42-1) UNRELEASED; urgency=medium
* Ignore some ABI changes that should not affect OOT modules
* Bump ABI to 8
* net: usb: cdc_ncm: don't spew notifications (Closes: #989451)
+ * xen-netback: take a reference to the RX task thread (CVE-2021-28691)
[ Vagrant Cascadian ]
* [arm64] Add pwm-rockchip to fb-modules udeb.
diff --git a/debian/patches/bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch b/debian/patches/bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch
new file mode 100644
index 000000000000..927c0b4da2a0
--- /dev/null
+++ b/debian/patches/bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch
@@ -0,0 +1,58 @@
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Mon, 7 Jun 2021 15:13:15 +0200
+Subject: xen-netback: take a reference to the RX task thread
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/107866a8eb0b664675a260f1ba0655010fac1e08
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-28691
+
+Do this in order to prevent the task from being freed if the thread
+returns (which can be triggered by the frontend) before the call to
+kthread_stop done as part of the backend tear down. Not taking the
+reference will lead to a use-after-free in that scenario. Such
+reference was taken before but dropped as part of the rework done in
+2ac061ce97f4.
+
+Reintroduce the reference taking and add a comment this time
+explaining why it's needed.
+
+This is XSA-374 / CVE-2021-28691.
+
+Fixes: 2ac061ce97f4 ('xen/netback: cleanup init and deinit code')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+---
+ drivers/net/xen-netback/interface.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
+index 193b723fe3bd..c58996c1e230 100644
+--- a/drivers/net/xen-netback/interface.c
++++ b/drivers/net/xen-netback/interface.c
+@@ -684,6 +684,7 @@ static void xenvif_disconnect_queue(struct xenvif_queue *queue)
+ {
+ if (queue->task) {
+ kthread_stop(queue->task);
++ put_task_struct(queue->task);
+ queue->task = NULL;
+ }
+
+@@ -745,6 +746,11 @@ int xenvif_connect_data(struct xenvif_queue *queue,
+ if (IS_ERR(task))
+ goto kthread_err;
+ queue->task = task;
++ /*
++ * Take a reference to the task in order to prevent it from being freed
++ * if the thread function returns before kthread_stop is called.
++ */
++ get_task_struct(task);
+
+ task = kthread_run(xenvif_dealloc_kthread, queue,
+ "%s-dealloc", queue->name);
+--
+2.32.0
+
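Review bot: The new `get_task_struct(task);` in xenvif_connect_data is only balanced by the `put_task_struct(queue->task);` added to xenvif_disconnect_queue, so every failure path after that line (the dealloc `kthread_run` a few lines below, and anything later in the function) must unwind through xenvif_disconnect_queue or drop the reference itself, or a failed connect leaks the task_struct. Both enclosing functions start and end outside the hunk, so this cannot be confirmed from the patch alone; the `kthread_err`/`err` labels in the backported tree are the place to check. The ordering in xenvif_disconnect_queue, kthread_stop before put_task_struct, is the right one, since kthread_stop dereferences the task and the extra reference is what keeps it valid once the thread function has already returned. A short comment above the put, e.g. `/* Drop the reference taken in xenvif_connect_data(). */`, would tie the two sites together for the next reader.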
diff --git a/debian/patches/series b/debian/patches/series
index 71407a56dc73..d32cbd8dc4f2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -116,6 +116,7 @@ features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signatu
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
debian/ntfs-mark-it-as-broken.patch
bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch
+bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch