author | Salvatore Bonaccorso <carnil@debian.org> | 2021-06-09 22:02:22 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2021-06-09 22:03:15 +0200 |
commit | 1cef9973a694e0f2a38b0a5ea509c77ab63829e6 (patch) | |
tree | cecf1270b8de453feda927c74e92d4ad79cbbbaa | |
parent | 044e36c50f72a357706e8849b2283b02ae8c233c (diff) | |
xen-netback: take a reference to the RX task thread (CVE-2021-28691)
-rw-r--r-- | debian/changelog | 1 | ||||
-rw-r--r-- | debian/patches/bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch | 58 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 60 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 845050b66898..4dafa5a0383c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -228,6 +228,7 @@ linux (5.10.42-1) UNRELEASED; urgency=medium
 * Ignore some ABI changes that should not affect OOT modules
 * Bump ABI to 8
 * net: usb: cdc_ncm: don't spew notifications (Closes: #989451)
+ * xen-netback: take a reference to the RX task thread (CVE-2021-28691)
 [ Vagrant Cascadian ]
 * [arm64] Add pwm-rockchip to fb-modules udeb.
diff --git a/debian/patches/bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch b/debian/patches/bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch
new file mode 100644
index 000000000000..927c0b4da2a0
--- /dev/null
+++ b/debian/patches/bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch
@@ -0,0 +1,58 @@
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Mon, 7 Jun 2021 15:13:15 +0200
+Subject: xen-netback: take a reference to the RX task thread
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/107866a8eb0b664675a260f1ba0655010fac1e08
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-28691
+
+Do this in order to prevent the task from being freed if the thread
+returns (which can be triggered by the frontend) before the call to
+kthread_stop done as part of the backend tear down. Not taking the
+reference will lead to a use-after-free in that scenario. Such
+reference was taken before but dropped as part of the rework done in
+2ac061ce97f4.
+
+Reintroduce the reference taking and add a comment this time
+explaining why it's needed.
+
+This is XSA-374 / CVE-2021-28691.
+
+Fixes: 2ac061ce97f4 ('xen/netback: cleanup init and deinit code')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+---
+ drivers/net/xen-netback/interface.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
+index 193b723fe3bd..c58996c1e230 100644
+--- a/drivers/net/xen-netback/interface.c
++++ b/drivers/net/xen-netback/interface.c
+@@ -684,6 +684,7 @@ static void xenvif_disconnect_queue(struct xenvif_queue *queue)
+ {
+ if (queue->task) {
+ kthread_stop(queue->task);
++ put_task_struct(queue->task);
+ queue->task = NULL;
+ }
+
+@@ -745,6 +746,11 @@ int xenvif_connect_data(struct xenvif_queue *queue,
+ if (IS_ERR(task))
+ goto kthread_err;
+ queue->task = task;
++ /*
++ * Take a reference to the task in order to prevent it from being freed
++ * if the thread function returns before kthread_stop is called.
++ */
++ get_task_struct(task);
+
+ task = kthread_run(xenvif_dealloc_kthread, queue,
+ "%s-dealloc", queue->name);
+--
+2.32.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 71407a56dc73..d32cbd8dc4f2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -116,6 +116,7 @@ features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signatu
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/ntfs-mark-it-as-broken.patch
 bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch
+bugfix/all/xen-netback-take-a-reference-to-the-RX-task-thread.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch |
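Review bot: In the `xenvif_connect_data()` hunk of the embedded interface.c patch, `get_task_struct(task)` runs only after the RX thread has been created and stored in `queue->task`. The creation call sits above the hunk, but if it is a `kthread_run()` like the visible dealloc one, the thread is already runnable before the reference exists. That would leave a narrow window in which the early return the commit message describes could precede the reference. It is worth confirming whether that window is reachable; creating the thread with `kthread_create()` and then calling `get_task_struct(task); wake_up_process(task);` would close it by construction. On the teardown side, a short comment above `put_task_struct(queue->task);` such as `/* Drop the reference taken in xenvif_connect_data(). */` would document the pairing; both functions continue outside their hunks, so the error path after the dealloc `kthread_run()` should also be checked to make sure it reaches that put.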