xen/netback: don't call kfree_skb() with interrupts disabled

stable inclusion from stable-v5.10.159 commit 83632fc41449c480f2d0193683ec202caaa186c9 category: bugfix bugzilla: 188137, https://gitee.com/src-openeuler/kernel/issues/I651DP CVE: CVE-2022-42328 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=83632fc41449c480f2d0193683ec202caaa186c9 -------------------------------- [ Upstream commit 74e7e1ef ] It is not allowed to call kfree_skb() from hardware interrupt context or with interrupts being disabled. So remove kfree_skb() from the spin_lock_irqsave() section and use the already existing "drop" label in xenvif_start_xmit() for dropping the SKB. At the same time replace the dev_kfree_skb() call there with a call of dev_kfree_skb_any(), as xenvif_start_xmit() can be called with disabled interrupts. This is XSA-424 / CVE-2022-42328 / CVE-2022-42329. Fixes: be81992f ("xen/netback: don't queue unlimited number of packages") Reported-by: N Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: N Juergen Gross <jgross@suse.com> Reviewed-by: N Jan Beulich <jbeulich@suse.com> Signed-off-by: N Juergen Gross <jgross@suse.com> Signed-off-by: N Sasha Levin <sashal@kernel.org> conflict: drivers/net/xen-netback/common.h Signed-off-by: N Lu Wei <luwei32@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

xen/netback: don't call kfree_skb() with interrupts disabled
stable inclusion from stable-v5.10.159 commit 83632fc41449c480f2d0193683ec202caaa186c9 category: bugfix bugzilla: 188137, https://gitee.com/src-openeuler/kernel/issues/I651DP CVE: CVE-2022-42328 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=83632fc41449c480f2d0193683ec202caaa186c9 -------------------------------- [ Upstream commit 74e7e1ef ] It is not allowed to call kfree_skb() from hardware interrupt context or with interrupts being disabled. So remove kfree_skb() from the spin_lock_irqsave() section and use the already existing "drop" label in xenvif_start_xmit() for dropping the SKB. At the same time replace the dev_kfree_skb() call there with a call of dev_kfree_skb_any(), as xenvif_start_xmit() can be called with disabled interrupts. This is XSA-424 / CVE-2022-42328 / CVE-2022-42329. Fixes: be81992f ("xen/netback: don't queue unlimited number of packages") Reported-by: N Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: N Juergen Gross <jgross@suse.com> Reviewed-by: N Jan Beulich <jbeulich@suse.com> Signed-off-by: N Juergen Gross <jgross@suse.com> Signed-off-by: N Sasha Levin <sashal@kernel.org> conflict: drivers/net/xen-netback/common.h Signed-off-by: N Lu Wei <luwei32@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
1d0e6131 · Juergen Gross · Zheng Zengkai · 6187aefd · 1d0e6131 · 1d0e6131
Showing with 10 addition and 6 deletion

drivers/net/xen-netback/common.h drivers/net/xen-netback/common.h +1 -1

drivers/net/xen-netback/interface.c drivers/net/xen-netback/interface.c +4 -2

drivers/net/xen-netback/rx.c drivers/net/xen-netback/rx.c +5 -3

未找到文件。
--- a/drivers/net/xen-netback/common.h
+++ b/drivers/net/xen-netback/common.h
@@ -395,7 +395,7 @@ irqreturn_t xenvif_ctrl_irq_fn(int irq, void *data);

 bool xenvif_have_rx_work(struct xenvif_queue *queue, bool test_kthread);
 void xenvif_rx_action(struct xenvif_queue *queue);
-void xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb);
+bool xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb);

 void xenvif_carrier_on(struct xenvif *vif);


--- a/drivers/net/xen-netback/interface.c
+++ b/drivers/net/xen-netback/interface.c
@@ -269,14 +269,16 @@ xenvif_start_xmit(struct sk_buff *skb, struct net_device *dev)
 	if (vif->hash.alg == XEN_NETIF_CTRL_HASH_ALGORITHM_NONE)
 		skb_clear_hash(skb);

-	xenvif_rx_queue_tail(queue, skb);
+	if (!xenvif_rx_queue_tail(queue, skb))
+		goto drop;
+
 	xenvif_kick_thread(queue);

 	return NETDEV_TX_OK;

 drop:
 	vif->dev->stats.tx_dropped++;
-	dev_kfree_skb(skb);
+	dev_kfree_skb_any(skb);
 	return NETDEV_TX_OK;
 }


--- a/drivers/net/xen-netback/rx.c
+++ b/drivers/net/xen-netback/rx.c
@@ -82,9 +82,10 @@ static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue)
 	return false;
 }

-void xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb)
+bool xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb)
 {
 	unsigned long flags;
+	bool ret = true;

 	spin_lock_irqsave(&queue->rx_queue.lock, flags);

@@ -92,8 +93,7 @@ void xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb)
 		struct net_device *dev = queue->vif->dev;

 		netif_tx_stop_queue(netdev_get_tx_queue(dev, queue->id));
-		kfree_skb(skb);
-		queue->vif->dev->stats.rx_dropped++;
+		ret = false;
 	} else {
 		if (skb_queue_empty(&queue->rx_queue))
 			xenvif_update_needed_slots(queue, skb);
@@ -104,6 +104,8 @@ void xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb)
 	}

 	spin_unlock_irqrestore(&queue->rx_queue.lock, flags);
+
+	return ret;
 }

 static struct sk_buff *xenvif_rx_dequeue(struct xenvif_queue *queue)