5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 Jun 2021 17:59:00 +0000 (19:59 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 Jun 2021 17:59:00 +0000 (19:59 +0200)
added patches:
neighbour-allow-nud_noarp-entries-to-be-forced-gced.patch
xen-netback-take-a-reference-to-the-rx-task-thread.patch

queue-5.10/neighbour-allow-nud_noarp-entries-to-be-forced-gced.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/xen-netback-take-a-reference-to-the-rx-task-thread.patch [new file with mode: 0644]

diff --git a/queue-5.10/neighbour-allow-nud_noarp-entries-to-be-forced-gced.patch b/queue-5.10/neighbour-allow-nud_noarp-entries-to-be-forced-gced.patch
new file mode 100644 (file)
index 0000000..c883753
--- /dev/null
@@ -0,0 +1,37 @@
+From 7a6b1ab7475fd6478eeaf5c9d1163e7a18125c8f Mon Sep 17 00:00:00 2001
+From: David Ahern <dsahern@kernel.org>
+Date: Mon, 7 Jun 2021 11:35:30 -0600
+Subject: neighbour: allow NUD_NOARP entries to be forced GCed
+
+From: David Ahern <dsahern@kernel.org>
+
+commit 7a6b1ab7475fd6478eeaf5c9d1163e7a18125c8f upstream.
+
+IFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. It's possible to
+fill up the neighbour table with enough entries that it will overflow for
+valid connections after that.
+
+This behaviour is more prevalent after commit 58956317c8de ("neighbor:
+Improve garbage collection") is applied, as it prevents removal from
+entries that are not NUD_FAILED, unless they are more than 5s old.
+
+Fixes: 58956317c8de (neighbor: Improve garbage collection)
+Reported-by: Kasper Dupont <kasperd@gjkwv.06.feb.2021.kasperd.net>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -239,6 +239,7 @@ static int neigh_forced_gc(struct neigh_
+                       write_lock(&n->lock);
+                       if ((n->nud_state == NUD_FAILED) ||
++                          (n->nud_state == NUD_NOARP) ||
+                           (tbl->is_multicast &&
+                            tbl->is_multicast(n->primary_key)) ||
+                           time_after(tref, n->updated))
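Review bot: The added `(n->nud_state == NUD_NOARP) ||` term has no comment, and it is the one term in this condition whose reason cannot be read from the code; the rationale lives only in the commit message. I would add above the `if` something like `/* NOARP entries (IPv6 on IFF_POINTOPOINT) can fill the table; reclaim them regardless of age */`. Because the terms are OR-ed, a NUD_NOARP entry is removed without passing the `time_after(tref, n->updated)` age check, so entries for live point-to-point peers can be evicted under table pressure; that looks like the intended trade-off against table exhaustion, but it should be stated where the next maintainer will see it. neigh_forced_gc starts and ends outside the hunk, so any outer conditions that gate this branch are not visible here.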
index 0722ec6108976f9c2c8d471e2ac82b1a7063a9fe..b7d94bb2a5a52ef225e41b13d15036af1ec56ac8 100644 (file)
@@ -133,3 +133,5 @@ x86-kvm-disable-all-pv-features-on-crash.patch
 lib-lz4-explicitly-support-in-place-decompression.patch
 i2c-qcom-geni-suspend-and-resume-the-bus-during-system_sleep_pm-ops.patch
 netfilter-nf_tables-missing-error-reporting-for-not-selected-expressions.patch
+xen-netback-take-a-reference-to-the-rx-task-thread.patch
+neighbour-allow-nud_noarp-entries-to-be-forced-gced.patch
diff --git a/queue-5.10/xen-netback-take-a-reference-to-the-rx-task-thread.patch b/queue-5.10/xen-netback-take-a-reference-to-the-rx-task-thread.patch
new file mode 100644 (file)
index 0000000..2ff98d9
--- /dev/null
@@ -0,0 +1,57 @@
+From 107866a8eb0b664675a260f1ba0655010fac1e08 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Mon, 7 Jun 2021 15:13:15 +0200
+Subject: xen-netback: take a reference to the RX task thread
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+commit 107866a8eb0b664675a260f1ba0655010fac1e08 upstream.
+
+Do this in order to prevent the task from being freed if the thread
+returns (which can be triggered by the frontend) before the call to
+kthread_stop done as part of the backend tear down. Not taking the
+reference will lead to a use-after-free in that scenario. Such
+reference was taken before but dropped as part of the rework done in
+2ac061ce97f4.
+
+Reintroduce the reference taking and add a comment this time
+explaining why it's needed.
+
+This is XSA-374 / CVE-2021-28691.
+
+Fixes: 2ac061ce97f4 ('xen/netback: cleanup init and deinit code')
+Signed-off-by: Roger Pau MonnĂ© <roger.pau@citrix.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netback/interface.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/xen-netback/interface.c
++++ b/drivers/net/xen-netback/interface.c
+@@ -685,6 +685,7 @@ static void xenvif_disconnect_queue(stru
+ {
+       if (queue->task) {
+               kthread_stop(queue->task);
++              put_task_struct(queue->task);
+               queue->task = NULL;
+       }
+@@ -745,6 +746,11 @@ int xenvif_connect_data(struct xenvif_qu
+       if (IS_ERR(task))
+               goto kthread_err;
+       queue->task = task;
++      /*
++       * Take a reference to the task in order to prevent it from being freed
++       * if the thread function returns before kthread_stop is called.
++       */
++      get_task_struct(task);
+       task = kthread_run(xenvif_dealloc_kthread, queue,
+                          "%s-dealloc", queue->name);
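Review bot: The `put_task_struct(queue->task);` added in xenvif_disconnect_queue carries no comment tying it to the `get_task_struct(task);` in xenvif_connect_data, although the commit message says this same reference was dropped once before during a cleanup; I would add `/* Drop the reference taken in xenvif_connect_data(). */` above the put so the pair is not split again. The get is also taken only after kthread_run() has returned and `queue->task` has been assigned, so the thread is already runnable at that point; whether it can return inside that window is not visible in this hunk and is worth confirming. Both functions start and end outside the hunk, so the `kthread_err` path, which must still reach the put once the reference is held, cannot be checked from here.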