From: Greg Kroah-Hartman Date: Tue, 17 Dec 2024 14:13:20 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.4.288~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b9e93755ae497b2bdf179af3c6f01c714c45998d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: xen-netfront-fix-crash-when-removing-device.patch --- diff --git a/queue-5.4/series b/queue-5.4/series index 37cf7ac90c0..d739823ac30 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -20,3 +20,4 @@ blk-iocost-fix-weight-updates-of-inner-active-iocgs.patch blk-iocost-avoid-using-clamp-on-inuse-in-__propagate.patch kvm-arm64-ignore-pmcntenset_el0-while-checking-for-overflow-status.patch tracing-kprobes-skip-symbol-counting-logic-for-module-symbols-in-create_local_trace_kprobe.patch +xen-netfront-fix-crash-when-removing-device.patch diff --git a/queue-5.4/xen-netfront-fix-crash-when-removing-device.patch b/queue-5.4/xen-netfront-fix-crash-when-removing-device.patch new file mode 100644 index 00000000000..fd8a0b06db1 --- /dev/null +++ b/queue-5.4/xen-netfront-fix-crash-when-removing-device.patch @@ -0,0 +1,47 @@ +From 38cf925d9b66ff80bb9784e0c8872b5fe3f9347a Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Thu, 7 Nov 2024 16:17:00 +0100 +Subject: xen/netfront: fix crash when removing device + +From: Juergen Gross + +commit f9244fb55f37356f75c739c57323d9422d7aa0f8 upstream. + +When removing a netfront device directly after a suspend/resume cycle +it might happen that the queues have not been setup again, causing a +crash during the attempt to stop the queues another time. + +Fix that by checking the queues are existing before trying to stop +them. + +This is XSA-465 / CVE-2024-53240. + +Reported-by: Marek Marczykowski-Górecki +Fixes: d50b7914fae0 ("xen-netfront: Fix NULL sring after live migration") +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netfront.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -787,7 +787,7 @@ static netdev_tx_t xennet_start_xmit(str + static int xennet_close(struct net_device *dev) + { + struct netfront_info *np = netdev_priv(dev); +- unsigned int num_queues = dev->real_num_tx_queues; ++ unsigned int num_queues = np->queues ? dev->real_num_tx_queues : 0; + unsigned int i; + struct netfront_queue *queue; + netif_tx_stop_all_queues(np->netdev); +@@ -802,6 +802,9 @@ static void xennet_destroy_queues(struct + { + unsigned int i; + ++ if (!info->queues) ++ return; ++ + for (i = 0; i < info->netdev->real_num_tx_queues; i++) { + struct netfront_queue *queue = &info->queues[i]; +