From 822aaee498da4f01019acc1dbc2f93726c88c5b0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 8 Jun 2021 19:59:14 +0200
Subject: [PATCH] 5.12-stable patches
added patches:
neighbour-allow-nud_noarp-entries-to-be-forced-gced.patch
xen-netback-take-a-reference-to-the-rx-task-thread.patch
---
 ...-nud_noarp-entries-to-be-forced-gced.patch | 37 ++++++++++++
 queue-5.12/series | 2 +
 ...ke-a-reference-to-the-rx-task-thread.patch | 57 +++++++++++++++++++
 3 files changed, 96 insertions(+)
 create mode 100644 queue-5.12/neighbour-allow-nud_noarp-entries-to-be-forced-gced.patch
 create mode 100644 queue-5.12/xen-netback-take-a-reference-to-the-rx-task-thread.patch
diff --git a/queue-5.12/neighbour-allow-nud_noarp-entries-to-be-forced-gced.patch b/queue-5.12/neighbour-allow-nud_noarp-entries-to-be-forced-gced.patch
new file mode 100644
index 00000000000..faa31f34426
--- /dev/null
+++ b/queue-5.12/neighbour-allow-nud_noarp-entries-to-be-forced-gced.patch
@@ -0,0 +1,37 @@
+From 7a6b1ab7475fd6478eeaf5c9d1163e7a18125c8f Mon Sep 17 00:00:00 2001
+From: David Ahern
+Date: Mon, 7 Jun 2021 11:35:30 -0600
+Subject: neighbour: allow NUD_NOARP entries to be forced GCed
+
+From: David Ahern
+
+commit 7a6b1ab7475fd6478eeaf5c9d1163e7a18125c8f upstream.
+
+IFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. It's possible to
+fill up the neighbour table with enough entries that it will overflow for
+valid connections after that.
+
+This behaviour is more prevalent after commit 58956317c8de ("neighbor:
+Improve garbage collection") is applied, as it prevents removal from
+entries that are not NUD_FAILED, unless they are more than 5s old.
+
+Fixes: 58956317c8de (neighbor: Improve garbage collection)
+Reported-by: Kasper Dupont
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Signed-off-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/neighbour.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -238,6 +238,7 @@ static int neigh_forced_gc(struct neigh_
+ 
+ write_lock(&n->lock);
+ if ((n->nud_state == NUD_FAILED) ||
++ (n->nud_state == NUD_NOARP) ||
+ (tbl->is_multicast &&
+ tbl->is_multicast(n->primary_key)) ||
+ time_after(tref, n->updated))
diff --git a/queue-5.12/series b/queue-5.12/series
index 81bd932e648..94213c4091d 100644
--- a/queue-5.12/series
+++ b/queue-5.12/series
@@ -157,3 +157,5 @@ arm-omap1-isp1301-omap-add-missing-gpiod_add_lookup_table-function.patch
 i2c-qcom-geni-suspend-and-resume-the-bus-during-system_sleep_pm-ops.patch
 x86-fault-don-t-send-sigsegv-twice-on-segv_pkuerr.patch
 netfilter-nf_tables-missing-error-reporting-for-not-selected-expressions.patch
+xen-netback-take-a-reference-to-the-rx-task-thread.patch
+neighbour-allow-nud_noarp-entries-to-be-forced-gced.patch
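Review bot: The new `(n->nud_state == NUD_NOARP) ||` condition in neigh_forced_gc carries no comment, and the reason these entries are now eligible lives only in the commit message (IFF_POINTOPOINT IPv6 neighbours are created as NUD_NOARP and can fill the table until valid connections overflow). A comment above the line such as `/* NUD_NOARP entries (e.g. IPv6 on IFF_POINTOPOINT devices) can fill the table; treat them like NUD_FAILED for forced GC. */` keeps that rationale next to the check. It is also worth stating that this makes NUD_NOARP entries collectable regardless of age, unlike the `time_after(tref, n->updated)` branch; that appears to be the intent given the exhaustion report, but the asymmetry is not obvious from the code. neigh_forced_gc starts and ends outside the hunk, so the surrounding locking is taken on trust here.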
diff --git a/queue-5.12/xen-netback-take-a-reference-to-the-rx-task-thread.patch b/queue-5.12/xen-netback-take-a-reference-to-the-rx-task-thread.patch
new file mode 100644
index 00000000000..f65aa64758d
--- /dev/null
+++ b/queue-5.12/xen-netback-take-a-reference-to-the-rx-task-thread.patch
@@ -0,0 +1,57 @@
+From 107866a8eb0b664675a260f1ba0655010fac1e08 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne
+Date: Mon, 7 Jun 2021 15:13:15 +0200
+Subject: xen-netback: take a reference to the RX task thread
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne
+
+commit 107866a8eb0b664675a260f1ba0655010fac1e08 upstream.
+
+Do this in order to prevent the task from being freed if the thread
+returns (which can be triggered by the frontend) before the call to
+kthread_stop done as part of the backend tear down. Not taking the
+reference will lead to a use-after-free in that scenario. Such
+reference was taken before but dropped as part of the rework done in
+2ac061ce97f4.
+
+Reintroduce the reference taking and add a comment this time
+explaining why it's needed.
+
+This is XSA-374 / CVE-2021-28691.
+
+Fixes: 2ac061ce97f4 ('xen/netback: cleanup init and deinit code')
+Signed-off-by: Roger Pau Monné
+Cc: stable@vger.kernel.org
+Reviewed-by: Jan Beulich
+Reviewed-by: Juergen Gross
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/xen-netback/interface.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/xen-netback/interface.c
++++ b/drivers/net/xen-netback/interface.c
+@@ -684,6 +684,7 @@ static void xenvif_disconnect_queue(stru
+ {
+ if (queue->task) {
+ kthread_stop(queue->task);
++ put_task_struct(queue->task);
+ queue->task = NULL;
+ }
+ 
+@@ -745,6 +746,11 @@ int xenvif_connect_data(struct xenvif_qu
+ if (IS_ERR(task))
+ goto kthread_err;
+ queue->task = task;
++ /*
++ * Take a reference to the task in order to prevent it from being freed
++ * if the thread function returns before kthread_stop is called.
++ */
++ get_task_struct(task);
+ 
+ task = kthread_run(xenvif_dealloc_kthread, queue,
+ "%s-dealloc", queue->name);
-- 
2.47.3
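Review bot: In xenvif_connect_data the reference is taken only after `queue->task = task;` has been published, while xenvif_disconnect_queue now does put_task_struct on any non-NULL queue->task unconditionally; the pairing is therefore correct only if no teardown can observe queue->task between those two statements, which the hunk does not show. Ordering the two lines as `get_task_struct(task);` then `queue->task = task;` makes every published pointer a counted one without relying on ordering elsewhere. The kthread_err/err path after the second kthread_run is outside the hunk; it needs to reach xenvif_disconnect_queue (or otherwise drop the reference) so the rx task's reference is not leaked when the dealloc thread fails to start, which is worth confirming in the backported tree. Both enclosing functions start and end outside the hunk.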