Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

net/xen-netback: prevent UAF in xenvif_flush_hash()

During the list_for_each_entry_rcu iteration call of xenvif_flush_hash,
kfree_rcu does not exist inside the rcu read critical section, so if
kfree_rcu is called when the rcu grace period ends during the iteration,
UAF occurs when accessing head->next after the entry becomes free.

Therefore, to solve this, you need to change it to list_for_each_entry_safe.

Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Authored by Jeongjun Park, committed by Jakub Kicinski (0fa5e94a e5899b60)

+2 -3
drivers/net/xen-netback/hash.c
··· 95 95 96 96 static void xenvif_flush_hash(struct xenvif *vif) 97 97 { 98 - struct xenvif_hash_cache_entry *entry; 98 + struct xenvif_hash_cache_entry *entry, *n; 99 99 unsigned long flags; 100 100 101 101 if (xenvif_hash_cache_size == 0) ··· 103 103 104 104 spin_lock_irqsave(&vif->hash.cache.lock, flags); 105 105 106 - list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, 107 - lockdep_is_held(&vif->hash.cache.lock)) { 106 + list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) { 108 107 list_del_rcu(&entry->link); 109 108 vif->hash.cache.count--; 110 109 kfree_rcu(entry, rcu);
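Review bot: in the second hunk (the loop at 106-110) the `lockdep_is_held(&vif->hash.cache.lock)` annotation is dropped along with the `_rcu` iterator, so lockdep no longer checks that this writer-side traversal really runs under `vif->hash.cache.lock`; consider adding `lockdep_assert_held(&vif->hash.cache.lock);` before the loop to keep that requirement verifiable. The switch itself is the right shape: this loop takes the lock at 104, deletes with `list_del_rcu` and frees with `kfree_rcu`, which is the standard writer-side pattern for `list_for_each_entry_safe` with the `n` cursor added in the first hunk. The commit message would be stronger if it stated how the grace period can end while the loop holds a `spin_lock_irqsave` lock, since that is the step on which the UAF claim rests.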