From: Juergen Gross <jgross@xxxxxxxx>
commit f9244fb55f37356f75c739c57323d9422d7aa0f8 upstream.
When removing a netfront device directly after a suspend/resume cycle
it might happen that the queues have not been setup again, causing a
crash during the attempt to stop the queues another time.
Fix that by checking the queues are existing before trying to stop
them.
This is XSA-465 / CVE-2024-53240.
Reported-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
Fixes: d50b7914fae0 ("xen-netfront: Fix NULL sring after live migration")
Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/xen-netfront.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -867,7 +867,7 @@ static netdev_tx_t xennet_start_xmit(str
static int xennet_close(struct net_device *dev)
{
struct netfront_info *np = netdev_priv(dev);
- unsigned int num_queues = dev->real_num_tx_queues;
+ unsigned int num_queues = np->queues ? dev->real_num_tx_queues : 0;
unsigned int i;
struct netfront_queue *queue;
netif_tx_stop_all_queues(np->netdev);
@@ -882,6 +882,9 @@ static void xennet_destroy_queues(struct
{
unsigned int i;
+ if (!info->queues)
+ return;
+
for (i = 0; i < info->netdev->real_num_tx_queues; i++) {
struct netfront_queue *queue = &info->queues[i];
Patches currently in stable-queue which might be from jgross@xxxxxxxx are
queue-6.12/x86-make-get_cpu_vendor-accessible-from-xen-code.patch
queue-6.12/x86-xen-use-new-hypercall-functions-instead-of-hypercall-page.patch
queue-6.12/x86-static-call-provide-a-way-to-do-very-early-static-call-updates.patch
queue-6.12/objtool-x86-allow-syscall-instruction.patch
queue-6.12/x86-xen-remove-hypercall-page.patch
queue-6.12/xen-netfront-fix-crash-when-removing-device.patch
queue-6.12/x86-xen-don-t-do-pv-iret-hypercall-through-hypercall-page.patch
queue-6.12/x86-xen-add-central-hypercall-functions.patch
