projects / linux-block.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f932fb9)
xen/netfront: fix crash when removing device
authorJuergen Gross <jgross@suse.com>
Thu, 7 Nov 2024 15:17:00 +0000 (16:17 +0100)
committerJuergen Gross <jgross@suse.com>
Fri, 13 Dec 2024 08:12:24 +0000 (09:12 +0100)
When removing a netfront device directly after a suspend/resume cycle
it might happen that the queues have not been setup again, causing a
crash during the attempt to stop the queues another time.

Fix that by checking the queues are existing before trying to stop
them.

This is XSA-465 / CVE-2024-53240.

Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Fixes: d50b7914fae0 ("xen-netfront: Fix NULL sring after live migration")
Signed-off-by: Juergen Gross <jgross@suse.com>
drivers/net/xen-netfront.c patch | blob | blame | history

diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 4265c1cd0ff716c2825b15f4e546792082958ded..63fe51d0e64db3b0d146340df937714c5a651c1c 100644 (file)
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -867,7 +867,7 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
 static int xennet_close(struct net_device *dev)
 {
        struct netfront_info *np = netdev_priv(dev);
-       unsigned int num_queues = dev->real_num_tx_queues;
+       unsigned int num_queues = np->queues ? dev->real_num_tx_queues : 0;
        unsigned int i;
        struct netfront_queue *queue;
        netif_tx_stop_all_queues(np->netdev);
@@ -882,6 +882,9 @@ static void xennet_destroy_queues(struct netfront_info *info)
 {
        unsigned int i;
 
+       if (!info->queues)
+               return;
+
        for (i = 0; i < info->netdev->real_num_tx_queues; i++) {
                struct netfront_queue *queue = &info->queues[i];
 
Linux 6.x block layer and io_uring tree(s)