From: Artem Savkov <asavkov@redhat.com>

Subject: [RHEL-7.9 CVE-2021-3715 KPATCH] net_sched: cls_route: remove the right filter from hashtable

Date: Mon, 30 Aug 2021 17:33:51 +0200

Kernels:

3.10.0-1160.el7

3.10.0-1160.2.1.el7

3.10.0-1160.2.2.el7

3.10.0-1160.6.1.el7

3.10.0-1160.11.1.el7

3.10.0-1160.15.2.el7

3.10.0-1160.21.1.el7

3.10.0-1160.24.1.el7

3.10.0-1160.25.1.el7

3.10.0-1160.31.1.el7

3.10.0-1160.36.2.el7

3.10.0-1160.41.1.el7

Changes since last build:

arches: x86_64 ppc64le

cls_route.o: changed function: route4_change

---------------------------

Kernels:

3.10.0-1160.el7

3.10.0-1160.2.1.el7

3.10.0-1160.2.2.el7

3.10.0-1160.6.1.el7

3.10.0-1160.11.1.el7

3.10.0-1160.15.2.el7

3.10.0-1160.21.1.el7

3.10.0-1160.24.1.el7

3.10.0-1160.25.1.el7

3.10.0-1160.31.1.el7

3.10.0-1160.36.2.el7

Modifications: none

Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/251

commit f4e1814eb56167451ddd819fccb951178f97660b

Author: Ivan Vecera <ivecera@redhat.com>

Date:   Tue Aug 17 12:21:33 2021 +0200

    net_sched: cls_route: remove the right filter from hashtable

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1992926

    commit ef299cc3fa1a9e1288665a9fdc8bff55629fd359

    Author: Cong Wang <xiyou.wangcong@gmail.com>

    Date:   Fri Mar 13 22:29:54 2020 -0700

        net_sched: cls_route: remove the right filter from hashtable

        route4_change() allocates a new filter and copies values from

        the old one. After the new filter is inserted into the hash

        table, the old filter should be removed and freed, as the final

        step of the update.

        However, the current code mistakenly removes the new one. This

        looks apparently wrong to me, and it causes double "free" and

        use-after-free too, as reported by syzbot.

        Reported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com

        Reported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com

        Reported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com

        Fixes: 1109c00547fc ("net: sched: RCU cls_route")

        Cc: Jamal Hadi Salim <jhs@mojatatu.com>

        Cc: Jiri Pirko <jiri@resnulli.us>

        Cc: John Fastabend <john.fastabend@gmail.com>

        Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

        Signed-off-by: David S. Miller <davem@davemloft.net>

    Signed-off-by: Ivan Vecera <ivecera@redhat.com>

Signed-off-by: Artem Savkov <asavkov@redhat.com>

Acked-by: Joe Lawrence <joe.lawrence@redhat.com>

---

 net/sched/cls_route.c | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c

index 7bd464e8d084..2fed29fa504e 100644

--- a/net/sched/cls_route.c

+++ b/net/sched/cls_route.c

@@ -534,8 +534,8 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,

 			fp = &b->ht[h];

 			for (pfp = rtnl_dereference(*fp); pfp;

 			     fp = &pfp->next, pfp = rtnl_dereference(*fp)) {

-				if (pfp == f) {

-					*fp = f->next;

+				if (pfp == fold) {

+					rcu_assign_pointer(*fp, fold->next);

 					break;

 				}

 			}

-- 

2.31.1