From 3111384fa7b8af2a6df2b12ebbc550da9a8411a7 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Sep 07 2021 14:28:57 +0000
Subject: import kpatch-patch-3_10_0-1160_41_1-1-1.el7


---

diff --git a/.gitignore b/.gitignore
index e69de29..70f1008 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/kernel-3.10.0-1160.41.1.el7.src.rpm
+SOURCES/v0.9.2.tar.gz
diff --git a/.kpatch-patch-3_10_0-1160_41_1.metadata b/.kpatch-patch-3_10_0-1160_41_1.metadata
index e69de29..04ad05b 100644
--- a/.kpatch-patch-3_10_0-1160_41_1.metadata
+++ b/.kpatch-patch-3_10_0-1160_41_1.metadata
@@ -0,0 +1,2 @@
+edb473dbf54ab00079218194e6da90e77349fc23 SOURCES/kernel-3.10.0-1160.41.1.el7.src.rpm
+c0878679129add77d6fff57093640892ad941155 SOURCES/v0.9.2.tar.gz
diff --git a/SOURCES/CVE-2021-3715.patch b/SOURCES/CVE-2021-3715.patch
new file mode 100644
index 0000000..2c5f2c8
--- /dev/null
+++ b/SOURCES/CVE-2021-3715.patch
@@ -0,0 +1,89 @@
+From: Artem Savkov <asavkov@redhat.com>
+Subject: [RHEL-7.9 CVE-2021-3715 KPATCH] net_sched: cls_route: remove the right filter from hashtable
+Date: Mon, 30 Aug 2021 17:33:51 +0200
+
+Kernels:
+3.10.0-1160.el7
+3.10.0-1160.2.1.el7
+3.10.0-1160.2.2.el7
+3.10.0-1160.6.1.el7
+3.10.0-1160.11.1.el7
+3.10.0-1160.15.2.el7
+3.10.0-1160.21.1.el7
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+3.10.0-1160.36.2.el7
+3.10.0-1160.41.1.el7
+
+Changes since last build:
+arches: x86_64 ppc64le
+cls_route.o: changed function: route4_change
+---------------------------
+
+Kernels:
+3.10.0-1160.41.1.el7
+
+Modifications: none
+Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/251
+
+commit f4e1814eb56167451ddd819fccb951178f97660b
+Author: Ivan Vecera <ivecera@redhat.com>
+Date:   Tue Aug 17 12:21:33 2021 +0200
+
+    net_sched: cls_route: remove the right filter from hashtable
+
+    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1992926
+
+    commit ef299cc3fa1a9e1288665a9fdc8bff55629fd359
+    Author: Cong Wang <xiyou.wangcong@gmail.com>
+    Date:   Fri Mar 13 22:29:54 2020 -0700
+
+        net_sched: cls_route: remove the right filter from hashtable
+
+        route4_change() allocates a new filter and copies values from
+        the old one. After the new filter is inserted into the hash
+        table, the old filter should be removed and freed, as the final
+        step of the update.
+
+        However, the current code mistakenly removes the new one. This
+        looks apparently wrong to me, and it causes double "free" and
+        use-after-free too, as reported by syzbot.
+
+        Reported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com
+        Reported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com
+        Reported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com
+        Fixes: 1109c00547fc ("net: sched: RCU cls_route")
+        Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+        Cc: Jiri Pirko <jiri@resnulli.us>
+        Cc: John Fastabend <john.fastabend@gmail.com>
+        Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+        Signed-off-by: David S. Miller <davem@davemloft.net>
+
+    Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
+---
+ net/sched/cls_route.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
+index 7bd464e8d084..2fed29fa504e 100644
+--- a/net/sched/cls_route.c
++++ b/net/sched/cls_route.c
+@@ -534,8 +534,8 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
+ 			fp = &b->ht[h];
+ 			for (pfp = rtnl_dereference(*fp); pfp;
+ 			     fp = &pfp->next, pfp = rtnl_dereference(*fp)) {
+-				if (pfp == f) {
+-					*fp = f->next;
++				if (pfp == fold) {
++					rcu_assign_pointer(*fp, fold->next);
+ 					break;
+ 				}
+ 			}
+-- 
+2.31.1
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index 388caf3..40ce19f 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -1,17 +1,18 @@
 # Set to 1 if building an empty subscription-only package.
-%define empty_package		1
+%define empty_package		0
 
 #######################################################
 # Only need to update these variables and the changelog
 %define kernel_ver	3.10.0-1160.41.1.el7
 %define kpatch_ver	0.9.2
-%define rpm_ver		0
-%define rpm_rel		0
+%define rpm_ver		1
+%define rpm_rel		1
 
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
-Source100:		XXX.patch
-#Source101:		YYY.patch
+#
+# https://bugzilla.redhat.com/1997195
+Source100: CVE-2021-3715.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
 
@@ -144,5 +145,8 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 
 %changelog
+* Wed Sep 01 2021 Joe Lawrence <joe.lawrence@redhat.com> [1-1.el7]
+- kernel: use-after-free in route4_change() in net/sched/cls_route.c [1997195] {CVE-2021-3715}
+
 * Mon Aug 16 2021 Joel Savitz <jsavitz@redhat.com> [0-0.el7]
 - An empty patch to subscribe to kpatch stream for kernel-3.10.0-1160.41.1.el7 [1994152]