CVE-2022-48969

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
21/10/2024
Last modified:
25/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

xen-netfront: Fix NULL sring after live migration

A NAPI is set up for each network sring to poll data to the kernel. The sring with the source host is destroyed before live migration and a new sring with the target host is set up after live migration. The NAPI for the old sring is not deleted until the new sring with the target host is set up after migration. With busy_poll/busy_read enabled, the NAPI can be polled before it gets deleted when the VM resumes.

BUG: unable to handle kernel NULL pointer dereference at
0000000000000008
IP: xennet_poll+0xae/0xd20
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
Call Trace:
finish_task_switch+0x71/0x230
timerqueue_del+0x1d/0x40
hrtimer_try_to_cancel+0xb5/0x110
xennet_alloc_rx_buffers+0x2a0/0x2a0
napi_busy_loop+0xdb/0x270
sock_poll+0x87/0x90
do_sys_poll+0x26f/0x580
tracing_map_insert+0x1d4/0x2f0
event_hist_trigger+0x14a/0x260

finish_task_switch+0x71/0x230
__schedule+0x256/0x890
recalc_sigpending+0x1b/0x50
xen_sched_clock+0x15/0x20
__rb_reserve_next+0x12d/0x140
ring_buffer_lock_reserve+0x123/0x3d0
event_triggers_call+0x87/0xb0
trace_event_buffer_commit+0x1c4/0x210
xen_clocksource_get_cycles+0x15/0x20
ktime_get_ts64+0x51/0xf0
SyS_ppoll+0x160/0x1a0
SyS_ppoll+0x160/0x1a0
do_syscall_64+0x73/0x130
entry_SYSCALL_64_after_hwframe+0x41/0xa6
...
RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900
CR2: 0000000000000008
---[ end trace f8601785b354351c ]---

The xen frontend should remove the NAPIs for the old srings before live migration, as the bound srings are destroyed.

There is a tiny window between the srings being set to NULL and the NAPIs being disabled. It is safe, as the NAPI threads are still frozen at that time.

Vulnerable products and versions

CPE                                               From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      2.6.24 (including)   4.19.269 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.20 (including)     5.4.227 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.5 (including)      5.10.159 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.11 (including)     5.15.83 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)     6.0.13 (excluding)
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:*
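A small checker for the ranges in the table above, added here as an example and not part of the advisory: it parses a kernel version string (including the 6.1 release candidates listed individually) and reports whether it falls inside a listed affected range. It assumes the upstream numeric version is meaningful on its own and ignores distribution suffixes, which is noted in the code.

```python
import platform
import re

# Affected ranges copied from the CPE table above, as [from, up_to).
AFFECTED_RANGES = [
    ("2.6.24", "4.19.269"),
    ("4.20", "5.4.227"),
    ("5.5", "5.10.159"),
    ("5.11", "5.15.83"),
    ("5.16", "6.0.13"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_version(ver):
    """Map '5.10.158-1-amd64' or '6.1-rc3' to a comparable tuple.

    Layout is (major, minor, patch, is_final, rc) so that 6.1-rc3 sorts
    before the 6.1 release. Anything after the numeric part (a distro
    suffix) is ignored; that is an assumption: distribution kernels
    backport fixes without bumping the upstream version, so a hit means
    'check the vendor advisory', not proof of exposure.
    """
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unrecognised kernel version: {ver!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch or 0), 1, 0)
    return (int(major), int(minor), int(patch or 0), 0, int(rc))


# The 6.1 release candidates are listed individually on the page.
AFFECTED_RCS = {parse_version(f"6.1-rc{n}") for n in range(1, 9)}


def is_affected(ver):
    """True when ver lies in a listed range or is a listed 6.1 rc."""
    v = parse_version(ver)
    if v in AFFECTED_RCS:
        return True
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    running = platform.release()  # e.g. '5.15.0-91-generic'
    verdict = "affected" if is_affected(running) else "not listed"
    print(f"kernel {running}: {verdict} by CVE-2022-48969")
```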