CVE-2022-48969

Source
https://cve.org/CVERecord?id=CVE-2022-48969
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48969.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48969
Published
2024-10-21T20:05:51.051Z
Modified
2026-03-12T03:24:22.543850Z
Summary
xen-netfront: Fix NULL sring after live migration
Details

In the Linux kernel, the following vulnerability has been resolved:

xen-netfront: Fix NULL sring after live migration

A NAPI is set up for each network sring to poll data to the kernel. The sring with the source host is destroyed before live migration, and a new sring with the target host is set up after live migration. The NAPI for the old sring is not deleted until the new sring with the target host is set up after migration. With busypoll/busyread enabled, the NAPI can be polled before it is deleted when the VM resumes.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: xennet_poll+0xae/0xd20
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
Call Trace:
 finish_task_switch+0x71/0x230
 timerqueue_del+0x1d/0x40
 hrtimer_try_to_cancel+0xb5/0x110
 xennet_alloc_rx_buffers+0x2a0/0x2a0
 napi_busy_loop+0xdb/0x270
 sock_poll+0x87/0x90
 do_sys_poll+0x26f/0x580
 tracing_map_insert+0x1d4/0x2f0
 event_hist_trigger+0x14a/0x260

 finish_task_switch+0x71/0x230
 __schedule+0x256/0x890
 recalc_sigpending+0x1b/0x50
 xen_sched_clock+0x15/0x20
 __rb_reserve_next+0x12d/0x140
 ring_buffer_lock_reserve+0x123/0x3d0
 event_triggers_call+0x87/0xb0
 trace_event_buffer_commit+0x1c4/0x210
 xen_clocksource_get_cycles+0x15/0x20
 ktime_get_ts64+0x51/0xf0
 SyS_ppoll+0x160/0x1a0
 SyS_ppoll+0x160/0x1a0
 do_syscall_64+0x73/0x130
 entry_SYSCALL_64_after_hwframe+0x41/0xa6
 ...
RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900
CR2: 0000000000000008
---[ end trace f8601785b354351c ]---

The xen frontend should remove the NAPIs for the old srings before live migration, as the bound srings are destroyed.

There is a tiny window between the srings being set to NULL and the NAPIs being disabled. It is safe, as the NAPI threads are still frozen at that time.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48969.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4ec2411980d0fd2995e8dea8a06fe57aa47523cb
Fixed
99859947517e446058ad7243ee81d2f9801fa3dd
Fixed
ed773dd798bf720756d20021b8d8a4a3d7184bda
Fixed
e6860c889f4ad50b6ab696f5ea154295d72cf27a
Fixed
e6e897d4fe2f89c0bd94600a40bedf5e6e75e050
Fixed
f2dd60fd3fe98bd36a91b0c6e10bfe9d66258f84
Fixed
d50b7914fae04d840ce36491d22133070b18cca9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48969.json"