From 74ad9ec5c5d6d85cadf198638cb03eeecebc5e98 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Sep 07 2021 14:28:05 +0000
Subject: import kpatch-patch-3_10_0-1160_15_2-1-8.el7


---

diff --git a/SOURCES/CVE-2021-3715.patch b/SOURCES/CVE-2021-3715.patch
new file mode 100644
index 0000000..da30361
--- /dev/null
+++ b/SOURCES/CVE-2021-3715.patch
@@ -0,0 +1,99 @@
+From: Artem Savkov <asavkov@redhat.com>
+Subject: [RHEL-7.9 CVE-2021-3715 KPATCH] net_sched: cls_route: remove the right filter from hashtable
+Date: Mon, 30 Aug 2021 17:33:51 +0200
+
+Kernels:
+3.10.0-1160.el7
+3.10.0-1160.2.1.el7
+3.10.0-1160.2.2.el7
+3.10.0-1160.6.1.el7
+3.10.0-1160.11.1.el7
+3.10.0-1160.15.2.el7
+3.10.0-1160.21.1.el7
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+3.10.0-1160.36.2.el7
+3.10.0-1160.41.1.el7
+
+Changes since last build:
+arches: x86_64 ppc64le
+cls_route.o: changed function: route4_change
+---------------------------
+
+Kernels:
+3.10.0-1160.el7
+3.10.0-1160.2.1.el7
+3.10.0-1160.2.2.el7
+3.10.0-1160.6.1.el7
+3.10.0-1160.11.1.el7
+3.10.0-1160.15.2.el7
+3.10.0-1160.21.1.el7
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+3.10.0-1160.36.2.el7
+
+Modifications: none
+Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/251
+
+commit f4e1814eb56167451ddd819fccb951178f97660b
+Author: Ivan Vecera <ivecera@redhat.com>
+Date:   Tue Aug 17 12:21:33 2021 +0200
+
+    net_sched: cls_route: remove the right filter from hashtable
+
+    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1992926
+
+    commit ef299cc3fa1a9e1288665a9fdc8bff55629fd359
+    Author: Cong Wang <xiyou.wangcong@gmail.com>
+    Date:   Fri Mar 13 22:29:54 2020 -0700
+
+        net_sched: cls_route: remove the right filter from hashtable
+
+        route4_change() allocates a new filter and copies values from
+        the old one. After the new filter is inserted into the hash
+        table, the old filter should be removed and freed, as the final
+        step of the update.
+
+        However, the current code mistakenly removes the new one. This
+        looks apparently wrong to me, and it causes double "free" and
+        use-after-free too, as reported by syzbot.
+
+        Reported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com
+        Reported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com
+        Reported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com
+        Fixes: 1109c00547fc ("net: sched: RCU cls_route")
+        Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+        Cc: Jiri Pirko <jiri@resnulli.us>
+        Cc: John Fastabend <john.fastabend@gmail.com>
+        Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+        Signed-off-by: David S. Miller <davem@davemloft.net>
+
+    Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
+---
+ net/sched/cls_route.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
+index 7bd464e8d084..2fed29fa504e 100644
+--- a/net/sched/cls_route.c
++++ b/net/sched/cls_route.c
+@@ -534,8 +534,8 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
+ 			fp = &b->ht[h];
+ 			for (pfp = rtnl_dereference(*fp); pfp;
+ 			     fp = &pfp->next, pfp = rtnl_dereference(*fp)) {
+-				if (pfp == f) {
+-					*fp = f->next;
++				if (pfp == fold) {
++					rcu_assign_pointer(*fp, fold->next);
+ 					break;
+ 				}
+ 			}
+-- 
+2.31.1
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index 03130aa..b7e6f27 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -6,7 +6,7 @@
 %define kernel_ver	3.10.0-1160.15.2.el7
 %define kpatch_ver	0.9.2
 %define rpm_ver		1
-%define rpm_rel		7
+%define rpm_rel		8
 
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
@@ -35,6 +35,9 @@ Source106: CVE-2021-32399.patch
 #
 # https://bugzilla.redhat.com/1980516
 Source107: CVE-2021-22555.patch
+#
+# https://bugzilla.redhat.com/1997195
+Source108: CVE-2021-3715.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
 
@@ -167,6 +170,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 
 %changelog
+* Tue Aug 31 2021 Joe Lawrence <joe.lawrence@redhat.com> [1-8.el7]
+- kernel: use-after-free in route4_change() in net/sched/cls_route.c [1997195] {CVE-2021-3715}
+
 * Mon Aug 16 2021 Joe Lawrence <joe.lawrence@redhat.com> [1-7.el7]
 - kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c [1980516] {CVE-2021-22555}
 - kpatch: kernel: race condition for removal of the HCI controller [1971474] {CVE-2021-32399}