From: Jan Beulich Subject: xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses() The commit referenced below moved the invocation past the "next" label, without any explanation. In fact this allows misbehaving backends undue control over the domain the frontend runs in, as earlier detected errors require the skb to not be freed (it may be retained for later processing via xennet_move_rx_slot(), or it may simply be unsafe to have it freed). This is CVE-2022-33743 / XSA-405. Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront") Signed-off-by: Jan Beulich Reviewed-by: Juergen Gross --- The change in question as well as the respective netif.h change went in without any Xen person's ack or R-b; only the corresponding backend change has Paul's R-b. This in particular means that the interface addition is still unofficial (and at risk of colliding with someone else's), for not having been committed to the canonical copy of the header in xen.git. --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -1053,8 +1053,10 @@ static int xennet_get_responses(struct n } } rcu_read_unlock(); -next: + __skb_queue_tail(list, skb); + +next: if (!(rx->flags & XEN_NETRXF_more_data)) break;