From patchwork Sat Sep 16 00:48:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Cengiz Can X-Patchwork-Id: 1835326 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4RnXcG6Vngz1yhP for ; Sat, 16 Sep 2023 10:53:34 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1qhJYr-0001J2-Hv; Sat, 16 Sep 2023 00:53:26 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1qhJWb-0007ry-6o for kernel-team@lists.ubuntu.com; Sat, 16 Sep 2023 00:51:06 +0000 Received: from mail-pf1-f199.google.com (mail-pf1-f199.google.com [209.85.210.199]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id E2F963F665 for ; Sat, 16 Sep 2023 00:51:04 +0000 (UTC) Received: by mail-pf1-f199.google.com with SMTP id d2e1a72fcca58-690490bf54bso1170472b3a.0 for ; Fri, 15 Sep 2023 17:51:04 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1694825463; x=1695430263; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=0sg5NWtvgg+qWTKawY4hyewcn3jBQXhyCQludp1hwfE=; b=T/dqYtXVxV8qrfRIDG87jFpmlS1eRA9AaC+HEphl/SEoy/fpSgBJKNgTqxH3DAQcG5 tF/q5A+oCf3x+3I9kXVfe+zyR9MJnclGB2ic58BCFcdrW1gRT0oMeYk3SN0NkpHCKrbh OhDL/2xmcJPrAIc6TFETAPeJLoV3b+zAxSBd9uMDfWhKN/pJ/CWuDgqMCt/mOdeCPtJr emQBjprLkMzK7A1WrXRD/lYzj/rhe2VkFuOCb6SCMNiCFdivxVUEIjgXwkE/AiS9WFvQ LewOM1CBxq//Izni5ep3UkDXItjpWIsxzrEQSr6fQJLPgxdTW9+pLls4E7jpxj95G3Ko gkjw== X-Gm-Message-State: AOJu0YzN8w304QO8XqdXaQ/wPhkR/9c8vehu/8xObCo2lXblV4ffURNL sWF8WXlMUrOymjIjgTV4ZH14q4zEHAM01QR18rzE9Hc93R8p2HjeQqnrALnuRhIh9YtI7fTG0Rc V2bmIv0V6ZocoXIWUCGl7V0Pdy/6Qo8THgxjdw+ydUXUyCMf6+Amu X-Received: by 2002:a05:6a21:998a:b0:14e:509:1d7b with SMTP id ve10-20020a056a21998a00b0014e05091d7bmr3805382pzb.8.1694825463230; Fri, 15 Sep 2023 17:51:03 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGWmLcRZqNAq49jc7xyFFJRNcMtgX7JLUBUA0N5uc3P8r/upCDoTh/DWlj7C7/rHXUsF886Zg== X-Received: by 2002:a05:6a21:998a:b0:14e:509:1d7b with SMTP id ve10-20020a056a21998a00b0014e05091d7bmr3805375pzb.8.1694825462939; Fri, 15 Sep 2023 17:51:02 -0700 (PDT) Received: from localhost (uk.sesame.canonical.com. [185.125.190.60]) by smtp.gmail.com with ESMTPSA id r1-20020a17090a438100b0027480345180sm3180303pjg.2.2023.09.15.17.51.01 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 Sep 2023 17:51:02 -0700 (PDT) From: Cengiz Can To: kernel-team@lists.ubuntu.com Subject: [SRU Jammy, OEM-6.0, OEM-6.1, Lunar] netfilter: nft_set_hash: mark set element as dead when deleting from packet path Date: Sat, 16 Sep 2023 03:48:30 +0300 Message-Id: <20230916004839.706452-21-cengiz.can@canonical.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230916004839.706452-1-cengiz.can@canonical.com> References: <20230916004839.706452-1-cengiz.can@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Pablo Neira Ayuso Set on the NFT_SET_ELEM_DEAD_BIT flag on this element, instead of performing element removal which might race with an ongoing transaction. Enable gc when dynamic flag is set on since dynset deletion requires garbage collection after this patch. Fixes: d0a8d877da97 ("netfilter: nft_dynset: support for element deletion") Signed-off-by: Pablo Neira Ayuso (cherry picked from commit c92db3030492b8ad1d0faace7a93bbcf53850d0c) CVE-2023-4244 Signed-off-by: Cengiz Can --- net/netfilter/nft_set_hash.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index 2f067e4596b0..cef5df846000 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c @@ -249,7 +249,9 @@ static bool nft_rhash_delete(const struct nft_set *set, if (he == NULL) return false; - return rhashtable_remove_fast(&priv->ht, &he->node, nft_rhash_params) == 0; + nft_set_elem_dead(&he->ext); + + return true; } static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set, @@ -412,7 +414,7 @@ static int nft_rhash_init(const struct nft_set *set, return err; INIT_DEFERRABLE_WORK(&priv->gc_work, nft_rhash_gc); - if (set->flags & NFT_SET_TIMEOUT) + if (set->flags & (NFT_SET_TIMEOUT | NFT_SET_EVAL)) nft_rhash_gc_init(set); return 0;