From patchwork Sat Sep 16 00:48:38 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1835335
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU Jammy, OEM-6.0, OEM-6.1, Lunar] netfilter: nf_tables: defer gc run if previous batch is still pending
Date: Sat, 16 Sep 2023 03:48:38 +0300
Message-Id: <20230916004839.706452-29-cengiz.can@canonical.com>
In-Reply-To: <20230916004839.706452-1-cengiz.can@canonical.com>
References: <20230916004839.706452-1-cengiz.can@canonical.com>

From: Florian Westphal

Don't queue more gc work, else we may queue the same elements multiple
times.

If an element is flagged as dead, this can mean that either the previous
gc request was invalidated/discarded by a transaction or that the previous
request is still pending in the system work queue.

The latter will happen if the gc interval is set to a very low value,
e.g. 1ms, and system work queue is backlogged.

The set's refcount is 1 if no previous gc requests are queued, so add
a helper for this and skip gc run if old requests are pending.

Add a helper for this and skip the gc run in this case.

Fixes: f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API")
Signed-off-by: Florian Westphal
Reviewed-by: Pablo Neira Ayuso
(cherry picked from commit 8e51830e29e12670b4c10df070a4ea4c9593e961)
CVE-2023-4244
[cengizcan: fixes the fix commit]
Signed-off-by: Cengiz Can
---
 include/net/netfilter/nf_tables.h | 5 +++++
 net/netfilter/nft_set_hash.c      | 3 +++
 net/netfilter/nft_set_rbtree.c    | 3 +++
 3 files changed, 11 insertions(+)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 169e9859c324..56dde45755fd 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h 
@@ -582,6 +582,11 @@ static inline void *nft_set_priv(const struct nft_set *set) return (void *)set->data; } +static inline bool nft_set_gc_is_pending(const struct nft_set *s) +{ + return refcount_read(&s->refs) != 1; +} + static inline struct nft_set *nft_set_container_of(const void *priv) { return (void *)priv - offsetof(struct nft_set, data); diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index cef5df846000..524763659f25 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c @@ -326,6 +326,9 @@ static void nft_rhash_gc(struct work_struct *work) nft_net = nft_pernet(net); gc_seq = READ_ONCE(nft_net->gc_seq); + if (nft_set_gc_is_pending(set)) + goto done; + gc = nft_trans_gc_alloc(set, gc_seq, GFP_KERNEL); if (!gc) goto done; diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index f9d4c8fcbbf8..c6435e709231 100644 --- a/net/netfilter/nft_set_rbtree.c +++ b/net/netfilter/nft_set_rbtree.c @@ -611,6 +611,9 @@ static void nft_rbtree_gc(struct work_struct *work) nft_net = nft_pernet(net); gc_seq = READ_ONCE(nft_net->gc_seq); + if (nft_set_gc_is_pending(set)) + goto done; + gc = nft_trans_gc_alloc(set, gc_seq, GFP_KERNEL); if (!gc) goto done;
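
Review bot: nft_set_gc_is_pending() in include/net/netfilter/nf_tables.h needs a comment stating the invariant it relies on. The commit message says the set's refcount is 1 when no gc request is queued, but nothing at `return refcount_read(&s->refs) != 1;` records that. If any other path ever holds an extra reference on the set's refs, the helper reports a pending gc and both callers skip their run for as long as that reference lives. A short comment naming who takes the extra references would make the assumption reviewable. Minor: the neighbouring nft_set_priv() names its parameter `set`; using `set` here as well would keep the header consistent.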
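
Review bot: in nft_rhash_gc() (net/netfilter/nft_set_hash.c) the new check sits after `nft_net = nft_pernet(net);` and `gc_seq = READ_ONCE(nft_net->gc_seq);`, neither of which is used when the run is skipped. Placing `if (nft_set_gc_is_pending(set)) goto done;` ahead of them would make the skip path read as an early exit. The body of `done` is outside this hunk, so please confirm that it re-arms the gc work: the subject promises a deferred run, and a skip that does not requeue would stop expiry for the set.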
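
Review bot: the `goto done` added in nft_rbtree_gc() (net/netfilter/nft_set_rbtree.c) shares its label with the `if (!gc) goto done;` allocation-failure path directly below, so a reader cannot tell a deferred run from a failed one. A one-line comment above the check, for example `/* previous gc batch still pending, defer this run */`, would carry the reasoning from the commit message into the code. The same three lines are added verbatim to nft_rhash_gc(); keeping the comment identical in both places helps if another set backend needs the check later.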