From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU OEM-6.0] netfilter: nft_set_rbtree: skip elements in transaction from garbage collection
Date: Sat, 16 Sep 2023 03:48:27 +0300
Message-Id: <20230916004839.706452-18-cengiz.can@canonical.com>
In-Reply-To: <20230916004839.706452-1-cengiz.can@canonical.com>

From: Pablo Neira Ayuso

Skip interference with an ongoing transaction, do not perform garbage
collection on inactive elements. Reset annotated previous end interval
if the expired element is marked as busy (control plane removed the
element right before expiration).

Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support")
Reviewed-by: Stefano Brivio
Signed-off-by: Pablo Neira Ayuso
(cherry picked from commit 5d235d6ce75c12a7fdee375eb211e4116f7ab01b)
CVE-2023-4244
[cengizcan: prerequisite commit]
Signed-off-by: Cengiz Can
---
 net/netfilter/nft_set_rbtree.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index a8379fe42d27..39956e5341c9 100644 --- a/net/netfilter/nft_set_rbtree.c +++ b/net/netfilter/nft_set_rbtree.c 
@@ -575,23 +575,37 @@ static void nft_rbtree_gc(struct work_struct *work) struct nft_rbtree *priv; struct rb_node *node; struct nft_set *set; + struct net *net; + u8 genmask; priv = container_of(work, struct nft_rbtree, gc_work.work); set = nft_set_container_of(priv); + net = read_pnet(&set->net); + genmask = nft_genmask_cur(net); write_lock_bh(&priv->lock); write_seqcount_begin(&priv->count); for (node = rb_first(&priv->root); node != NULL; node = rb_next(node)) { rbe = rb_entry(node, struct nft_rbtree_elem, node); + if (!nft_set_elem_active(&rbe->ext, genmask)) + continue; + + /* elements are reversed in the rbtree for historical reasons, + * from highest to lowest value, that is why end element is + * always visited before the start element. + */ if (nft_rbtree_interval_end(rbe)) { rbe_end = rbe; continue; } if (!nft_set_elem_expired(&rbe->ext)) continue; - if (nft_set_elem_mark_busy(&rbe->ext)) + + if (nft_set_elem_mark_busy(&rbe->ext)) { + rbe_end = NULL; continue; + } if (rbe_prev) { rb_erase(&rbe_prev->node, &priv->root);
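
Review bot: the new nft_set_elem_active() check at the top of the loop in nft_rbtree_gc() skips an inactive element without touching rbe_end, while the nft_set_elem_mark_busy() path in the same hunk now clears it with "rbe_end = NULL;". Because the check sits before the nft_rbtree_interval_end() test, an inactive end element never updates rbe_end, so a later expired start element would still see whatever end an earlier iteration recorded, unless code past the visible lines always clears it. Either reset rbe_end on the inactive path as well, or extend the added comment to say why a leftover value cannot be paired with the wrong start element. A smaller point in the same function: genmask is read with nft_genmask_cur(net) before write_lock_bh(&priv->lock) is taken, so it is a snapshot for the whole walk; a one-line comment stating why a generation change during the walk is harmless would help the next reader.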