[SRU][M 0/4, J 0/1] CVE-2024-26809
Bethany Jamison
bethany.jamison at canonical.com
Fri Apr 12 18:49:55 UTC 2024
[Impact]
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: release elements in clone only from destroy path
Clone already always provides a current view of the lookup table, use it
to destroy the set, otherwise it is possible to destroy elements twice.
This fix requires:
212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit
protocol")
which came after:
9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from
abort path").
[Fix]
Mantic: Fix and prereq commits cherry-picked cleanly. Commit 212ed75dc5fb
was already in stable.
Jammy: Clean cherry-pick. Commit 212ed75dc5fb was already in stable.
Focal: not-affected
Bionic: not-affected
Xenial: not-affected
Trusty: not-affected
[Test Case]
Compile and boot tested.
[Where problems could occur]
This fix affects those who use netfilter, specifically pipapo (pile
packet policies). An issue with this fix would be visible via a
memory leak or a system crash.
Florian Westphal (3):
  netfilter: nft_set_pipapo: store index in scratch maps
  netfilter: nft_set_pipapo: add helper to release pcpu scratch area
  netfilter: nft_set_pipapo: remove scratch_aligned pointer

Pablo Neira Ayuso (1):
  netfilter: nft_set_pipapo: release elements in clone only from destroy
    path
net/netfilter/nft_set_pipapo.c | 113 ++++++++++++++--------------
net/netfilter/nft_set_pipapo.h | 18 +++--
net/netfilter/nft_set_pipapo_avx2.c | 17 ++---
3 files changed, 76 insertions(+), 72 deletions(-)
--
2.34.1