APPLIED: [SRU][M 0/4, J 0/1] CVE-2024-26809

Roxana Nicolescu roxana.nicolescu at canonical.com
Thu Apr 25 17:57:42 UTC 2024


On 12/04/2024 20:49, Bethany Jamison wrote:
> [Impact]
>
>   In the Linux kernel, the following vulnerability has been resolved:
>
>   netfilter: nft_set_pipapo: release elements in clone only from destroy path
>
>   Clone already always provides a current view of the lookup table, use it
>   to destroy the set, otherwise it is possible to destroy elements twice.
>
>   This fix requires:
>
>    212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit
>   protocol")
>
>   which came after:
>
>    9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from
>   abort path").
>
> [Fix]
>
> Mantic:	Fix and prereq commits cherry-picked cleanly. Commit 212ed75dc5fb
> 	was already in stable.
> Jammy:	Clean cherry-pick. Commit 212ed75dc5fb was already in stable.
> Focal:	not-affected
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use netfilter, specifically pipapo (pile
> packet policies), an issue with this fix would be visible via a
> memory leak or a system crash.
>
> Florian Westphal (3):
>    netfilter: nft_set_pipapo: store index in scratch maps
>    netfilter: nft_set_pipapo: add helper to release pcpu scratch area
>    netfilter: nft_set_pipapo: remove scratch_aligned pointer
>
> Pablo Neira Ayuso (1):
>    netfilter: nft_set_pipapo: release elements in clone only from destroy
>      path
>
>   net/netfilter/nft_set_pipapo.c      | 113 ++++++++++++++--------------
>   net/netfilter/nft_set_pipapo.h      |  18 +++--
>   net/netfilter/nft_set_pipapo_avx2.c |  17 ++---
>   3 files changed, 76 insertions(+), 72 deletions(-)
>
Applied to mantic, jammy master-next branches. Thanks!
For mantic, the first 3 patches were already applied.


