APPLIED: [SRU][F/J/M][PATCH 0/1] CVE-2024-26643

Roxana Nicolescu roxana.nicolescu at canonical.com
Fri May 24 14:52:47 UTC 2024


On 21/05/2024 02:07, Yuxuan Luo wrote:
> [Impact]
> While the rhashtable set gc runs asynchronously, a race allows it to
> collect elements from anonymous sets with timeouts while it is being
> released from the commit path. Mingi Cho originally reported this issue
> in a different path in 6.1.x with a pipapo set with low timeouts which
> is not possible upstream since 7395dfacfff6 ("netfilter: nf_tables: use
> timestamp to check for set element timeout"). Fix this by setting on the
> dead flag for anonymous sets to skip async gc in this case. According to
> 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on transaction
> abort"), Florian plans to accelerate abort path by releasing objects via
> workqueue, therefore, this sets on the dead flag for abort path too.
>
> [Backport]
> Clean cherry pick.
>
> [Test]
> Smoke test on nftables via adding and removing an anonymous set.
>
> ```bash
> nft add table ip filter
> nft add chain filter output
>
> # add anonymous set
> nft add rule ip filter output tcp dport {telnet, http, https} accept
> nft list table filter
>
> # flush the chain
> nft flush chain ip filter output
> nft list table filter
> ```
>
> [Where things might go wrong]
> Regression should be limited to cases using nftables to remove an
> anonymous set.
>
>
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: mark set as dead when unbinding anonymous set
>      with timeout
>
>   net/netfilter/nf_tables_api.c | 1 +
>   1 file changed, 1 insertion(+)
>
Applied to mantic:linux, jammy:linux, focal:linux master-next branches.
Thanks!
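The [Test] section above lists the smoke test as bare commands. The script below is an added example, not part of the cover letter or of the kernel patch: it wraps the same add/flush sequence in a function that checks the chain listing before and after the flush, so a verification run fails loudly instead of relying on eyeballing `nft list table`. It assumes `nft` is installed, that it runs as root, and that `nft list chain ip filter output` prints the anonymous set inline as `tcp dport { 23, 80, 443 } accept` (this output shape is an assumption, as is the `SMOKE_RUN` guard and the `SAMPLE_LISTING` text, which is constructed for the self-check).

```shell
#!/bin/sh
# Added example: a checked version of the SRU smoke test. Assumes nft is
# present and the script runs as root. The listing-inspection helper is a
# plain text check so it can be exercised on constructed output.

# rule_count LISTING: count rules that reference the anonymous set in the
# output of `nft list chain ip filter output`. Assumption: nft prints the
# set inline, e.g. `tcp dport { 23, 80, 443 } accept` (ports shown
# numerically by default). `|| true` keeps a zero count from failing
# under `set -e`.
rule_count() {
    printf '%s\n' "$1" | grep -c 'tcp dport {.*} accept' || true
}

# Constructed sample of what the chain listing is assumed to look like
# once the anonymous set has been installed (not captured from a system).
SAMPLE_LISTING='table ip filter {
	chain output {
		tcp dport { 23, 80, 443 } accept
	}
}'

# Constructed sample of the listing after `nft flush chain`.
EMPTY_LISTING='table ip filter {
	chain output {
	}
}'

# self_check: exercise rule_count on the constructed listings without nft.
# Returns 0 when the helper recognises the rule and its absence.
self_check() {
    [ "$(rule_count "$SAMPLE_LISTING")" -eq 1 ] || return 1
    [ "$(rule_count "$EMPTY_LISTING")" -eq 0 ] || return 1
    return 0
}

# smoke_test: the cover letter's sequence with explicit checks. Adds the
# anonymous set, confirms the rule is listed, flushes the chain (which
# unbinds and releases the anonymous set, the path the fix touches), and
# confirms the rule is gone. Returns 0 on success, 1 on any mismatch.
smoke_test() {
    nft add table ip filter || return 1
    nft add chain ip filter output || return 1
    nft add rule ip filter output tcp dport '{ telnet, http, https }' accept || return 1

    before=$(nft list chain ip filter output)
    if [ "$(rule_count "$before")" -ne 1 ]; then
        echo "anonymous set rule not installed" >&2
        return 1
    fi

    nft flush chain ip filter output || return 1

    after=$(nft list chain ip filter output)
    if [ "$(rule_count "$after")" -ne 0 ]; then
        echo "rule survived chain flush" >&2
        return 1
    fi

    # Tidy up so repeated runs start from a clean table.
    nft delete table ip filter || return 1
    echo "smoke test passed"
    return 0
}

# Only touch the live ruleset when explicitly asked (SMOKE_RUN=1 ./smoke.sh).
if [ "${SMOKE_RUN:-0}" = 1 ]; then
    smoke_test
fi
```

Run it with `SMOKE_RUN=1 sh smoke.sh` as root on the patched kernel; a non-zero exit means either the rule never appeared or the flush did not remove it. Repeating the add/flush loop a number of times is the cheap way to give the asynchronous set gc a chance to run while the anonymous set is being released, which is the window the fix closes.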
