[SRU][M/F][PATCH v2] CVE-2024-26925
Bethany Jamison
bethany.jamison at canonical.com
Wed May 29 14:56:55 UTC 2024
[Impact]
netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
The commit mutex should not be released during the critical section
between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
worker could collect expired objects and get the released commit lock
within the same GC sequence.
nf_tables_module_autoload() temporarily releases the mutex to load
module dependencies, then it goes back to replay the transaction again.
Move it at the end of the abort phase after nft_gc_seq_end() is called.
[Fix]
Noble: fixed via stable
Mantic: Clean cherry-pick from fix and prereq commit
Jammy: fixed via stable
Focal: Clean cherry-pick from fix commit with backported prereq commits,
  commit a45e688 backported - context conflict due to extra
    whitespace in Focal, accepted incoming fix as is,
  commit 03c1f1e backported - context conflict with neighboring
    line outside of the modified if-statement, shouldn't affect the
    fix, applied fix changes as is
Bionic: not-affected
Xenial: not-affected
Trusty: not-affected
[Test Case]
Compile and boot tested.
[Where problems could occur]
This fix affects those who use the Netfilter framework. An issue with
this fix would be visible to the user via decreased system performance
or a system freeze.
v2: In my original submission the cover-letter subject line mentioned
Mantic/Jammy instead of Mantic/Focal which are the releases getting
patches in this patchset. This has been corrected in this submission.
Pablo Neira Ayuso (2):
  netfilter: nf_tables: release batch on table validation from abort
    path
  netfilter: nf_tables: release mutex after nft_gc_seq_end from abort
    path

 net/netfilter/nf_tables_api.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)
--
2.34.1