diff mbox series

[SRU,Jammy,OEM-6.0,OEM-6.1,Lunar] netfilter: nf_tables: GC transaction race with netns dismantle

Message ID 20230916004839.706452-26-cengiz.can@canonical.com
State New
Headers show
Series [SRU,Jammy,OEM-6.0,OEM-6.1,Lunar] netfilter: nf_tables: GC transaction race with netns dismantle | expand

Commit Message

Cengiz Can Sept. 16, 2023, 12:48 a.m. UTC 
From: Pablo Neira Ayuso <pablo@netfilter.org>

Use maybe_get_net() since GC workqueue might race with netns exit path.

Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 02c6c24402bf1c1e986899c14ba22a10b510916b)
CVE-2023-4244
[cengizcan: fixes the fix commit]
Signed-off-by: Cengiz Can <cengiz.can@canonical.com>
---
 net/netfilter/nf_tables_api.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0d50c7784ee9..13912f504776 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9088,9 +9088,14 @@  struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
 	if (!trans)
 		return NULL;
 
+	trans->net = maybe_get_net(net);
+	if (!trans->net) {
+		kfree(trans);
+		return NULL;
+	}
+
 	refcount_inc(&set->refs);
 	trans->set = set;
-	trans->net = get_net(net);
 	trans->seq = gc_seq;
 
 	return trans;