From patchwork Wed May 29 14:56:56 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bethany Jamison <bethany.jamison@canonical.com>
X-Patchwork-Id: 1941312
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=185.125.189.65; helo=lists.ubuntu.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com;
 receiver=patchwork.ozlabs.org)
Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4VqCCh0Pl5z20f3
	for <incoming@patchwork.ozlabs.org>; Thu, 30 May 2024 00:57:19 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com)
	by lists.ubuntu.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1sCKjn-0001YI-CX; Wed, 29 May 2024 14:57:11 +0000
Received: from smtp-relay-internal-0.internal ([10.131.114.225]
 helo=smtp-relay-internal-0.canonical.com)
 by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.86_2) (envelope-from <bethany.jamison@canonical.com>)
 id 1sCKjl-0001Wk-F7
 for kernel-team@lists.ubuntu.com; Wed, 29 May 2024 14:57:09 +0000
Received: from mail-oi1-f199.google.com (mail-oi1-f199.google.com
 [209.85.167.199])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id B8C2F3F274
 for <kernel-team@lists.ubuntu.com>; Wed, 29 May 2024 14:57:07 +0000 (UTC)
Received: by mail-oi1-f199.google.com with SMTP id
 5614622812f47-3c9b08d857dso1985970b6e.0
 for <kernel-team@lists.ubuntu.com>; Wed, 29 May 2024 07:57:07 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1716994624; x=1717599424;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=6Zh4LXBuC2gpTWOIztfDhJfn/0+SRF0qLR1CDXxI0hk=;
 b=vwV3AD2GpZkUxacKBmtZRJFCycO9+ROencOdhKqlcGRWTj4EfkEv1C2A60REs5iQcp
 uYFx4L41LKT0K9pd3tu55txQp5rAkD2wVdFl5TSz+dD8Z5h2w+YczHmSBEM3qza3UVid
 vUP25qvRYDFlsEgkUgSMkoutppsQs7AEqZxhHrU/v+LxE4vMEWxVydQolkoPj8OyfjSC
 jrkDIA3rdcbi0Jv+sz+LZCpG3ipTS/onataWviityXRWiQgQ//YCSahARrM9GEZaEKxD
 cownkttsKFc7szg6aJNlSErEGNkZe+pIWjpH00V1GpPzHjmlTUt0a18Mj/rRSXYq2BXm
 S71g==
X-Gm-Message-State: AOJu0YxeImfjSW6oGmcpU0JKJLl+LpF76c2hv3aDr916XI5iX7o7Xc10
 PhCfH7CZdKHmXielzeHz1xkNKDMDtNWYtMjwyVroHdzSPTP2qIhIb9LZ+j7+EhPsWvDsFZX2cF1
 V5mDK8etmUIg5WqnvOqv6gFBsqRWwv3SwGPooQzeJ+JYX+EtaSBybqRGPFkbB7yQ//BcFYa3cLv
 ZoAIW1b3dBDA==
X-Received: by 2002:a54:468d:0:b0:3c9:717b:2fff with SMTP id
 5614622812f47-3d1a5a480f6mr14308470b6e.22.1716994623872;
 Wed, 29 May 2024 07:57:03 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IF7o+r8nwaoXY8SC6wWK7QjP2XDwyWHHbGVkzwGX4AEIqJ0TPHCU5eK11xXukIuluk8oJq+Ew==
X-Received: by 2002:a54:468d:0:b0:3c9:717b:2fff with SMTP id
 5614622812f47-3d1a5a480f6mr14308455b6e.22.1716994623435;
 Wed, 29 May 2024 07:57:03 -0700 (PDT)
Received: from smtp.gmail.com ([2001:67c:1562:8007::aac:48f9])
 by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6ac162f2f35sm54855726d6.77.2024.05.29.07.57.02
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 29 May 2024 07:57:03 -0700 (PDT)
From: Bethany Jamison <bethany.jamison@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M][PATCH v2 1/2] netfilter: nf_tables: release batch on table
 validation from abort path
Date: Wed, 29 May 2024 09:56:56 -0500
Message-Id: <20240529145700.19721-2-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240529145700.19721-1-bethany.jamison@canonical.com>
References: <20240529145700.19721-1-bethany.jamison@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Pablo Neira Ayuso <pablo@netfilter.org>

Unlike early commit path stage which triggers a call to abort, an
explicit release of the batch is required on abort, otherwise mutex is
released and commit_list remains in place.

Add WARN_ON_ONCE to ensure commit_list is empty from the abort path
before releasing the mutex.

After this patch, commit_list is always assumed to be empty before
grabbing the mutex, therefore

  03c1f1ef1584 ("netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()")

only needs to release the pending modules for registration.

Cc: stable@vger.kernel.org
Fixes: c0391b6ab810 ("netfilter: nf_tables: missing validation from the abort path")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit a45e6889575c2067d3c0212b6bc1022891e65b91)
CVE-2024-26925
Signed-off-by: Bethany Jamison <bethany.jamison@canonical.com>
---
 net/netfilter/nf_tables_api.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index e908938ef5228..59e0953c0f5f7 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10284,10 +10284,11 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
 	struct nft_trans *trans, *next;
 	LIST_HEAD(set_update_list);
 	struct nft_trans_elem *te;
+	int err = 0;
 
 	if (action == NFNL_ABORT_VALIDATE &&
 	    nf_tables_validate(net) < 0)
-		return -EAGAIN;
+		err = -EAGAIN;
 
 	list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
 					 list) {
@@ -10478,7 +10479,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
 	else
 		nf_tables_module_autoload_cleanup(net);
 
-	return 0;
+	return err;
 }
 
 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
@@ -10491,6 +10492,9 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb,
 	gc_seq = nft_gc_seq_begin(nft_net);
 	ret = __nf_tables_abort(net, action);
 	nft_gc_seq_end(nft_net, gc_seq);
+
+	WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
+
 	mutex_unlock(&nft_net->commit_mutex);
 
 	return ret;
@@ -11288,9 +11292,10 @@ static void __net_exit nf_tables_exit_net(struct net *net)
 
 	gc_seq = nft_gc_seq_begin(nft_net);
 
-	if (!list_empty(&nft_net->commit_list) ||
-	    !list_empty(&nft_net->module_list))
-		__nf_tables_abort(net, NFNL_ABORT_NONE);
+	WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
+
+	if (!list_empty(&nft_net->module_list))
+		nf_tables_module_autoload_cleanup(net);
 
 	__nft_release_tables(net);
 

From patchwork Wed May 29 14:56:57 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bethany Jamison <bethany.jamison@canonical.com>
X-Patchwork-Id: 1941310
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=185.125.189.65; helo=lists.ubuntu.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com;
 receiver=patchwork.ozlabs.org)
Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4VqCCh01W0z20Pb
	for <incoming@patchwork.ozlabs.org>; Thu, 30 May 2024 00:57:19 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com)
	by lists.ubuntu.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1sCKjk-0001Wp-Qr; Wed, 29 May 2024 14:57:08 +0000
Received: from smtp-relay-internal-1.internal ([10.131.114.114]
 helo=smtp-relay-internal-1.canonical.com)
 by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.86_2) (envelope-from <bethany.jamison@canonical.com>)
 id 1sCKji-0001WL-1o
 for kernel-team@lists.ubuntu.com; Wed, 29 May 2024 14:57:06 +0000
Received: from mail-qv1-f70.google.com (mail-qv1-f70.google.com
 [209.85.219.70])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id E477A3F16B
 for <kernel-team@lists.ubuntu.com>; Wed, 29 May 2024 14:57:05 +0000 (UTC)
Received: by mail-qv1-f70.google.com with SMTP id
 6a1803df08f44-6ad706fab2aso24919226d6.1
 for <kernel-team@lists.ubuntu.com>; Wed, 29 May 2024 07:57:05 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1716994624; x=1717599424;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=mlDjRBID5MXrEySEtlnPczB0rArImYpwde03fxa72PY=;
 b=EhBSCLuHiVOPEKqe7rRVZ/tTl2elkQ9B/WVgTXq2uWGCShk3iCcOQM9y1M5xSrrYf+
 /v6dZ/fBDIBpWLEDwB5ckJoPR8soVnXhtRBon/i8oBMLDXCD03Rwd3dWSiOWnmOqad3n
 QBcNBQOpW+YH2oRIyX7D6B3xEwPeiqBUscC40Y0DjGbhdFMNg5u2pJaoqXSkXQ9yddPB
 Hkl7gpd14DKO4yiyr8RWDhYtjNrkGp+UjbkeCkBV6psMa9mkf3skOp2nW1dyTYX5r4uq
 gohT4RmCZuDDbSQ1uPRgcThsAIzEDakL3i/RW/ITgzIbyTuAvvTrkW4HyaKJzv3ayWhB
 v2ug==
X-Gm-Message-State: AOJu0YzqL+2PKIw13GAGhv6W0fn63FvfZQ9BjC6Fn6MPjU7Jx8ygCYHv
 +IfJXTH+Z5uRhwfMP/qrIZdceer0X+i71LFVWfAp+vSoc3Q6JpGZElhCJolKLzB/H452TeX4CSY
 sX86tX2OTEgyXK78lWxnrwQ9BTWR/Is7YZNpY6bhfSuaVB9C894xiENzTlJnh21Sb8vbchBSws/
 tLkEJvB+0g8A==
X-Received: by 2002:a05:6214:21af:b0:6ad:8af3:6100 with SMTP id
 6a1803df08f44-6ad8af3611fmr96362216d6.51.1716994624631;
 Wed, 29 May 2024 07:57:04 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IFPFkpDtfBgMGTyn2D0dJnxvd4jG9IOCpDNRgISmsATVp4HkwT20dsuOaTeRCBg4amYPcKiyQ==
X-Received: by 2002:a05:6214:21af:b0:6ad:8af3:6100 with SMTP id
 6a1803df08f44-6ad8af3611fmr96361976d6.51.1716994624240;
 Wed, 29 May 2024 07:57:04 -0700 (PDT)
Received: from smtp.gmail.com ([2001:67c:1562:8007::aac:48f9])
 by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6ac162f2f35sm54855726d6.77.2024.05.29.07.57.03
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 29 May 2024 07:57:04 -0700 (PDT)
From: Bethany Jamison <bethany.jamison@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M][PATCH v2 2/2] netfilter: nf_tables: release mutex after
 nft_gc_seq_end from abort path
Date: Wed, 29 May 2024 09:56:57 -0500
Message-Id: <20240529145700.19721-3-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240529145700.19721-1-bethany.jamison@canonical.com>
References: <20240529145700.19721-1-bethany.jamison@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Pablo Neira Ayuso <pablo@netfilter.org>

The commit mutex should not be released during the critical section
between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
worker could collect expired objects and get the released commit lock
within the same GC sequence.

nf_tables_module_autoload() temporarily releases the mutex to load
module dependencies, then it goes back to replay the transaction again.
Move it at the end of the abort phase after nft_gc_seq_end() is called.

Cc: stable@vger.kernel.org
Fixes: 720344340fb9 ("netfilter: nf_tables: GC transaction race with abort path")
Reported-by: Kuan-Ting Chen <hexrabbit@devco.re>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 0d459e2ffb541841714839e8228b845458ed3b27)
CVE-2024-26925
Signed-off-by: Bethany Jamison <bethany.jamison@canonical.com>
---
 net/netfilter/nf_tables_api.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 59e0953c0f5f7..213c479cbb1d3 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10474,11 +10474,6 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
 		nf_tables_abort_release(trans);
 	}
 
-	if (action == NFNL_ABORT_AUTOLOAD)
-		nf_tables_module_autoload(net);
-	else
-		nf_tables_module_autoload_cleanup(net);
-
 	return err;
 }
 
@@ -10495,6 +10490,14 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb,
 
 	WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
 
+	/* module autoload needs to happen after GC sequence update because it
+	 * temporarily releases and grabs mutex again.
+	 */
+	if (action == NFNL_ABORT_AUTOLOAD)
+		nf_tables_module_autoload(net);
+	else
+		nf_tables_module_autoload_cleanup(net);
+
 	mutex_unlock(&nft_net->commit_mutex);
 
 	return ret;

From patchwork Wed May 29 14:57:00 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bethany Jamison <bethany.jamison@canonical.com>
X-Patchwork-Id: 1941311
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=185.125.189.65; helo=lists.ubuntu.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com;
 receiver=patchwork.ozlabs.org)
Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4VqCCh0G2Qz20Tw
	for <incoming@patchwork.ozlabs.org>; Thu, 30 May 2024 00:57:19 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com)
	by lists.ubuntu.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1sCKjn-0001Xt-13; Wed, 29 May 2024 14:57:11 +0000
Received: from smtp-relay-internal-1.internal ([10.131.114.114]
 helo=smtp-relay-internal-1.canonical.com)
 by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.86_2) (envelope-from <bethany.jamison@canonical.com>)
 id 1sCKjk-0001Wq-Sn
 for kernel-team@lists.ubuntu.com; Wed, 29 May 2024 14:57:08 +0000
Received: from mail-oi1-f200.google.com (mail-oi1-f200.google.com
 [209.85.167.200])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id B97583F339
 for <kernel-team@lists.ubuntu.com>; Wed, 29 May 2024 14:57:08 +0000 (UTC)
Received: by mail-oi1-f200.google.com with SMTP id
 5614622812f47-3d1ba3543e8so2456761b6e.1
 for <kernel-team@lists.ubuntu.com>; Wed, 29 May 2024 07:57:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1716994627; x=1717599427;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=USJE7Bw7JF7mXEP1qkjjdkZ1jNGZfn/hLkgke9kmcKw=;
 b=pk1yDrOEwzhdnCqMZr4mG0W2bdhHa9uy2AtcmOyL53Zvq04otBEIyFTURFPcHQ9lh+
 I3MGMY2jxhmGKWXLVrFaOCGKpkoC4f31XR6I5cDh7aQl/Tn7KqIa9Y+0JAvg+K6C7qSw
 X4ubR29JRtzYPyvNl4ulXPh6laQxlSqZQ0+y/2ehF7Ko3TiaSVyRTrgWRhsyp8In+n4M
 T9kPZWtfJC3sf6K5oTeARH1ZfMBBfsMncE+eJogZ40MhEwn3FKjQG2cdorKgqAYCqNJf
 laMo8kfq19UKaftnrCGtMGHpNw+LIh/Viv79CccIrvDUWE+gOmuL6+XJg0YKlXoNYVi4
 z/yA==
X-Gm-Message-State: AOJu0Yyc/k8f1OmijymnYa0nVZZob/coLPW2i4wdMYs84wULsA8gYtp1
 XbGittwxbH7vF24fPD+/vtMvYLfINfySmOJTF2mLWb7haN3kH7vKCmgsNwWI6SUaPHry+ZORtb5
 L4i+gqSsMV250Sixazdjp8B/omYC78BxARqFbgDde9vziYgHg2GV7ztqG9wKcJXu3O9A5MLchl7
 Hd0SQdfID56A==
X-Received: by 2002:a05:6808:f8b:b0:3c3:d47b:e4cf with SMTP id
 5614622812f47-3d1a745ade9mr19414186b6e.39.1716994627369;
 Wed, 29 May 2024 07:57:07 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IFqLnK+N1ncHqeJboRcanOs4OZ+8q6FaUVl4coFONl1+IdWsJ9iVbg6zjkWry0r0XoVIdKe3Q==
X-Received: by 2002:a05:6808:f8b:b0:3c3:d47b:e4cf with SMTP id
 5614622812f47-3d1a745ade9mr19414162b6e.39.1716994626909;
 Wed, 29 May 2024 07:57:06 -0700 (PDT)
Received: from smtp.gmail.com ([2001:67c:1562:8007::aac:48f9])
 by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6ac162f2f35sm54855726d6.77.2024.05.29.07.57.06
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 29 May 2024 07:57:06 -0700 (PDT)
From: Bethany Jamison <bethany.jamison@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH v2 3/3] netfilter: nf_tables: release mutex after
 nft_gc_seq_end from abort path
Date: Wed, 29 May 2024 09:57:00 -0500
Message-Id: <20240529145700.19721-6-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240529145700.19721-1-bethany.jamison@canonical.com>
References: <20240529145700.19721-1-bethany.jamison@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Pablo Neira Ayuso <pablo@netfilter.org>

The commit mutex should not be released during the critical section
between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
worker could collect expired objects and get the released commit lock
within the same GC sequence.

nf_tables_module_autoload() temporarily releases the mutex to load
module dependencies, then it goes back to replay the transaction again.
Move it at the end of the abort phase after nft_gc_seq_end() is called.

Cc: stable@vger.kernel.org
Fixes: 720344340fb9 ("netfilter: nf_tables: GC transaction race with abort path")
Reported-by: Kuan-Ting Chen <hexrabbit@devco.re>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 0d459e2ffb541841714839e8228b845458ed3b27)
CVE-2024-26925
Signed-off-by: Bethany Jamison <bethany.jamison@canonical.com>
---
 net/netfilter/nf_tables_api.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index d9848f5edc788..4db8723ed7c51 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7705,11 +7705,6 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
 		nf_tables_abort_release(trans);
 	}
 
-	if (action == NFNL_ABORT_AUTOLOAD)
-		nf_tables_module_autoload(net);
-	else
-		nf_tables_module_autoload_cleanup(net);
-
 	return err;
 }
 
@@ -7726,6 +7721,14 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb,
 
 	WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
 
+	/* module autoload needs to happen after GC sequence update because it
+	 * temporarily releases and grabs mutex again.
+	 */
+	if (action == NFNL_ABORT_AUTOLOAD)
+		nf_tables_module_autoload(net);
+	else
+		nf_tables_module_autoload_cleanup(net);
+
 	mutex_unlock(&nft_net->commit_mutex);
 
 	return ret;