git.proxmox.com Git - mirror_ubuntu-kernels.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Sat, 16 Sep 2023 00:48:28 +0000 (03:48 +0300)
committer	Roxana Nicolescu <roxana.nicolescu@canonical.com>
	Mon, 2 Oct 2023 15:20:58 +0000 (17:20 +0200)
commit	181c866d9e0e8a262ce35872d246ac336157e0ef
tree	717711ccfc8b002a395cd29b85d748be862ad4cd	tree
parent	51a081500c7d65f2da5d3c85baa299b44070614e	commit \| diff

netfilter: nf_tables: adapt set backend to use GC transaction API

Use the GC transaction API to replace the old and buggy gc API and the
busy mark approach.

No set elements are removed from async garbage collection anymore,
instead the _DEAD bit is set on so the set element is not visible from
lookup path anymore. Async GC enqueues transaction work that might be
aborted and retried later.

rbtree and pipapo set backends does not set on the _DEAD bit from the
sync GC path since this runs in control plane path where mutex is held.
In this case, set elements are deactivated, removed and then released
via RCU callback, sync GC never fails.

Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support")
Fixes: 9d0982927e79 ("netfilter: nft_hash: add support for timeouts")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit f6c383b8c31a93752a52697f8430a71dcbc46adf)
CVE-2023-4244
Signed-off-by: Cengiz Can <cengiz.can@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>

net/netfilter/nf_tables_api.c		diff \| blob \| blame \| history
net/netfilter/nft_set_hash.c		diff \| blob \| blame \| history
net/netfilter/nft_set_pipapo.c		diff \| blob \| blame \| history
net/netfilter/nft_set_rbtree.c		diff \| blob \| blame \| history