[LTS 9.2] netfilter: CVE-2024-27017, CVE-2024-27012 bugfixes #798
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
roxanan1996
requested changes
Jan 5, 2026
Contributor
roxanan1996
left a comment
roxanan1996
left a comment
There was a problem hiding this comment.
Commit "netfilter: nf_tables: missing iterator type in lookup walk" (2nd)
references upstream commit b6603321a74c6371ed1db05e5cfac0623ada8d5d
but this does not exist. Commit efefd4f is the right one here.
Also, was this a clean patch? I believe you ran into the same conflict as for the previous commit.
Otherwise, the patches looked correct.
pvts-mat
force-pushed
the
ciqlts9_2-CVE-batch-15
branch
from
a40b32d to
233bfe0
Compare
Contributor
Author
Yes, sorry for the mistake. I will look into The pick was clean in my repo. You experienced some conflicts? Can you share? |
Contributor
Would you mind sharing your pain points with it? Because I am also working on extending it and it would be beneficial to include your workflow as well. Thanks!
I just assumed that by looking at the patch. Forgot about the 3way merge. All good. |
Contributor
Author
When composing the final patch I often re-arrange the commits and cherry-pick my own ones with the conflicts already resolved to not have to resolve them again or deal with patches. Other than that there is often a need to use different bases than the upstream, like linux stable branches or CentOS backports. Sometimes I create the commit manually, by editing the files or copying them from some source. The way I see it is that The lowest hanging fruit I guess would be to decouple the body message composition from the operation on git repository. Just printing the message for the user to copy into the commit of his/her own making. |
roxanan1996
previously approved these changes
Jan 6, 2026
Contributor
roxanan1996
left a comment
roxanan1996
left a comment
There was a problem hiding this comment.
You need to update your branch to include the latest changes of 9.2 to pass the pr checks. https://github.com/ctrliq/kernel-src-tree/actions/runs/20717747278/job/59476706444?pr=798
Otherwise, it looks good to me.
pvts-mat
force-pushed
the
ciqlts9_2-CVE-batch-15
branch
from
233bfe0 to
ca81e12
Compare
|
🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/20795793676 |
🔍 Interdiff Analysis
diff -u b/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
--- b/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5475,5 +5475,5 @@
+ args.cb = cb;
args.skb = skb;
- args.reset = dump_ctx->reset;
args.iter.genmask = nft_genmask_cur(net);
args.iter.type = NFT_ITER_READ;
args.iter.skip = cb->args[0];
diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -2018,9 +2018,9 @@
{
struct nft_pipapo *priv = nft_set_priv(set);
struct net *net = read_pnet(&set->net);
- const struct nft_pipapo_match *m;
- const struct nft_pipapo_field *f;
- unsigned int i, r;
+ struct nft_pipapo_match *m;
+ struct nft_pipapo_field *f;
+ int i, r;
rcu_read_lock();
if (iter->type == NFT_ITER_READ)
@@ -2021,8 +2021,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
struct nft_set_iter *iter)
{
struct nft_pipapo *priv = nft_set_priv(set);
- struct net *net = read_pnet(&set->net);
struct nft_pipapo_match *m;
struct nft_pipapo_field *f;
int i, r;
@@ -2026,6 +2025,8 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
struct nft_pipapo_field *f;
int i, r;
+ WARN_ON_ONCE(iter->type == NFT_ITER_UNSPEC);
+
rcu_read_lock();
if (iter->genmask == nft_genmask_cur(net))
m = rcu_dereference(priv->match);
@@ -2115,8 +2115,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
struct nft_set_iter *iter)
{
struct nft_pipapo *priv = nft_set_priv(set);
- struct net *net = read_pnet(&set->net);
const struct nft_pipapo_match *m;
const struct nft_pipapo_field *f;
unsigned int i, r;
@@ -2120,6 +2119,8 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
const struct nft_pipapo_field *f;
unsigned int i, r;
+ WARN_ON_ONCE(iter->type == NFT_ITER_UNSPEC);
+
rcu_read_lock();
if (iter->genmask == nft_genmask_cur(net))
m = rcu_dereference(priv->match);
diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -2022,5 +2022,5 @@
- const struct nft_pipapo_field *f;
- unsigned int i, r;
+ struct nft_pipapo_field *f;
+ int i, r;
WARN_ON_ONCE(iter->type != NFT_ITER_READ &&
iter->type != NFT_ITER_UPDATE);
diff -u b/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
--- b/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -590,6 +590,6 @@
const struct nft_set_iter *iter,
- struct nft_elem_priv *elem_priv)
+ struct nft_set_elem *elem)
{
- nft_setelem_data_deactivate(ctx->net, set, elem_priv);
+ nft_setelem_data_deactivate(ctx->net, set, elem);
return 0;
@@ -593,6 +593,12 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
const struct nft_set_iter *iter,
struct nft_set_elem *elem)
{
+ struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
+ nft_set_elem_change_active(ctx->net, set, ext);
nft_setelem_data_deactivate(ctx->net, set, elem);
return 0;
@@ -594,6 +594,12 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
const struct nft_set_iter *iter,
struct nft_elem_priv *elem_priv)
{
+ struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
+
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
+ nft_set_elem_change_active(ctx->net, set, ext);
nft_setelem_data_deactivate(ctx->net, set, elem_priv);
return 0;
@@ -614,6 +613,6 @@
if (!nft_set_elem_active(ext, genmask))
continue;
- nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
+ elem.priv = catchall->elem;
+ nft_setelem_data_deactivate(ctx->net, set, &elem);
break;
- }
@@ -617,6 +623,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
if (!nft_set_elem_active(ext, genmask))
continue;
+ nft_set_elem_change_active(ctx->net, set, ext);
elem.priv = catchall->elem;
nft_setelem_data_deactivate(ctx->net, set, &elem);
break;
@@ -617,6 +623,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
if (!nft_set_elem_active(ext, genmask))
continue;
+ nft_set_elem_change_active(ctx->net, set, ext);
nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
break;
}
@@ -3516,15 +3516,16 @@
.genmask = nft_genmask_next(ctx->net),
};
struct nft_set_elem_catchall *catchall;
+ struct nft_set_elem elem;
struct nft_set_ext *ext;
- int ret = 0;
list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
ext = nft_set_elem_ext(set, catchall->elem);
- if (!nft_set_elem_active(ext, dummy_iter.genmask))
+ if (!nft_set_elem_active(ext, genmask))
continue;
- ret = nft_setelem_validate(ctx, set, NULL, catchall->elem);
+ elem.priv = catchall->elem;
+ ret = nft_setelem_validate(ctx, set, NULL, &elem);
if (ret < 0)
return ret;
}
@@ -3526,7 +3538,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
continue;
elem.priv = catchall->elem;
- ret = nft_setelem_validate(ctx, set, NULL, &elem);
+ ret = nft_setelem_validate(ctx, set, &dummy_iter, &elem);
if (ret < 0)
return ret;
}
@@ -3910,8 +3922,9 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
{
u8 genmask = nft_genmask_next(ctx->net);
struct nft_set_elem_catchall *catchall;
+
struct nft_set_ext *ext;
int ret = 0;
list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
ext = nft_set_elem_ext(set, catchall->elem);
@@ -3915,7 +3928,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
ext = nft_set_elem_ext(set, catchall->elem);
- if (!nft_set_elem_active(ext, genmask))
+ if (!nft_set_elem_active(ext, dummy_iter.genmask))
continue;
ret = nft_setelem_validate(ctx, set, NULL, catchall->elem);
@@ -3918,7 +3931,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
if (!nft_set_elem_active(ext, genmask))
continue;
- ret = nft_setelem_validate(ctx, set, NULL, catchall->elem);
+ ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem);
if (ret < 0)
return ret;
}
@@ -5003,6 +5015,11 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
const struct nft_set_iter *iter,
struct nft_set_elem *elem)
{
+ const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
return nft_setelem_data_validate(ctx, set, elem);
}
@@ -5097,6 +5114,13 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
const struct nft_set_iter *iter,
struct nft_set_elem *elem)
{
+ struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+
+ /* called from abort path, reverse check to undo changes. */
+ if (nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
+ nft_clear(ctx->net, ext);
nft_setelem_data_activate(ctx->net, set, elem);
return 0;
@@ -5115,6 +5139,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
if (!nft_set_elem_active(ext, genmask))
continue;
+ nft_clear(ctx->net, ext);
elem.priv = catchall->elem;
nft_setelem_data_activate(ctx->net, set, &elem);
break;
@@ -5387,6 +5412,9 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
struct nft_set_dump_args *args;
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
if (nft_set_elem_expired(ext))
return 0;
@@ -5407,6 +5420,11 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
const struct nft_set_iter *iter,
struct nft_elem_priv *elem_priv)
{
+ const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
+
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
return nft_setelem_data_validate(ctx, set, elem_priv);
}
@@ -5499,6 +5517,13 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
const struct nft_set_iter *iter,
struct nft_elem_priv *elem_priv)
{
+ struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
+
+ /* called from abort path, reverse check to undo changes. */
+ if (nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
+ nft_clear(ctx->net, ext);
nft_setelem_data_activate(ctx->net, set, elem_priv);
return 0;
@@ -5516,6 +5541,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
if (!nft_set_elem_active(ext, genmask))
continue;
+ nft_clear(ctx->net, ext);
nft_setelem_data_activate(ctx->net, set, catchall->elem);
break;
}
@@ -5790,6 +5816,9 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
struct nft_set_dump_args *args;
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
return 0;
@@ -6120,7 +6148,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
if (nft_setelem_is_catchall(set, elem)) {
- nft_set_elem_change_active(net, set, ext);
+ nft_clear(net, ext);
} else {
set->ops->activate(net, set, elem);
}
@@ -6640,7 +6669,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
if (nft_setelem_is_catchall(set, elem_priv)) {
- nft_set_elem_change_active(net, set, ext);
+ nft_clear(net, ext);
} else {
set->ops->activate(net, set, elem_priv);
}
@@ -6792,7 +6792,7 @@
const struct nft_set_iter *iter,
- struct nft_elem_priv *elem_priv)
+ struct nft_set_elem *elem)
{
- const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+ const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
struct nft_trans *trans;
if (!nft_set_elem_active(ext, iter->genmask))
@@ -10061,5 +10061,5 @@
{
- const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
+ const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
if (!nft_set_elem_active(ext, iter->genmask))
return 0;
diff -u b/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c
--- b/net/netfilter/nft_set_bitmap.c
+++ b/net/netfilter/nft_set_bitmap.c
@@ -227,3 +227,3 @@
- iter->err = iter->fn(ctx, set, iter, &be->priv);
+ elem.priv = &be->priv;
diff -u b/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
--- b/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -192,5 +192,5 @@
{
- struct nft_rhash_elem *he = nft_elem_priv_cast(elem_priv);
+ struct nft_rhash_elem *he = nft_elem_priv_cast(elem->priv);
nft_clear(net, &he->ext);
}
@@ -282,5 +282,5 @@
if (iter->count < iter->skip)
goto cont;
- iter->err = iter->fn(ctx, set, iter, &he->priv);
- if (iter->err < 0)
+ elem.priv = &he->priv;
+
@@ -592,5 +592,5 @@
{
- struct nft_hash_elem *he = nft_elem_priv_cast(elem_priv);
+ struct nft_hash_elem *he = nft_elem_priv_cast(elem->priv);
nft_clear(net, &he->ext);
}
@@ -649,5 +649,5 @@
if (iter->count < iter->skip)
goto cont;
- iter->err = iter->fn(ctx, set, iter, &he->priv);
- if (iter->err < 0)
+ elem.priv = &he->priv;
+
diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1752,5 +1752,5 @@
{
- struct nft_pipapo_elem *e = nft_elem_priv_cast(elem_priv);
+ struct nft_pipapo_elem *e = nft_elem_priv_cast(elem->priv);
nft_clear(net, &e->ext);
}
@@ -2049,9 +2049,9 @@
e = f->mt[r].e;
if (!nft_set_elem_active(&e->ext, iter->genmask))
goto cont;
- iter->err = iter->fn(ctx, set, iter, &e->priv);
- if (iter->err < 0)
- goto out;
+ elem.priv = &e->priv;
+
+ iter->err = iter->fn(ctx, set, iter, &elem);
@@ -2052,9 +2052,6 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
e = f->mt[r].e;
- if (!nft_set_elem_active(&e->ext, iter->genmask))
- goto cont;
-
elem.priv = &e->priv;
iter->err = iter->fn(ctx, set, iter, &elem);
@@ -2149,9 +2149,6 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
e = f->mt[r].e;
- if (!nft_set_elem_active(&e->ext, iter->genmask))
- goto cont;
-
iter->err = iter->fn(ctx, set, iter, &e->priv);
if (iter->err < 0)
goto out;
diff -u b/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
--- b/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -528,5 +528,5 @@
{
- struct nft_rbtree_elem *rbe = nft_elem_priv_cast(elem_priv);
+ struct nft_rbtree_elem *rbe = nft_elem_priv_cast(elem->priv);
nft_clear(net, &rbe->ext);
}
@@ -597,5 +597,5 @@
if (iter->count < iter->skip)
goto cont;
- iter->err = iter->fn(ctx, set, iter, &rbe->priv);
- if (iter->err < 0) {
+ elem.priv = &rbe->priv;
+This is an automated interdiff check for backported commits. |
JIRA PR Check Results3 commit(s) with issues found: Commit
|
|
❌ Validation checks completed with issues View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/20795793676 |
Contributor
Author
|
@kerneltoast can you help me understand how the 1Why isn't gives me: and the reversed arguments call gives the reversed output, as expected: However:
2Why does interdiff show differences in both the changes and the contexts of changes instead of just the changes? I realize the information about the differences around the changes themselves may be useful in manual analysis (though I find myself usually filtering it out as noise), however, the 3What does 4How does the 5Original |
jira VULN-37652 cve CVE-2024-27017 commit-author Pablo Neira Ayuso <pablo@netfilter.org> commit 29b359c upstream-diff Resolved conflicts in the declarations block in nft_pipapo_walk() function. No actual diffs in the end. The generation mask can be updated while netlink dump is in progress. The pipapo set backend walk iterator cannot rely on it to infer what view of the datastructure is to be used. Add notation to specify if user wants to read/update the set. Based on patch from Florian Westphal. Fixes: 2b84e21 ("netfilter: nft_set_pipapo: .walk does not deal with generations") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit 29b359c) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-37652 cve-bf CVE-2024-27017 commit-author Pablo Neira Ayuso <pablo@netfilter.org> commit efefd4f Add missing decorator type to lookup expression and tighten WARN_ON_ONCE check in pipapo to spot earlier that this is unset. Fixes: 29b359c ("netfilter: nft_set_pipapo: walk over current view on netlink dump") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit efefd4f) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-37622 cve CVE-2024-27012 commit-author Pablo Neira Ayuso <pablo@netfilter.org> commit e79b47a upstream-diff Accounted for the missing commit 0e1ea65. From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] <TASK> [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables] Fixes: 628bd3e ("netfilter: nf_tables: drop map element references from preparation phase") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit e79b47a) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
pvts-mat
force-pushed
the
ciqlts9_2-CVE-batch-15
branch
from
ca81e12 to
8858320
Compare
Contributor
Author
|
This forced push was a rebase onto the latest |
|
🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/20908353549 |
🔍 Interdiff Analysis
diff -u b/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
--- b/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5473,5 +5473,5 @@
+ args.cb = cb;
args.skb = skb;
- args.reset = dump_ctx->reset;
args.iter.genmask = nft_genmask_cur(net);
args.iter.type = NFT_ITER_READ;
args.iter.skip = cb->args[0];
diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -2018,9 +2018,9 @@
{
struct nft_pipapo *priv = nft_set_priv(set);
struct net *net = read_pnet(&set->net);
- const struct nft_pipapo_match *m;
- const struct nft_pipapo_field *f;
- unsigned int i, r;
+ struct nft_pipapo_match *m;
+ struct nft_pipapo_field *f;
+ int i, r;
rcu_read_lock();
if (iter->type == NFT_ITER_READ)
@@ -2021,8 +2021,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
struct nft_set_iter *iter)
{
struct nft_pipapo *priv = nft_set_priv(set);
- struct net *net = read_pnet(&set->net);
struct nft_pipapo_match *m;
struct nft_pipapo_field *f;
int i, r;
@@ -2026,6 +2025,8 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
struct nft_pipapo_field *f;
int i, r;
+ WARN_ON_ONCE(iter->type == NFT_ITER_UNSPEC);
+
rcu_read_lock();
if (iter->genmask == nft_genmask_cur(net))
m = rcu_dereference(priv->match);
@@ -2115,8 +2115,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
struct nft_set_iter *iter)
{
struct nft_pipapo *priv = nft_set_priv(set);
- struct net *net = read_pnet(&set->net);
const struct nft_pipapo_match *m;
const struct nft_pipapo_field *f;
unsigned int i, r;
@@ -2120,6 +2119,8 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
const struct nft_pipapo_field *f;
unsigned int i, r;
+ WARN_ON_ONCE(iter->type == NFT_ITER_UNSPEC);
+
rcu_read_lock();
if (iter->genmask == nft_genmask_cur(net))
m = rcu_dereference(priv->match);
diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -2022,5 +2022,5 @@
- const struct nft_pipapo_field *f;
- unsigned int i, r;
+ struct nft_pipapo_field *f;
+ int i, r;
WARN_ON_ONCE(iter->type != NFT_ITER_READ &&
iter->type != NFT_ITER_UPDATE);
diff -u b/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
--- b/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -588,6 +588,6 @@
const struct nft_set_iter *iter,
- struct nft_elem_priv *elem_priv)
+ struct nft_set_elem *elem)
{
- nft_setelem_data_deactivate(ctx->net, set, elem_priv);
+ nft_setelem_data_deactivate(ctx->net, set, elem);
return 0;
@@ -591,6 +591,12 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
const struct nft_set_iter *iter,
struct nft_set_elem *elem)
{
+ struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
+ nft_set_elem_change_active(ctx->net, set, ext);
nft_setelem_data_deactivate(ctx->net, set, elem);
return 0;
@@ -594,6 +594,12 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
const struct nft_set_iter *iter,
struct nft_elem_priv *elem_priv)
{
+ struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
+
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
+ nft_set_elem_change_active(ctx->net, set, ext);
nft_setelem_data_deactivate(ctx->net, set, elem_priv);
return 0;
@@ -614,6 +611,6 @@
if (!nft_set_elem_active(ext, genmask))
continue;
- nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
+ elem.priv = catchall->elem;
+ nft_setelem_data_deactivate(ctx->net, set, &elem);
break;
- }
@@ -615,6 +621,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
if (!nft_set_elem_active(ext, genmask))
continue;
+ nft_set_elem_change_active(ctx->net, set, ext);
elem.priv = catchall->elem;
nft_setelem_data_deactivate(ctx->net, set, &elem);
break;
@@ -617,6 +623,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
if (!nft_set_elem_active(ext, genmask))
continue;
+ nft_set_elem_change_active(ctx->net, set, ext);
nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
break;
}
@@ -3514,15 +3514,16 @@
.genmask = nft_genmask_next(ctx->net),
};
struct nft_set_elem_catchall *catchall;
+ struct nft_set_elem elem;
struct nft_set_ext *ext;
- int ret = 0;
list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
ext = nft_set_elem_ext(set, catchall->elem);
- if (!nft_set_elem_active(ext, dummy_iter.genmask))
+ if (!nft_set_elem_active(ext, genmask))
continue;
- ret = nft_setelem_validate(ctx, set, NULL, catchall->elem);
+ elem.priv = catchall->elem;
+ ret = nft_setelem_validate(ctx, set, NULL, &elem);
if (ret < 0)
return ret;
}
@@ -3524,7 +3536,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
continue;
elem.priv = catchall->elem;
- ret = nft_setelem_validate(ctx, set, NULL, &elem);
+ ret = nft_setelem_validate(ctx, set, &dummy_iter, &elem);
if (ret < 0)
return ret;
}
@@ -3910,8 +3922,9 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
{
u8 genmask = nft_genmask_next(ctx->net);
struct nft_set_elem_catchall *catchall;
+
struct nft_set_ext *ext;
int ret = 0;
list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
ext = nft_set_elem_ext(set, catchall->elem);
@@ -3915,7 +3928,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
ext = nft_set_elem_ext(set, catchall->elem);
- if (!nft_set_elem_active(ext, genmask))
+ if (!nft_set_elem_active(ext, dummy_iter.genmask))
continue;
ret = nft_setelem_validate(ctx, set, NULL, catchall->elem);
@@ -3918,7 +3931,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
if (!nft_set_elem_active(ext, genmask))
continue;
- ret = nft_setelem_validate(ctx, set, NULL, catchall->elem);
+ ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem);
if (ret < 0)
return ret;
}
@@ -5001,6 +5013,11 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
const struct nft_set_iter *iter,
struct nft_set_elem *elem)
{
+ const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
return nft_setelem_data_validate(ctx, set, elem);
}
@@ -5095,6 +5112,13 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
const struct nft_set_iter *iter,
struct nft_set_elem *elem)
{
+ struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+
+ /* called from abort path, reverse check to undo changes. */
+ if (nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
+ nft_clear(ctx->net, ext);
nft_setelem_data_activate(ctx->net, set, elem);
return 0;
@@ -5113,6 +5137,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
if (!nft_set_elem_active(ext, genmask))
continue;
+ nft_clear(ctx->net, ext);
elem.priv = catchall->elem;
nft_setelem_data_activate(ctx->net, set, &elem);
break;
@@ -5407,6 +5420,11 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
const struct nft_set_iter *iter,
struct nft_elem_priv *elem_priv)
{
+ const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
+
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
return nft_setelem_data_validate(ctx, set, elem_priv);
}
@@ -5499,6 +5517,13 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
const struct nft_set_iter *iter,
struct nft_elem_priv *elem_priv)
{
+ struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
+
+ /* called from abort path, reverse check to undo changes. */
+ if (nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
+ nft_clear(ctx->net, ext);
nft_setelem_data_activate(ctx->net, set, elem_priv);
return 0;
@@ -5516,6 +5541,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
if (!nft_set_elem_active(ext, genmask))
continue;
+ nft_clear(ctx->net, ext);
nft_setelem_data_activate(ctx->net, set, catchall->elem);
break;
}
@@ -6121,7 +6149,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
if (nft_setelem_is_catchall(set, elem)) {
- nft_set_elem_change_active(net, set, ext);
+ nft_clear(net, ext);
} else {
set->ops->activate(net, set, elem);
}
@@ -6643,7 +6672,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
if (nft_setelem_is_catchall(set, elem_priv)) {
- nft_set_elem_change_active(net, set, ext);
+ nft_clear(net, ext);
} else {
set->ops->activate(net, set, elem_priv);
}
@@ -6793,7 +6793,7 @@
const struct nft_set_iter *iter,
- struct nft_elem_priv *elem_priv)
+ struct nft_set_elem *elem)
{
- const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+ const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
struct nft_trans *trans;
if (!nft_set_elem_active(ext, iter->genmask))
@@ -10066,5 +10066,5 @@
{
- const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
+ const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
if (!nft_set_elem_active(ext, iter->genmask))
return 0;
diff -u b/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c
--- b/net/netfilter/nft_set_bitmap.c
+++ b/net/netfilter/nft_set_bitmap.c
@@ -227,3 +227,3 @@
- iter->err = iter->fn(ctx, set, iter, &be->priv);
+ elem.priv = &be->priv;
diff -u b/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
--- b/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -194,5 +194,5 @@
{
- struct nft_rhash_elem *he = nft_elem_priv_cast(elem_priv);
+ struct nft_rhash_elem *he = nft_elem_priv_cast(elem->priv);
nft_clear(net, &he->ext);
}
@@ -284,5 +284,5 @@
if (iter->count < iter->skip)
goto cont;
- iter->err = iter->fn(ctx, set, iter, &he->priv);
- if (iter->err < 0)
+ elem.priv = &he->priv;
+
@@ -608,5 +608,5 @@
{
- struct nft_hash_elem *he = nft_elem_priv_cast(elem_priv);
+ struct nft_hash_elem *he = nft_elem_priv_cast(elem->priv);
nft_clear(net, &he->ext);
}
@@ -665,5 +665,5 @@
if (iter->count < iter->skip)
goto cont;
- iter->err = iter->fn(ctx, set, iter, &he->priv);
- if (iter->err < 0)
+ elem.priv = &he->priv;
+
diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1752,5 +1752,5 @@
{
- struct nft_pipapo_elem *e = nft_elem_priv_cast(elem_priv);
+ struct nft_pipapo_elem *e = nft_elem_priv_cast(elem->priv);
nft_clear(net, &e->ext);
}
@@ -2049,9 +2049,9 @@
e = f->mt[r].e;
if (!nft_set_elem_active(&e->ext, iter->genmask))
goto cont;
- iter->err = iter->fn(ctx, set, iter, &e->priv);
- if (iter->err < 0)
- goto out;
+ elem.priv = &e->priv;
+
+ iter->err = iter->fn(ctx, set, iter, &elem);
@@ -2052,9 +2052,6 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
e = f->mt[r].e;
- if (!nft_set_elem_active(&e->ext, iter->genmask))
- goto cont;
-
elem.priv = &e->priv;
iter->err = iter->fn(ctx, set, iter, &elem);
@@ -2149,9 +2149,6 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
e = f->mt[r].e;
- if (!nft_set_elem_active(&e->ext, iter->genmask))
- goto cont;
-
iter->err = iter->fn(ctx, set, iter, &e->priv);
if (iter->err < 0)
goto out;
diff -u b/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
--- b/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -528,5 +528,5 @@
{
- struct nft_rbtree_elem *rbe = nft_elem_priv_cast(elem_priv);
+ struct nft_rbtree_elem *rbe = nft_elem_priv_cast(elem->priv);
nft_clear(net, &rbe->ext);
}
@@ -597,5 +597,5 @@
if (iter->count < iter->skip)
goto cont;
- iter->err = iter->fn(ctx, set, iter, &rbe->priv);
- if (iter->err < 0) {
+ elem.priv = &rbe->priv;
+This is an automated interdiff check for backported commits. |
JIRA PR Check Results3 commit(s) with issues found: Commit
|
|
❌ Validation checks completed with issues View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/20908353549 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[LTS 9.2]
CVE-2024-27017 VULN-37652
CVE-2024-27012 VULN-37622
About
This PR is a continuation of the netfilter patch set bugfixes (see also #794). The CVE-2024-27012 fix required relatively wide conflicts resolution which warranted this separate PR to ease the review process. Additionally the backport of 29b359c was included, which was associated with its own CVE-2024-27017.
These two fixes conclude the bugfixing of #668.
Commits
Although cherry-picking e79b47a resulted in many conflicts they all had a single source - the lack of backported 0e1ea65
netfilter: nf_tables: shrink memory consumption of set elements. The CentOS 9 backport 03c356c was not useful, since the 9.6 version it was commited to had that prerequisite in place. The resolved version turned out to be very similar to thelinux-6.6.ybackport 164936b.kABI check: passed
Boot test: passed
boot-test.log
Kselftests: passed
Reference
kselftests–ciqlts9_2–run1.log
kselftests–ciqlts9_2–run2.log
Patch
kselftests–ciqlts9_2-CVE-batch-15–run1.log
kselftests–ciqlts9_2-CVE-batch-15–run2.log
kselftests–ciqlts9_2-CVE-batch-15–run3.log
Comparison
The tests results for the reference and the patch are the same.