netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path

jira LE-1907 cve CVE-2024-26925 Rebuild_History Non-Buildable kernel-4.18.0-553.16.1.el8_10 commit-author Pablo Neira Ayuso <[email protected]> commit 0d459e2 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-4.18.0-553.16.1.el8_10/0d459e2f.failed The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called. Cc: [email protected] Fixes: 7203443 ("netfilter: nf_tables: GC transaction race with abort path") Reported-by: Kuan-Ting Chen <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 0d459e2) Signed-off-by: Jonathan Maple <[email protected]> # Conflicts: # net/netfilter/nf_tables_api.c
ctrliq · Sep 12, 2024 · 36c5406 · 36c5406
1 parent db2f678
commit 36c5406
Showing 1 changed file with 79 additions and 0 deletions.
diff --git a/ciq/ciq_backports/kernel-4.18.0-553.16.1.el8_10/0d459e2f.failed b/ciq/ciq_backports/kernel-4.18.0-553.16.1.el8_10/0d459e2f.failed
@@ -0,0 +1,79 @@
+netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
+
+jira LE-1907
+cve CVE-2024-26925
+Rebuild_History Non-Buildable kernel-4.18.0-553.16.1.el8_10
+commit-author Pablo Neira Ayuso <[email protected]>
+commit 0d459e2ffb541841714839e8228b845458ed3b27
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.16.1.el8_10/0d459e2f.failed
+
+The commit mutex should not be released during the critical section
+between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
+worker could collect expired objects and get the released commit lock
+within the same GC sequence.
+
+nf_tables_module_autoload() temporarily releases the mutex to load
+module dependencies, then it goes back to replay the transaction again.
+Move it at the end of the abort phase after nft_gc_seq_end() is called.
+
+	Cc: [email protected]
+Fixes: 720344340fb9 ("netfilter: nf_tables: GC transaction race with abort path")
+	Reported-by: Kuan-Ting Chen <[email protected]>
+	Signed-off-by: Pablo Neira Ayuso <[email protected]>
+(cherry picked from commit 0d459e2ffb541841714839e8228b845458ed3b27)
+	Signed-off-by: Jonathan Maple <[email protected]>
+
+# Conflicts:
+#	net/netfilter/nf_tables_api.c
+diff --cc net/netfilter/nf_tables_api.c
+index ddd3e06d5bbf,0d432d0674e1..000000000000
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@@ -8609,17 -10651,7 +8609,21 @@@ static int __nf_tables_abort(struct ne
+  		nf_tables_abort_release(trans);
+  	}
+
+++<<<<<<< HEAD
+ +	if (action == NFNL_ABORT_AUTOLOAD)
+ +		nf_tables_module_autoload(net);
+ +	else
+ +		nf_tables_module_autoload_cleanup(net);
+ +
+ +	return 0;
+ +}
+ +
+ +static void nf_tables_cleanup(struct net *net)
+ +{
+ +	nft_validate_state_update(net, NFT_VALIDATE_SKIP);
+++=======
++ 	return err;
+++>>>>>>> 0d459e2ffb54 (netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path)
+  }
+
+  static int nf_tables_abort(struct net *net, struct sk_buff *skb,
+@@@ -8632,7 -10664,18 +8636,22 @@@
+  	gc_seq = nft_gc_seq_begin(nft_net);
+  	ret = __nf_tables_abort(net, action);
+  	nft_gc_seq_end(nft_net, gc_seq);
+++<<<<<<< HEAD
+ +	mutex_unlock(&net->nft_commit_mutex);
+++=======
++ 
++ 	WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
++ 
++ 	/* module autoload needs to happen after GC sequence update because it
++ 	 * temporarily releases and grabs mutex again.
++ 	 */
++ 	if (action == NFNL_ABORT_AUTOLOAD)
++ 		nf_tables_module_autoload(net);
++ 	else
++ 		nf_tables_module_autoload_cleanup(net);
++ 
++ 	mutex_unlock(&nft_net->commit_mutex);
+++>>>>>>> 0d459e2ffb54 (netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path)
+
+  	return ret;
+  }
+* Unmerged path net/netfilter/nf_tables_api.c