--- /dev/null
+From c1592a89942e9678f7d9c8030efa777c0d57edab Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 2 May 2023 10:25:24 +0200
+Subject: netfilter: nf_tables: deactivate anonymous set from preparation phase
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit c1592a89942e9678f7d9c8030efa777c0d57edab upstream.
+
+Toggle deleted anonymous sets as inactive in the next generation, so
+users cannot perform any update on it. Clear the generation bitmask
+in case the transaction is aborted.
+
+The following KASAN splat shows a set element deletion for a bound
+anonymous set that has been already removed in the same transaction.
+
+[ 64.921510] ==================================================================
+[ 64.923123] BUG: KASAN: wild-memory-access in nf_tables_commit+0xa24/0x1490 [nf_tables]
+[ 64.924745] Write of size 8 at addr dead000000000122 by task test/890
+[ 64.927903] CPU: 3 PID: 890 Comm: test Not tainted 6.3.0+ #253
+[ 64.931120] Call Trace:
+[ 64.932699] <TASK>
+[ 64.934292] dump_stack_lvl+0x33/0x50
+[ 64.935908] ? nf_tables_commit+0xa24/0x1490 [nf_tables]
+[ 64.937551] kasan_report+0xda/0x120
+[ 64.939186] ? nf_tables_commit+0xa24/0x1490 [nf_tables]
+[ 64.940814] nf_tables_commit+0xa24/0x1490 [nf_tables]
+[ 64.942452] ? __kasan_slab_alloc+0x2d/0x60
+[ 64.944070] ? nf_tables_setelem_notify+0x190/0x190 [nf_tables]
+[ 64.945710] ? kasan_set_track+0x21/0x30
+[ 64.947323] nfnetlink_rcv_batch+0x709/0xd90 [nfnetlink]
+[ 64.948898] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink]
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/netfilter/nf_tables.h | 1 +
+ net/netfilter/nf_tables_api.c | 12 ++++++++++++
+ net/netfilter/nft_dynset.c | 2 +-
+ net/netfilter/nft_lookup.c | 2 +-
+ net/netfilter/nft_objref.c | 2 +-
+ 5 files changed, 16 insertions(+), 3 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -493,6 +493,7 @@ struct nft_set_binding {
+ };
+
+ enum nft_trans_phase;
++void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set);
+ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_set_binding *binding,
+ enum nft_trans_phase phase);
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3909,12 +3909,24 @@ static void nf_tables_unbind_set(const s
+ }
+ }
+
++void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
++{
++ if (nft_set_is_anonymous(set))
++ nft_clear(ctx->net, set);
++
++ set->use++;
++}
++EXPORT_SYMBOL_GPL(nf_tables_activate_set);
++
+ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_set_binding *binding,
+ enum nft_trans_phase phase)
+ {
+ switch (phase) {
+ case NFT_TRANS_PREPARE:
++ if (nft_set_is_anonymous(set))
++ nft_deactivate_next(ctx->net, set);
++
+ set->use--;
+ return;
+ case NFT_TRANS_ABORT:
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -259,7 +259,7 @@ static void nft_dynset_activate(const st
+ {
+ struct nft_dynset *priv = nft_expr_priv(expr);
+
+- priv->set->use++;
++ nf_tables_activate_set(ctx, priv->set);
+ }
+
+ static void nft_dynset_destroy(const struct nft_ctx *ctx,
+--- a/net/netfilter/nft_lookup.c
++++ b/net/netfilter/nft_lookup.c
+@@ -129,7 +129,7 @@ static void nft_lookup_activate(const st
+ {
+ struct nft_lookup *priv = nft_expr_priv(expr);
+
+- priv->set->use++;
++ nf_tables_activate_set(ctx, priv->set);
+ }
+
+ static void nft_lookup_destroy(const struct nft_ctx *ctx,
+--- a/net/netfilter/nft_objref.c
++++ b/net/netfilter/nft_objref.c
+@@ -180,7 +180,7 @@ static void nft_objref_map_activate(cons
+ {
+ struct nft_objref_map *priv = nft_expr_priv(expr);
+
+- priv->set->use++;
++ nf_tables_activate_set(ctx, priv->set);
+ }
+
+ static void nft_objref_map_destroy(const struct nft_ctx *ctx,
projects / thirdparty / kernel / stable-queue.git / commitdiff
