--- /dev/null
+From 3923b1e4406680d57da7e873da77b1683035d83f Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 30 May 2022 18:24:05 +0200
+Subject: netfilter: nf_tables: hold mutex on netns pre_exit path
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 3923b1e4406680d57da7e873da77b1683035d83f upstream.
+
+clean_net() runs in workqueue while walking over the lists, grab mutex.
+
+Fixes: 767d1216bff8 ("netfilter: nftables: fix possible UAF over chains from packet path in netns")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8983,7 +8983,9 @@ static int __net_init nf_tables_init_net
+
+ static void __net_exit nf_tables_pre_exit_net(struct net *net)
+ {
++ mutex_lock(&net->nft.commit_mutex);
+ __nft_release_hooks(net);
++ mutex_unlock(&net->nft.commit_mutex);
+ }
+
+ static void __net_exit nf_tables_exit_net(struct net *net)
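Review bot: The lock added around `__nft_release_hooks(net)` in `nf_tables_pre_exit_net()` has no comment saying what it serialises against, and the callee's locking requirement is not stated anywhere in the hunk. The commit message gives the reason (netns cleanup runs from a workqueue while the lists are walked), so I would record it on the code: `/* netns cleanup runs from a workqueue; hold commit_mutex while the table lists are walked */`. The body and other callers of `__nft_release_hooks()` are outside the hunk; if none of them runs unlocked, `lockdep_assert_held(&net->nft.commit_mutex);` at its top would keep this contract from regressing silently.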
--- /dev/null
+From 6e1acfa387b9ff82cfc7db8cc3b6959221a95851 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 17 Mar 2022 11:59:26 +0100
+Subject: netfilter: nf_tables: validate registers coming from userspace.
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 6e1acfa387b9ff82cfc7db8cc3b6959221a95851 upstream.
+
+Bail out in case userspace uses unsupported registers.
+
+Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8483,26 +8483,23 @@ int nft_parse_u32_check(const struct nla
+ }
+ EXPORT_SYMBOL_GPL(nft_parse_u32_check);
+
+-/**
+- * nft_parse_register - parse a register value from a netlink attribute
+- *
+- * @attr: netlink attribute
+- *
+- * Parse and translate a register value from a netlink attribute.
+- * Registers used to be 128 bit wide, these register numbers will be
+- * mapped to the corresponding 32 bit register numbers.
+- */
+-static unsigned int nft_parse_register(const struct nlattr *attr)
++static int nft_parse_register(const struct nlattr *attr, u32 *preg)
+ {
+ unsigned int reg;
+
+ reg = ntohl(nla_get_be32(attr));
+ switch (reg) {
+ case NFT_REG_VERDICT...NFT_REG_4:
+- return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
++ *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
++ break;
++ case NFT_REG32_00...NFT_REG32_15:
++ *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
++ break;
+ default:
+- return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
++ return -ERANGE;
+ }
++
++ return 0;
+ }
+
+ /**
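Review bot: The kernel-doc block above `nft_parse_register()` is removed along with the old signature and nothing replaces it, so the new contract is undocumented. That contract is the `preg` out-parameter, the `-ERANGE` return for any value outside `NFT_REG_VERDICT...NFT_REG_4` and `NFT_REG32_00...NFT_REG32_15`, and `*preg` being left unwritten on the error path. I would restore a short kernel-doc comment with `@attr`, `@preg` and a Return line covering those three points, keeping the existing sentence about 128-bit register numbers being mapped to 32-bit ones. Both callers in the following hunks return before reading `reg` on error, so the unwritten-on-error behaviour is safe as shown, but a future caller has no way to learn it from the source.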
+@@ -8553,7 +8550,10 @@ int nft_parse_register_load(const struct
+ u32 reg;
+ int err;
+
+- reg = nft_parse_register(attr);
++ err = nft_parse_register(attr, ®);
++ if (err < 0)
++ return err;
++
+ err = nft_validate_register_load(reg, len);
+ if (err < 0)
+ return err;
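Review bot: The second argument of the added call is printed as `®` on this page, which is a mis-decoded `&reg`; the line should read `err = nft_parse_register(attr, &reg);`. The `nft_parse_register_store()` hunk that follows has the same artefact. `reg` is declared without an initialiser just above the call and is assigned only when the parser returns 0, so the `if (err < 0) return err;` check must stay directly after the call, ahead of `nft_validate_register_load(reg, len)`. The rest of `nft_parse_register_load()` lies outside the hunk.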
+@@ -8622,7 +8622,10 @@ int nft_parse_register_store(const struc
+ int err;
+ u32 reg;
+
+- reg = nft_parse_register(attr);
++ err = nft_parse_register(attr, ®);
++ if (err < 0)
++ return err;
++
+ err = nft_validate_register_store(ctx, reg, data, type, len);
+ if (err < 0)
+ return err;
--- /dev/null
+From 08a01c11a5bb3de9b0a9c9b2685867e50eda9910 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 25 Jan 2021 23:19:17 +0100
+Subject: netfilter: nftables: statify nft_parse_register()
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 08a01c11a5bb3de9b0a9c9b2685867e50eda9910 upstream.
+
+This function is not used anymore by any extension, statify it.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/netfilter/nf_tables.h | 1 -
+ net/netfilter/nf_tables_api.c | 3 +--
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -205,7 +205,6 @@ static inline enum nft_registers nft_typ
+ }
+
+ int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest);
+-unsigned int nft_parse_register(const struct nlattr *attr);
+ int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
+
+ int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len);
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8492,7 +8492,7 @@ EXPORT_SYMBOL_GPL(nft_parse_u32_check);
+ * Registers used to be 128 bit wide, these register numbers will be
+ * mapped to the corresponding 32 bit register numbers.
+ */
+-unsigned int nft_parse_register(const struct nlattr *attr)
++static unsigned int nft_parse_register(const struct nlattr *attr)
+ {
+ unsigned int reg;
+
+@@ -8504,7 +8504,6 @@ unsigned int nft_parse_register(const st
+ return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
+ }
+ }
+-EXPORT_SYMBOL_GPL(nft_parse_register);
+
+ /**
+ * nft_dump_register - dump a register value to a netlink attribute
drm-radeon-fix-race-condition-uaf-in-radeon_gem_set_.patch
x86-apic-fix-kernel-panic-when-booting-with-intremap.patch
i2c-imx-lpi2c-fix-type-char-overflow-issue-when-calc.patch
+netfilter-nftables-statify-nft_parse_register.patch
+netfilter-nf_tables-validate-registers-coming-from-userspace.patch
+netfilter-nf_tables-hold-mutex-on-netns-pre_exit-path.patch