From: Greg Kroah-Hartman Date: Mon, 25 Apr 2022 12:26:12 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.9.312~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=20ada55c3085eac348186a29ce6209f526900966;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: netfilter-nft_ct-fix-use-after-free-when-attaching-zone-template.patch
---
diff --git a/queue-5.15/netfilter-nft_ct-fix-use-after-free-when-attaching-zone-template.patch b/queue-5.15/netfilter-nft_ct-fix-use-after-free-when-attaching-zone-template.patch
new file mode 100644
index 00000000000..db8a5bd1eef
--- /dev/null
+++ b/queue-5.15/netfilter-nft_ct-fix-use-after-free-when-attaching-zone-template.patch
@@ -0,0 +1,41 @@
+From 34243b9ec856309339172b1507379074156947e8 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Sun, 23 Jan 2022 15:24:00 +0100
+Subject: netfilter: nft_ct: fix use after free when attaching zone template
+
+From: Florian Westphal
+
+commit 34243b9ec856309339172b1507379074156947e8 upstream.
+
+The conversion erroneously removed the refcount increment.
+In case we can use the percpu template, we need to increment
+the refcount, else it will be released when the skb gets freed.
+
+In case the slowpath is taken, the new template already has a
+refcount of 1.
+
+Fixes: 719774377622 ("netfilter: conntrack: convert to refcount_t api")
+Reported-by: kernel test robot
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_ct.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -260,9 +260,12 @@ static void nft_ct_set_zone_eval(const s
+ ct = this_cpu_read(nft_ct_pcpu_template);
+ 
+ if (likely(refcount_read(&ct->ct_general.use) == 1)) {
++ refcount_inc(&ct->ct_general.use);
+ nf_ct_zone_add(ct, &zone);
+ } else {
+- /* previous skb got queued to userspace */
++ /* previous skb got queued to userspace, allocate temporary
++ * one until percpu template can be reused.
++ */
+ ct = nf_ct_tmpl_alloc(nft_net(pkt), &zone, GFP_ATOMIC);
+ if (!ct) {
+ regs->verdict.code = NF_DROP;
diff --git a/queue-5.15/series b/queue-5.15/series
index a4c6294959a..ea994522881 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -117,3 +117,4 @@ ext4-limit-length-to-bitmap_maxbytes-blocksize-in-punch_hole.patch
 ext4-doc-fix-incorrect-h_reserved-size.patch
 ext4-fix-overhead-calculation-to-account-for-the-reserved-gdt-blocks.patch
 ext4-force-overhead-calculation-if-the-s_overhead_cluster-makes-no-sense.patch
+netfilter-nft_ct-fix-use-after-free-when-attaching-zone-template.patch
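Review bot: The fast path in nft_ct_set_zone_eval now pairs a plain `refcount_read(&ct->ct_general.use) == 1` check with a separate `refcount_inc(&ct->ct_general.use)`, and nothing in the hunk records why that read-then-increment cannot race with another holder of the per-CPU template; presumably the hook path runs with softirqs disabled so only this CPU touches `nft_ct_pcpu_template` here — confirm against the caller. A one-line comment above the check would make that contract explicit, e.g. `/* percpu template is only touched from this CPU's hook path, so read+inc cannot race; the extra ref is dropped when the skb is freed */`, with the wording adjusted once the execution context is confirmed. The slowpath would likewise benefit from a note that the template returned by `nf_ct_tmpl_alloc()` already carries the reference the skb will own, which is why no increment follows it (the commit message says this, the code does not). The enclosing function starts and ends outside the hunk, so how the template is attached to the skb and where the reference is released is not visible here.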