From: Greg Kroah-Hartman Date: Tue, 27 Feb 2024 13:13:19 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.19.308~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8e015b459b4995f3bd1af19fea12896fa842ab64;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: netfilter-nf_tables-can-t-schedule-in-nft_chain_validate.patch --- diff --git a/queue-5.15/netfilter-nf_tables-can-t-schedule-in-nft_chain_validate.patch b/queue-5.15/netfilter-nf_tables-can-t-schedule-in-nft_chain_validate.patch new file mode 100644 index 00000000000..60c7fd3908c --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-can-t-schedule-in-nft_chain_validate.patch 
@@ -0,0 +1,59 @@ +From 314c82841602a111c04a7210c21dc77e0d560242 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 18 Jul 2023 01:30:33 +0200 +Subject: netfilter: nf_tables: can't schedule in nft_chain_validate + +From: Florian Westphal + +commit 314c82841602a111c04a7210c21dc77e0d560242 upstream. + +Can be called via nft set element list iteration, which may acquire +rcu and/or bh read lock (depends on set type). + +BUG: sleeping function called from invalid context at net/netfilter/nf_tables_api.c:3353 +in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1232, name: nft +preempt_count: 0, expected: 0 +RCU nest depth: 1, expected: 0 +2 locks held by nft/1232: + #0: ffff8881180e3ea8 (&nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid + #1: ffffffff83f5f540 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire +Call Trace: + nft_chain_validate + nft_lookup_validate_setelem + nft_pipapo_walk + nft_lookup_validate + nft_chain_validate + nft_immediate_validate + nft_chain_validate + nf_tables_validate + nf_tables_abort + +No choice but to move it to nf_tables_validate(). + +Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks") +Signed-off-by: Florian Westphal +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3443,8 +3443,6 @@ int nft_chain_validate(const struct nft_ + if (err < 0) + return err; + } +- +- cond_resched(); + } + + return 0; +@@ -3468,6 +3466,8 @@ static int nft_table_validate(struct net + err = nft_chain_validate(&ctx, chain); + if (err < 0) + return err; ++ ++ cond_resched(); + } + + return 0; diff --git a/queue-5.15/series b/queue-5.15/series index 67384c35493..f66eeb3abe0 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -242,3 +242,4 @@ arp-prevent-overflow-in-arp_req_get.patch netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch ext4-regenerate-buddy-after-block-freeing-failed-if-under-fc-replay.patch ext4-avoid-bb_free-and-bb_fragments-inconsistency-in-mb_free_blocks.patch +netfilter-nf_tables-can-t-schedule-in-nft_chain_validate.patch
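Review bot: In the first nf_tables_api.c hunk (@@ -3443,8 +3443,6 @@), cond_resched() is dropped from the loop in nft_chain_validate() without leaving any comment at the site saying why a rescheduling point is not allowed there. The changelog gives the reason (the function can be reached from a set element walk that holds the rcu and/or bh read lock), but that reason lives only in the commit message. A short comment on nft_chain_validate() stating that it may run in a context that cannot sleep would keep the call from being reintroduced later. It is also worth saying in the changelog that the walk now yields once per nft_chain_validate() call from the table loop rather than inside the chain's own loop, since that changes how long a single large chain can run without a rescheduling point.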
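Review bot: The changelog says the call is moved to nf_tables_validate(), but the second nf_tables_api.c hunk (@@ -3468,6 +3466,8 @@) adds cond_resched() in the loop of nft_table_validate(), right after the err check that follows nft_chain_validate(&ctx, chain). Suggest a one-line backport note naming the function that actually receives the call, so that anyone matching the message against the 5.15 tree finds the right place. Placement after the `if (err < 0) return err;` check looks fine: the error path returns without yielding, and the caller shown in the trace holds only commit_mutex at that level.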