# Patch performance monitoring restrictions to allow further hardening
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
+ # https://bugzilla.ipfire.org/show_bug.cgi?id=12760
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-NFQUEUE-Hold-RCU-read-lock-while-calling-nf_reinject.patch
+
ifeq "$(BUILD_ARCH)" "armv6l"
# Apply Arm-multiarch kernel patches.
cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
--- /dev/null
+From 4ecd5474b7a19aa84158f8e727fa6dbfc9464191 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Wed, 23 Mar 2022 11:01:39 +0000
+Subject: [PATCH] NFQUEUE: Hold RCU read lock while calling nf_reinject
+
+nf_reinject requires the called to hold the RCU read-side lock which
+wasn't the case in nfqnl_reinject.
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ net/netfilter/nfnetlink_queue.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index 8787d0613ad8..b12cc5d21310 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -228,19 +228,20 @@ static void nfqnl_reinject(struct nf_queue_entry *entry, unsigned int verdict)
+ struct nf_ct_hook *ct_hook;
+ int err;
+
++ rcu_read_lock();
++
+ if (verdict == NF_ACCEPT ||
+ verdict == NF_REPEAT ||
+ verdict == NF_STOP) {
+- rcu_read_lock();
+ ct_hook = rcu_dereference(nf_ct_hook);
+ if (ct_hook) {
+ err = ct_hook->update(entry->state.net, entry->skb);
+ if (err < 0)
+ verdict = NF_DROP;
+ }
+- rcu_read_unlock();
+ }
+ nf_reinject(entry, verdict);
++ rcu_read_unlock();
+ }
+
+ static void
+--
+2.30.2
+