From cc84e7da310b15bc8d271c550e7e804d39a3e501 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 22 Jan 2024 15:40:38 -0800
Subject: [PATCH] 5.15-stable patches
added patches:
netfilter-nf_tables-typo-null-check-in-_clone-function.patch
netfilter-nft_connlimit-memleak-if-nf_ct_netns_get-fails.patch
netfilter-nft_last-copy-content-when-cloning-expression.patch
netfilter-nft_limit-clone-packet-limits-cost-value.patch
netfilter-nft_limit-fix-stateful-object-memory-leak.patch
netfilter-nft_quota-copy-content-when-cloning-expression.patch
---
...s-typo-null-check-in-_clone-function.patch | 71 +++++++++++++++++++
...mit-memleak-if-nf_ct_netns_get-fails.patch | 46 ++++++++++++
...copy-content-when-cloning-expression.patch | 37 ++++++++++
...limit-clone-packet-limits-cost-value.patch | 31 ++++++++
...imit-fix-stateful-object-memory-leak.patch | 63 ++++++++++++++++
...copy-content-when-cloning-expression.patch | 41 +++++++++++
queue-5.15/series | 6 ++
7 files changed, 295 insertions(+)
create mode 100644 queue-5.15/netfilter-nf_tables-typo-null-check-in-_clone-function.patch
create mode 100644 queue-5.15/netfilter-nft_connlimit-memleak-if-nf_ct_netns_get-fails.patch
create mode 100644 queue-5.15/netfilter-nft_last-copy-content-when-cloning-expression.patch
create mode 100644 queue-5.15/netfilter-nft_limit-clone-packet-limits-cost-value.patch
create mode 100644 queue-5.15/netfilter-nft_limit-fix-stateful-object-memory-leak.patch
create mode 100644 queue-5.15/netfilter-nft_quota-copy-content-when-cloning-expression.patch
diff --git a/queue-5.15/netfilter-nf_tables-typo-null-check-in-_clone-function.patch b/queue-5.15/netfilter-nf_tables-typo-null-check-in-_clone-function.patch
new file mode 100644
index 00000000000..aedacb09094
--- /dev/null
+++ b/queue-5.15/netfilter-nf_tables-typo-null-check-in-_clone-function.patch
@@ -0,0 +1,71 @@
+From 51edb2ff1c6fc27d3fa73f0773a31597ecd8e230 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Mon, 10 Jan 2022 20:48:17 +0100
+Subject: netfilter: nf_tables: typo NULL check in _clone() function
+
+From: Pablo Neira Ayuso
+
+commit 51edb2ff1c6fc27d3fa73f0773a31597ecd8e230 upstream.
+
+This should check for NULL in case memory allocation fails.
+
+Reported-by: Julian Wiedmann
+Fixes: 3b9e2ea6c11b ("netfilter: nft_limit: move stateful fields out of expression data")
+Fixes: 37f319f37d90 ("netfilter: nft_connlimit: move stateful fields out of expression data")
+Fixes: 33a24de37e81 ("netfilter: nft_last: move stateful fields out of expression data")
+Fixes: ed0a0c60f0e5 ("netfilter: nft_quota: move stateful fields out of expression data")
+Signed-off-by: Pablo Neira Ayuso
+Link: https://lore.kernel.org/r/20220110194817.53481-1-pablo@netfilter.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_connlimit.c | 2 +-
+ net/netfilter/nft_last.c | 2 +-
+ net/netfilter/nft_limit.c | 2 +-
+ net/netfilter/nft_quota.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/nft_connlimit.c
++++ b/net/netfilter/nft_connlimit.c
+@@ -206,7 +206,7 @@ static int nft_connlimit_clone(struct nf
+ struct nft_connlimit *priv_src = nft_expr_priv(src);
+
+ priv_dst->list = kmalloc(sizeof(*priv_dst->list), GFP_ATOMIC);
+- if (priv_dst->list)
++ if (!priv_dst->list)
+ return -ENOMEM;
+
+ nf_conncount_list_init(priv_dst->list);
+--- a/net/netfilter/nft_last.c
++++ b/net/netfilter/nft_last.c
+@@ -106,7 +106,7 @@ static int nft_last_clone(struct nft_exp
+ struct nft_last_priv *priv_dst = nft_expr_priv(dst);
+
+ priv_dst->last = kzalloc(sizeof(*priv_dst->last), GFP_ATOMIC);
+- if (priv_dst->last)
++ if (!priv_dst->last)
+ return -ENOMEM;
+
+ return 0;
+--- a/net/netfilter/nft_limit.c
++++ b/net/netfilter/nft_limit.c
+@@ -150,7 +150,7 @@ static int nft_limit_clone(struct nft_li
+ priv_dst->invert = priv_src->invert;
+
+ priv_dst->limit = kmalloc(sizeof(*priv_dst->limit), GFP_ATOMIC);
+- if (priv_dst->limit)
++ if (!priv_dst->limit)
+ return -ENOMEM;
+
+ spin_lock_init(&priv_dst->limit->lock);
+--- a/net/netfilter/nft_quota.c
++++ b/net/netfilter/nft_quota.c
+@@ -237,7 +237,7 @@ static int nft_quota_clone(struct nft_ex
+ struct nft_quota *priv_dst = nft_expr_priv(dst);
+
+ priv_dst->consumed = kmalloc(sizeof(*priv_dst->consumed), GFP_ATOMIC);
+- if (priv_dst->consumed)
++ if (!priv_dst->consumed)
+ return -ENOMEM;
+
+ atomic64_set(priv_dst->consumed, 0);
diff --git a/queue-5.15/netfilter-nft_connlimit-memleak-if-nf_ct_netns_get-fails.patch b/queue-5.15/netfilter-nft_connlimit-memleak-if-nf_ct_netns_get-fails.patch
new file mode 100644
index 00000000000..ea32ba2462d
--- /dev/null
+++ b/queue-5.15/netfilter-nft_connlimit-memleak-if-nf_ct_netns_get-fails.patch
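Review bot: The changelog in netfilter-nf_tables-typo-null-check-in-_clone-function.patch calls this a typo and never states the impact, which is what anyone triaging the backport needs. In all four hunks the old `if (priv_dst->…)` test returned `-ENOMEM` when the allocation succeeded and fell through when it failed, so the context lines `nf_conncount_list_init(priv_dst->list)`, `spin_lock_init(&priv_dst->limit->lock)` and `atomic64_set(priv_dst->consumed, 0)` would have run on a NULL pointer, and `nft_last_clone` would have returned 0 with `priv_dst->last` unset. Whether the buffer on the spurious `-ENOMEM` path was also leaked depends on caller cleanup that these hunks do not show. A line such as `Without this, a successful allocation is reported as -ENOMEM and a failed one is dereferenced.` in the description would cover it; the clone bodies begin and end outside the hunks.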
@@ -0,0 +1,46 @@
+From 7d70984a1ad4c445dff08edb9aacce8906b6a222 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Thu, 13 Jan 2022 12:22:38 +0100
+Subject: netfilter: nft_connlimit: memleak if nf_ct_netns_get() fails
+
+From: Pablo Neira Ayuso
+
+commit 7d70984a1ad4c445dff08edb9aacce8906b6a222 upstream.
+
+Check if nf_ct_netns_get() fails then release the limit object
+previously allocated via kmalloc().
+
+Fixes: 37f319f37d90 ("netfilter: nft_connlimit: move stateful fields out of expression data")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_connlimit.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_connlimit.c
++++ b/net/netfilter/nft_connlimit.c
+@@ -62,6 +62,7 @@ static int nft_connlimit_do_init(const s
+ {
+ bool invert = false;
+ u32 flags, limit;
++ int err;
+
+ if (!tb[NFTA_CONNLIMIT_COUNT])
+ return -EINVAL;
+@@ -84,7 +85,15 @@ static int nft_connlimit_do_init(const s
+ priv->limit = limit;
+ priv->invert = invert;
+
+- return nf_ct_netns_get(ctx->net, ctx->family);
++ err = nf_ct_netns_get(ctx->net, ctx->family);
++ if (err < 0)
++ goto err_netns;
++
++ return 0;
++err_netns:
++ kfree(priv->list);
++
++ return err;
+ }
+
+ static void nft_connlimit_do_destroy(const struct nft_ctx *ctx,
diff --git a/queue-5.15/netfilter-nft_last-copy-content-when-cloning-expression.patch b/queue-5.15/netfilter-nft_last-copy-content-when-cloning-expression.patch
new file mode 100644
index 00000000000..f8cb1bc9223
--- /dev/null
+++ b/queue-5.15/netfilter-nft_last-copy-content-when-cloning-expression.patch
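Review bot: The new `err_netns:` path in nft_connlimit_do_init releases `priv->list` with a bare `kfree()`, and nothing in the hunk says why that is enough. The allocation and any list initialisation sit between the two hunks and are not visible here, so presumably the list cannot hold entries yet at this point; a one-line comment above the free, e.g. `/* list is still empty here, nothing to flush */`, would record that assumption for whoever later adds work between the allocation and `nf_ct_netns_get()`. The pointer is also left dangling in `priv->list` after the free, which is harmless only as long as no teardown runs on an expression whose init failed.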
@@ -0,0 +1,37 @@
+From 860e874290fb3be08e966c9c8ffc510c5b0f2bd8 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Tue, 28 Feb 2023 17:09:03 +0100
+Subject: netfilter: nft_last: copy content when cloning expression
+
+From: Pablo Neira Ayuso
+
+commit 860e874290fb3be08e966c9c8ffc510c5b0f2bd8 upstream.
+
+If the ruleset contains last timestamps, restore them accordingly.
+Otherwise, listing after restoration shows never used items.
+
+Fixes: 33a24de37e81 ("netfilter: nft_last: move stateful fields out of expression data")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_last.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/nft_last.c
++++ b/net/netfilter/nft_last.c
+@@ -104,11 +104,15 @@ static void nft_last_destroy(const struc
+ static int nft_last_clone(struct nft_expr *dst, const struct nft_expr *src)
+ {
+ struct nft_last_priv *priv_dst = nft_expr_priv(dst);
++ struct nft_last_priv *priv_src = nft_expr_priv(src);
+
+ priv_dst->last = kzalloc(sizeof(*priv_dst->last), GFP_ATOMIC);
+ if (!priv_dst->last)
+ return -ENOMEM;
+
++ priv_dst->last->set = priv_src->last->set;
++ priv_dst->last->jiffies = priv_src->last->jiffies;
++
+ return 0;
+ }
+
diff --git a/queue-5.15/netfilter-nft_limit-clone-packet-limits-cost-value.patch b/queue-5.15/netfilter-nft_limit-clone-packet-limits-cost-value.patch
new file mode 100644
index 00000000000..5f2d28a4501
--- /dev/null
+++ b/queue-5.15/netfilter-nft_limit-clone-packet-limits-cost-value.patch
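Review bot: The two added copies in nft_last_clone, `priv_dst->last->set = priv_src->last->set;` and the `jiffies` one, read the source state with plain loads. If the packet path updates `last->set` and `last->jiffies` without a lock (the eval function is not part of this hunk), the clone can run concurrently with it, and annotated reads would make that intent explicit: `priv_dst->last->jiffies = READ_ONCE(priv_src->last->jiffies);` and likewise for `set`. The copy also dereferences `priv_src->last` unconditionally, so it relies on the source expression always holding a valid allocation.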
@@ -0,0 +1,31 @@
+From 558254b0b602b8605d7246a10cfeb584b1fcabfc Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 24 May 2022 14:50:01 +0200
+Subject: netfilter: nft_limit: Clone packet limits' cost value
+
+From: Phil Sutter
+
+commit 558254b0b602b8605d7246a10cfeb584b1fcabfc upstream.
+
+When cloning a packet-based limit expression, copy the cost value as
+well. Otherwise the new limit is not functional anymore.
+
+Fixes: 3b9e2ea6c11bf ("netfilter: nft_limit: move stateful fields out of expression data")
+Signed-off-by: Phil Sutter
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_limit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nft_limit.c
++++ b/net/netfilter/nft_limit.c
+@@ -218,6 +218,8 @@ static int nft_limit_pkts_clone(struct n
+ struct nft_limit_priv_pkts *priv_dst = nft_expr_priv(dst);
+ struct nft_limit_priv_pkts *priv_src = nft_expr_priv(src);
+
++ priv_dst->cost = priv_src->cost;
++
+ return nft_limit_clone(&priv_dst->limit, &priv_src->limit);
+ }
+
diff --git a/queue-5.15/netfilter-nft_limit-fix-stateful-object-memory-leak.patch b/queue-5.15/netfilter-nft_limit-fix-stateful-object-memory-leak.patch
new file mode 100644
index 00000000000..9f98cb63763
--- /dev/null
+++ b/queue-5.15/netfilter-nft_limit-fix-stateful-object-memory-leak.patch
@@ -0,0 +1,63 @@
+From 1a58f84ea5df7f026bf92a0009f931bf547fe965 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Fri, 18 Feb 2022 13:17:05 +0100
+Subject: netfilter: nft_limit: fix stateful object memory leak
+
+From: Florian Westphal
+
+commit 1a58f84ea5df7f026bf92a0009f931bf547fe965 upstream.
+
+We need to provide a destroy callback to release the extra fields.
+
+Fixes: 3b9e2ea6c11b ("netfilter: nft_limit: move stateful fields out of expression data")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_limit.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/net/netfilter/nft_limit.c
++++ b/net/netfilter/nft_limit.c
+@@ -345,11 +345,20 @@ static int nft_limit_obj_pkts_dump(struc
+ return nft_limit_dump(skb, &priv->limit, NFT_LIMIT_PKTS);
+ }
+
++static void nft_limit_obj_pkts_destroy(const struct nft_ctx *ctx,
++ struct nft_object *obj)
++{
++ struct nft_limit_priv_pkts *priv = nft_obj_data(obj);
++
++ nft_limit_destroy(ctx, &priv->limit);
++}
++
+ static struct nft_object_type nft_limit_obj_type;
+ static const struct nft_object_ops nft_limit_obj_pkts_ops = {
+ .type = &nft_limit_obj_type,
+ .size = NFT_EXPR_SIZE(sizeof(struct nft_limit_priv_pkts)),
+ .init = nft_limit_obj_pkts_init,
++ .destroy = nft_limit_obj_pkts_destroy,
+ .eval = nft_limit_obj_pkts_eval,
+ .dump = nft_limit_obj_pkts_dump,
+ };
+@@ -383,11 +392,20 @@ static int nft_limit_obj_bytes_dump(stru
+ return nft_limit_dump(skb, priv, NFT_LIMIT_PKT_BYTES);
+ }
+
++static void nft_limit_obj_bytes_destroy(const struct nft_ctx *ctx,
++ struct nft_object *obj)
++{
++ struct nft_limit_priv *priv = nft_obj_data(obj);
++
++ nft_limit_destroy(ctx, priv);
++}
++
+ static struct nft_object_type nft_limit_obj_type;
+ static const struct nft_object_ops nft_limit_obj_bytes_ops = {
+ .type = &nft_limit_obj_type,
+ .size = sizeof(struct nft_limit_priv),
+ .init = nft_limit_obj_bytes_init,
++ .destroy = nft_limit_obj_bytes_destroy,
+ .eval = nft_limit_obj_bytes_eval,
+ .dump = nft_limit_obj_bytes_dump,
+ };
diff --git a/queue-5.15/netfilter-nft_quota-copy-content-when-cloning-expression.patch b/queue-5.15/netfilter-nft_quota-copy-content-when-cloning-expression.patch
new file mode 100644
index 00000000000..f8b495977fc
--- /dev/null
+++ b/queue-5.15/netfilter-nft_quota-copy-content-when-cloning-expression.patch
@@ -0,0 +1,41 @@
+From aabef97a35160461e9c576848ded737558d89055 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Tue, 28 Feb 2023 20:43:02 +0100
+Subject: netfilter: nft_quota: copy content when cloning expression
+
+From: Pablo Neira Ayuso
+
+commit aabef97a35160461e9c576848ded737558d89055 upstream.
+
+If the ruleset contains consumed quota, restore them accordingly.
+Otherwise, listing after restoration shows never used items.
+
+Restore the user-defined quota and flags too.
+
+Fixes: ed0a0c60f0e5 ("netfilter: nft_quota: move stateful fields out of expression data")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_quota.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_quota.c
++++ b/net/netfilter/nft_quota.c
+@@ -235,12 +235,16 @@ static void nft_quota_destroy(const stru
+ static int nft_quota_clone(struct nft_expr *dst, const struct nft_expr *src)
+ {
+ struct nft_quota *priv_dst = nft_expr_priv(dst);
++ struct nft_quota *priv_src = nft_expr_priv(src);
++
++ priv_dst->quota = priv_src->quota;
++ priv_dst->flags = priv_src->flags;
+
+ priv_dst->consumed = kmalloc(sizeof(*priv_dst->consumed), GFP_ATOMIC);
+ if (!priv_dst->consumed)
+ return -ENOMEM;
+
+- atomic64_set(priv_dst->consumed, 0);
++ *priv_dst->consumed = *priv_src->consumed;
+
+ return 0;
+ }
diff --git a/queue-5.15/series b/queue-5.15/series
index 9496e0c4947..cc66b3e95b7 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
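Review bot: In netfilter-nft_quota-copy-content-when-cloning-expression.patch the new `*priv_dst->consumed = *priv_src->consumed;` copies the counter by struct assignment, while the line it replaces went through `atomic64_set()`, so `consumed` looks like an `atomic64_t`. A plain copy bypasses the atomic accessors, and on architectures where 64-bit atomics are emulated it could observe a half-updated value if the packet path is adding to the source counter at the same time (that path is outside the hunk). `atomic64_set(priv_dst->consumed, atomic64_read(priv_src->consumed));` gives the same result and stays within the API. If `quota` is an atomic as well, the `priv_dst->quota = priv_src->quota;` line deserves the same treatment.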
@@ -366,3 +366,9 @@ ipv6-mcast-fix-data-race-in-ipv6_mc_down-mld_ifc_wor.patch
 i2c-s3c24xx-fix-read-transfers-in-polling-mode.patch
 i2c-s3c24xx-fix-transferring-more-than-one-message-i.patch
 block-remove-special-casing-of-compound-pages.patch
+netfilter-nf_tables-typo-null-check-in-_clone-function.patch
+netfilter-nft_connlimit-memleak-if-nf_ct_netns_get-fails.patch
+netfilter-nft_limit-fix-stateful-object-memory-leak.patch
+netfilter-nft_limit-clone-packet-limits-cost-value.patch
+netfilter-nft_last-copy-content-when-cloning-expression.patch
+netfilter-nft_quota-copy-content-when-cloning-expression.patch
--
2.47.3