6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 16 Jul 2023 15:17:51 +0000 (17:17 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 16 Jul 2023 15:17:51 +0000 (17:17 +0200)
added patches:
netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
ovl-fix-null-pointer-dereference-in-ovl_permission.patch

queue-6.1/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch [new file with mode: 0644]
queue-6.1/ovl-fix-null-pointer-dereference-in-ovl_permission.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch b/queue-6.1/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
new file mode 100644 (file)
index 0000000..43c285b
--- /dev/null
@@ -0,0 +1,30 @@
+From 3e70489721b6c870252c9082c496703677240f53 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 26 Jun 2023 00:42:18 +0200
+Subject: netfilter: nf_tables: unbind non-anonymous set if rule construction fails
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 3e70489721b6c870252c9082c496703677240f53 upstream.
+
+Otherwise a dangling reference to a rule object that is gone remains
+in the set binding list.
+
+Fixes: 26b5a5712eb8 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5139,6 +5139,8 @@ void nf_tables_deactivate_set(const stru
+               nft_set_trans_unbind(ctx, set);
+               if (nft_set_is_anonymous(set))
+                       nft_deactivate_next(ctx->net, set);
++              else
++                      list_del_rcu(&binding->list);
+               set->use--;
+               break;
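Review bot: The new `else` branch at `list_del_rcu(&binding->list);` unlinks the binding with no comment on why only the non-anonymous case needs it, and both the enclosing `case` and nf_tables_deactivate_set itself start outside the hunk, so a reader of this two-line change has to reconstruct the reasoning from the one-line commit message. I would add above the `else`: `/* Rule is gone: unlink its binding so the set does not keep a dangling pointer (anonymous sets are deactivated wholesale above). */` — the parenthetical is my reading of the `nft_set_is_anonymous` branch and should be confirmed. Separately, `list_del_rcu()` provides no grace period and leaves the removed entry's `next` pointer intact; if the `nft_set_binding` is embedded in an expression that is freed immediately afterwards on the NFT_TRANS_PREPARE_ERROR path named in the Fixes tag, it is worth confirming that concurrent walkers of `set->bindings` are excluded (for example by the transaction mutex) or that the free is RCU-deferred, since that is not visible from the hunk.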
diff --git a/queue-6.1/ovl-fix-null-pointer-dereference-in-ovl_permission.patch b/queue-6.1/ovl-fix-null-pointer-dereference-in-ovl_permission.patch
new file mode 100644 (file)
index 0000000..dd10815
--- /dev/null
@@ -0,0 +1,82 @@
+From 1a73f5b8f079fd42a544c1600beface50c63af7c Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+Date: Tue, 16 May 2023 22:16:18 +0800
+Subject: ovl: fix null pointer dereference in ovl_permission()
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+commit 1a73f5b8f079fd42a544c1600beface50c63af7c upstream.
+
+Following process:
+          P1                     P2
+ path_lookupat
+  link_path_walk
+   inode_permission
+    ovl_permission
+      ovl_i_path_real(inode, &realpath)
+        path->dentry = ovl_i_dentry_upper(inode)
+                          drop_cache
+                          __dentry_kill(ovl_dentry)
+                           iput(ovl_inode)
+                            ovl_destroy_inode(ovl_inode)
+                             dput(oi->__upperdentry)
+                              dentry_kill(upperdentry)
+                               dentry_unlink_inode
+                                upperdentry->d_inode = NULL
+      realinode = d_inode(realpath.dentry) // return NULL
+      inode_permission(realinode)
+       inode->i_sb  // NULL pointer dereference
+, will trigger an null pointer dereference at realinode:
+  [  335.664979] BUG: kernel NULL pointer dereference,
+                 address: 0000000000000002
+  [  335.668032] CPU: 0 PID: 2592 Comm: ls Not tainted 6.3.0
+  [  335.669956] RIP: 0010:inode_permission+0x33/0x2c0
+  [  335.678939] Call Trace:
+  [  335.679165]  <TASK>
+  [  335.679371]  ovl_permission+0xde/0x320
+  [  335.679723]  inode_permission+0x15e/0x2c0
+  [  335.680090]  link_path_walk+0x115/0x550
+  [  335.680771]  path_lookupat.isra.0+0xb2/0x200
+  [  335.681170]  filename_lookup+0xda/0x240
+  [  335.681922]  vfs_statx+0xa6/0x1f0
+  [  335.682233]  vfs_fstatat+0x7b/0xb0
+
+Fetch a reproducer in [Link].
+
+Use the helper ovl_i_path_realinode() to get realinode and then do
+non-nullptr checking.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217405
+Fixes: 4b7791b2e958 ("ovl: handle idmappings in ovl_permission()")
+Cc: <stable@vger.kernel.org> # v5.19
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Suggested-by: Christian Brauner <brauner@kernel.org>
+Suggested-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/inode.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -286,8 +286,8 @@ int ovl_permission(struct user_namespace
+       int err;
+       /* Careful in RCU walk mode */
+-      ovl_i_path_real(inode, &realpath);
+-      if (!realpath.dentry) {
++      realinode = ovl_i_path_real(inode, &realpath);
++      if (!realinode) {
+               WARN_ON(!(mask & MAY_NOT_BLOCK));
+               return -ECHILD;
+       }
+@@ -300,7 +300,6 @@ int ovl_permission(struct user_namespace
+       if (err)
+               return err;
+-      realinode = d_inode(realpath.dentry);
+       old_cred = ovl_override_creds(inode->i_sb);
+       if (!upperinode &&
+           !special_file(realinode->i_mode) && mask & MAY_WRITE) {
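Review bot: The commit message says the fix uses `ovl_i_path_realinode()`, but the hunk at `realinode = ovl_i_path_real(inode, &realpath);` calls `ovl_i_path_real()` and now relies on its return value; for a stable backport the description should name the helper actually called, so a reviewer can check that it returns NULL for a real dentry whose inode has vanished rather than reading `d_inode()` unguarded. The second hunk removes `realinode = d_inode(realpath.dentry);` while `realinode->i_mode` is still dereferenced a few lines later, so correctness now rests entirely on the helper's return convention, which is not visible here; I would make that explicit at the guard by replacing `/* Careful in RCU walk mode */` with `/* Careful in RCU walk mode: the real dentry can lose its inode under us, in which case the helper returns NULL and we bail to ref-walk with -ECHILD. */`. ovl_permission starts before the first hunk and continues past the second, so the assignment of `upperinode` and the other uses of `realpath` between the hunks are outside this view.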
index 9ca21c4083e252f0203f22e2eecdee50f970f8a7..044cd1ef2740c37c71cfdf62a558e68c399d2ff9 100644 (file)
@@ -592,3 +592,5 @@ drm-i915-fix-typec-mode-initialization-during-system-resume.patch
 drm-i915-tc-fix-tc-port-link-ref-init-for-dp-mst-during-hw-readout.patch
 drm-i915-tc-fix-system-resume-mst-mode-restore-for-dp-alt-sinks.patch
 mtd-parsers-refer-to-arch_bcmbca-instead-of-arch_bcm4908.patch
+ovl-fix-null-pointer-dereference-in-ovl_permission.patch
+netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch