Sync fips legacy 8 compliant 4.18.0 425.13.1.el8.ciqfipscompliant.36.1 #15

Open
wants to merge 49 commits into base: FIPS-8-plus
49 commits
68493d8
ionic: clean interrupt before enabling queue to avoid credit race
gvrose8192 Oct 28, 2024
70b1b0a
ionic: fix use after netif_napi_del()
gvrose8192 Oct 7, 2024
8a1d1bd
netfilter: nftables: add catch-all set element support
gvrose8192 Oct 17, 2024
1f7885f
netfilter: nf_tables: Remove spurious code
gvrose8192 Oct 27, 2024
fab4dfd
netfilter: nf_tables: honor NLM_F_CREATE and NLM_F_EXCL in event noti…
gvrose8192 Oct 18, 2024
8ec9ab0
netfilter: nf_tables: integrate pipapo into commit protocol
gvrose8192 Oct 21, 2024
e147d6a
netfilter: nf_tables: disallow element updates of bound anonymous sets
gvrose8192 Oct 21, 2024
d42d3d6
netfilter: nf_tables: disallow updates of anonymous sets
gvrose8192 Oct 21, 2024
0891f13
netfilter: nf_tables: disallow timeout for anonymous sets
gvrose8192 Oct 21, 2024
b318769
netfilter: nf_tables: add nft_chain_add()
gvrose8192 Oct 21, 2024
76baffa
netfilter: nf_tables: report use refcount overflow
gvrose8192 Oct 22, 2024
7221a94
netfilter: nf_tables: fix spurious set element insertion failure
gvrose8192 Oct 22, 2024
a32ff5b
netfilter: nf_tables: don't skip expired elements during walk
gvrose8192 Oct 22, 2024
d6cf9a9
netfilter: nftables: rename set element data activation/deactivation …
gvrose8192 Oct 22, 2024
c720248
netfilter: nftables: add nft_pernet() helper function
gvrose8192 Oct 22, 2024
b6ecc9d
netfilter: nf_tables: GC transaction API to avoid race with control p…
gvrose8192 Oct 22, 2024
a3c9441
netfilter: nf_tables: adapt set backend to use GC transaction API
gvrose8192 Oct 23, 2024
3ca5985
netfilter: nf_tables: remove busy mark and gc batch API
gvrose8192 Oct 23, 2024
2dbe733
netfilter: nf_tables: fix false-positive lockdep splat
gvrose8192 Oct 23, 2024
ae0997d
netfilter: nf_tables: fix kdoc warnings after gc rework
gvrose8192 Oct 23, 2024
ef98a42
netfilter: nf_tables: don't fail inserts if duplicate has expired
gvrose8192 Oct 23, 2024
9ea9c18
netfilter: nf_tables: fix GC transaction races with netns and netlink…
gvrose8192 Oct 23, 2024
c84dcb7
netfilter: nf_tables: GC transaction race with netns dismantle
gvrose8192 Oct 23, 2024
9e3b392
netfilter: nf_tables: GC transaction race with abort path
gvrose8192 Oct 29, 2024
8cfad08
netfilter: nf_tables: use correct lock to protect gc_list
gvrose8192 Oct 23, 2024
7ca4ba0
netfilter: nf_tables: fix out of memory error handling
gvrose8192 Oct 23, 2024
dc9592f
netfilter: nf_tables: defer gc run if previous batch is still pending
gvrose8192 Oct 23, 2024
f2de13a
netfilter: nf_tables: fix nft_trans type confusion
gvrose8192 Oct 24, 2024
9d0955c
netfilter: nf_tables: disallow element removal on anonymous sets
gvrose8192 Oct 24, 2024
10c7204
netfilter: nftables: update table flags from the commit phase
gvrose8192 Oct 24, 2024
ca03502
netfilter: nf_tables: fix table flag updates
gvrose8192 Oct 24, 2024
0bbef03
netfilter: nf_tables: disable toggling dormant table state more than …
gvrose8192 Oct 24, 2024
92adac9
netfilter: nf_tables: fix memleak when more than 255 elements expired
gvrose8192 Oct 24, 2024
2d7983e
netfilter: nf_tables: mark set as dead when unbinding anonymous set w…
gvrose8192 Oct 26, 2024
4227fa3
netfilter: nf_tables: set backend .flush always succeeds
gvrose8192 Oct 31, 2024
24e2355
netfilter: nf_tables: bail out on mismatching dynset and set expressions
gvrose8192 Nov 4, 2024
224cc99
netfilter: nf_tables: disallow anonymous set with timeout flag
gvrose8192 Nov 4, 2024
c80ea03
netfilter: nf_tables: use timestamp to check for set element timeout
gvrose8192 Nov 5, 2024
e37bce7
netfilter: nf_tables: honor table dormant flag from netdev release ev…
gvrose8192 Nov 8, 2024
032cc7d
netfilter: nf_tables: release batch on table validation from abort path
gvrose8192 Nov 8, 2024
c792aca
netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
gvrose8192 Nov 8, 2024
2e6ba1c
netfilter: nf_tables: __nft_expr_type_get() selects specific family type
gvrose8192 Nov 8, 2024
3d347ad
netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
gvrose8192 Nov 8, 2024
004ecc1
netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
gvrose8192 Nov 8, 2024
e788218
netfilter: nf_tables: do not compare internal table flags on updates
gvrose8192 Nov 8, 2024
f8d9f6b
netfilter: nf_tables: flush pending destroy work before exit_net release
gvrose8192 Nov 8, 2024
3bd9bb3
netfilter: nf_tables: reject new basechain after table flag update
gvrose8192 Nov 8, 2024
3d7f9ca
netfilter: nf_tables: reject table flag and netdev basechain updates
gvrose8192 Nov 14, 2024
7100e30
netfilter: nf_tables: discard table flag update with pending basechai…
gvrose8192 Nov 14, 2024
netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
jira VULN-4961
cve CVE-2024-27019
commit-author Ziyang Xuan <william.xuanziyang@huawei.com>
commit d78d867dcea69c328db30df665be5be7d0148484
upstream-diff The cherry-pick tried to pull in extra cruft not
part of the upstream patch.  I have resolved the conflicts in
favor of the 4.18.0-553.16.1 tagged code.

nft_unregister_obj() can run concurrently with __nft_obj_type_get(),
and there is no protection when iterating over the nf_tables_objects
list in __nft_obj_type_get(). Therefore, there is a potential data race
on nf_tables_objects list entries.

Use list_for_each_entry_rcu() to iterate over nf_tables_objects
list in __nft_obj_type_get(), and use rcu_read_lock() in the caller
nft_obj_type_get() to protect the entire type query process.

Fixes: e50092404c1b ("netfilter: nf_tables: add stateful objects")
	Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit d78d867dcea69c328db30df665be5be7d0148484)
	Signed-off-by: Greg Rose <g.v.rose@ciq.com>

Conflicts:
	net/netfilter/nf_tables_api.c
gvrose8192 authored and PlaidCat committed Nov 22, 2024
commit 004ecc1e56ddf46e31b9fd501db20c53f9ecb6cf
8 changes: 6 additions & 2 deletions net/netfilter/nf_tables_api.c
@@ -6137,7 +6137,7 @@ static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
{
const struct nft_object_type *type;

list_for_each_entry(type, &nf_tables_objects, list) {
list_for_each_entry_rcu(type, &nf_tables_objects, list) {
if (objtype == type->type)
return type;
}
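Review bot: the switch to list_for_each_entry_rcu() in __nft_obj_type_get() only delivers the protection the commit message claims if the remove side, nft_unregister_obj(), which is not in this diff, unlinks with list_del_rcu() and the object type's memory is not released before a grace period; since the conflicts were resolved against the 4.18.0-553.16.1 code rather than taken verbatim from upstream, that should be confirmed in the base tree rather than assumed. Also, with CONFIG_PROVE_RCU the RCU list iterator complains when reached outside a read-side section on trees where it checks rcu_read_lock_any_held(), so every caller of __nft_obj_type_get() must now hold rcu_read_lock() (the caller in the next hunk does); any caller that still relies on the nfnl mutex instead needs a lockdep_is_held() condition passed to the iterator or should stay on the plain list walk.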
@@ -6149,9 +6149,13 @@ nft_obj_type_get(struct net *net, u32 objtype)
{
const struct nft_object_type *type;

rcu_read_lock();
type = __nft_obj_type_get(objtype);
if (type != NULL && try_module_get(type->owner))
if (type != NULL && try_module_get(type->owner)) {
rcu_read_unlock();
return type;
}
rcu_read_unlock();

lockdep_nfnl_nft_mutex_not_held();
#ifdef CONFIG_MODULES
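Review bot: the two rcu_read_unlock() calls, one inside the success branch and one on the fall-through, are correct but fragile; an early return added between them by a later edit would leak the read-side section. Consider unlocking once: `if (type != NULL && !try_module_get(type->owner)) type = NULL;` then `rcu_read_unlock();` then `if (type) return type;`. The ordering itself is right and worth keeping as is: try_module_get() is taken inside the section, that module reference is what keeps `type` valid once the read lock is dropped, and the unlock lands before the lockdep_nfnl_nft_mutex_not_held() check and the CONFIG_MODULES request_module() path below it, which may sleep and must not run under rcu_read_lock().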