Sync fips legacy 8 compliant 4.18.0 425.13.1.el8.ciqfipscompliant.36.1 #15

Open

wants to merge 49 commits into base: FIPS-8-plus

Changes from 1 commit

Commits (49)
68493d8  ionic: clean interrupt before enabling queue to avoid credit race  (gvrose8192, Oct 28, 2024)
70b1b0a  ionic: fix use after netif_napi_del()  (gvrose8192, Oct 7, 2024)
8a1d1bd  netfilter: nftables: add catch-all set element support  (gvrose8192, Oct 17, 2024)
1f7885f  netfilter: nf_tables: Remove spurious code  (gvrose8192, Oct 27, 2024)
fab4dfd  netfilter: nf_tables: honor NLM_F_CREATE and NLM_F_EXCL in event noti…  (gvrose8192, Oct 18, 2024)
8ec9ab0  netfilter: nf_tables: integrate pipapo into commit protocol  (gvrose8192, Oct 21, 2024)
e147d6a  netfilter: nf_tables: disallow element updates of bound anonymous sets  (gvrose8192, Oct 21, 2024)
d42d3d6  netfilter: nf_tables: disallow updates of anonymous sets  (gvrose8192, Oct 21, 2024)
0891f13  netfilter: nf_tables: disallow timeout for anonymous sets  (gvrose8192, Oct 21, 2024)
b318769  netfilter: nf_tables: add nft_chain_add()  (gvrose8192, Oct 21, 2024)
76baffa  netfilter: nf_tables: report use refcount overflow  (gvrose8192, Oct 22, 2024)
7221a94  netfilter: nf_tables: fix spurious set element insertion failure  (gvrose8192, Oct 22, 2024)
a32ff5b  netfilter: nf_tables: don't skip expired elements during walk  (gvrose8192, Oct 22, 2024)
d6cf9a9  netfilter: nftables: rename set element data activation/deactivation …  (gvrose8192, Oct 22, 2024)
c720248  netfilter: nftables: add nft_pernet() helper function  (gvrose8192, Oct 22, 2024)
b6ecc9d  netfilter: nf_tables: GC transaction API to avoid race with control p…  (gvrose8192, Oct 22, 2024)
a3c9441  netfilter: nf_tables: adapt set backend to use GC transaction API  (gvrose8192, Oct 23, 2024)
3ca5985  netfilter: nf_tables: remove busy mark and gc batch API  (gvrose8192, Oct 23, 2024)
2dbe733  netfilter: nf_tables: fix false-positive lockdep splat  (gvrose8192, Oct 23, 2024)
ae0997d  netfilter: nf_tables: fix kdoc warnings after gc rework  (gvrose8192, Oct 23, 2024)
ef98a42  netfilter: nf_tables: don't fail inserts if duplicate has expired  (gvrose8192, Oct 23, 2024)
9ea9c18  netfilter: nf_tables: fix GC transaction races with netns and netlink…  (gvrose8192, Oct 23, 2024)
c84dcb7  netfilter: nf_tables: GC transaction race with netns dismantle  (gvrose8192, Oct 23, 2024)
9e3b392  netfilter: nf_tables: GC transaction race with abort path  (gvrose8192, Oct 29, 2024)
8cfad08  netfilter: nf_tables: use correct lock to protect gc_list  (gvrose8192, Oct 23, 2024)
7ca4ba0  netfilter: nf_tables: fix out of memory error handling  (gvrose8192, Oct 23, 2024)
dc9592f  netfilter: nf_tables: defer gc run if previous batch is still pending  (gvrose8192, Oct 23, 2024)
f2de13a  netfilter: nf_tables: fix nft_trans type confusion  (gvrose8192, Oct 24, 2024)
9d0955c  netfilter: nf_tables: disallow element removal on anonymous sets  (gvrose8192, Oct 24, 2024)
10c7204  netfilter: nftables: update table flags from the commit phase  (gvrose8192, Oct 24, 2024)
ca03502  netfilter: nf_tables: fix table flag updates  (gvrose8192, Oct 24, 2024)
0bbef03  netfilter: nf_tables: disable toggling dormant table state more than …  (gvrose8192, Oct 24, 2024)
92adac9  netfilter: nf_tables: fix memleak when more than 255 elements expired  (gvrose8192, Oct 24, 2024)
2d7983e  netfilter: nf_tables: mark set as dead when unbinding anonymous set w…  (gvrose8192, Oct 26, 2024)
4227fa3  netfilter: nf_tables: set backend .flush always succeeds  (gvrose8192, Oct 31, 2024)
24e2355  netfilter: nf_tables: bail out on mismatching dynset and set expressions  (gvrose8192, Nov 4, 2024)
224cc99  netfilter: nf_tables: disallow anonymous set with timeout flag  (gvrose8192, Nov 4, 2024)
c80ea03  netfilter: nf_tables: use timestamp to check for set element timeout  (gvrose8192, Nov 5, 2024)
e37bce7  netfilter: nf_tables: honor table dormant flag from netdev release ev…  (gvrose8192, Nov 8, 2024)
032cc7d  netfilter: nf_tables: release batch on table validation from abort path  (gvrose8192, Nov 8, 2024)
c792aca  netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path  (gvrose8192, Nov 8, 2024)
2e6ba1c  netfilter: nf_tables: __nft_expr_type_get() selects specific family type  (gvrose8192, Nov 8, 2024)
3d347ad  netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()  (gvrose8192, Nov 8, 2024)
004ecc1  netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()  (gvrose8192, Nov 8, 2024)
e788218  netfilter: nf_tables: do not compare internal table flags on updates  (gvrose8192, Nov 8, 2024)
f8d9f6b  netfilter: nf_tables: flush pending destroy work before exit_net release  (gvrose8192, Nov 8, 2024)
3bd9bb3  netfilter: nf_tables: reject new basechain after table flag update  (gvrose8192, Nov 8, 2024)
3d7f9ca  netfilter: nf_tables: reject table flag and netdev basechain updates  (gvrose8192, Nov 14, 2024)
7100e30  netfilter: nf_tables: discard table flag update with pending basechai…  (gvrose8192, Nov 14, 2024)
netfilter: nf_tables: GC transaction race with abort path
jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 720344340fb9be2765bbaab7b292ece0a4570eae
upstream-diff Some minor differences due to pernet goo - not important.

Abort path is missing a synchronization point with GC transactions. Add
GC sequence number hence any GC transaction losing race will be
discarded.

Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry-picked from commit 720344340fb9be2765bbaab7b292ece0a4570eae)
	Signed-off-by: Greg Rose <g.v.rose@ciq.com>
gvrose8192 authored and PlaidCat committed Nov 22, 2024
commit 9e3b392ceb24a93ab6741da11b7e73ae207bb18e
6 changes: 6 additions & 0 deletions net/netfilter/nf_tables_api.c
Expand Up @@ -8601,6 +8601,12 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb,
enum nfnl_abort_action action)
{
struct nftables_pernet *nft_net = nft_pernet(net);
unsigned int gc_seq;
int ret;

gc_seq = nft_gc_seq_begin(nft_net);
ret = __nf_tables_abort(net, action);
nft_gc_seq_end(nft_net, gc_seq);

mutex_unlock(&net->nft_commit_mutex);

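Review bot: the `upstream-diff` trailer ("Some minor differences due to pernet goo - not important") should state the concrete deviation from 720344340fb9 instead of waving it off, because the hunk mixes two conventions: the GC sequence goes through `nft_pernet(net)` (the `struct nftables_pernet` accessor that commit c720248 adds earlier in this series), while the mutex released at the end is `net->nft_commit_mutex`, i.e. still a field of `struct net` in this tree. Spelling that out lets a later reviewer confirm that `nft_gc_seq_begin()`/`nft_gc_seq_end()` from b6ecc9d (the 5f68718b34a5 backport named in `Fixes:`) and the follow-up c792aca "release mutex after nft_gc_seq_end from abort path" are applied against the same lock and the same pernet layout. The ordering in the hunk itself is what the description calls for: `gc_seq = nft_gc_seq_begin(nft_net);` brackets `__nf_tables_abort(net, action);` and `nft_gc_seq_end(nft_net, gc_seq);` runs before `mutex_unlock(&net->nft_commit_mutex);`, so a GC transaction that raced with the abort observes a changed sequence number and is discarded rather than committing stale set elements.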