From 2c1870b137001d1da0d7acce8c48cb7a21ab8981 Mon Sep 17 00:00:00 2001 From: Alex Lohr Date: Wed, 10 May 2023 21:59:28 +0200 Subject: [PATCH] linux6.2: update to 6.2.14 --- .../patches/nf_tables_no_anonymous_set.patch | 119 ++++++++++++++++++ srcpkgs/linux6.2/template | 4 +- 2 files changed, 121 insertions(+), 2 deletions(-) create mode 100644 srcpkgs/linux6.2/patches/nf_tables_no_anonymous_set.patch diff --git a/srcpkgs/linux6.2/patches/nf_tables_no_anonymous_set.patch b/srcpkgs/linux6.2/patches/nf_tables_no_anonymous_set.patch new file mode 100644 index 000000000000..53599f3c2d09 --- /dev/null +++ b/srcpkgs/linux6.2/patches/nf_tables_no_anonymous_set.patch 
@@ -0,0 +1,119 @@ +From c1592a89942e9678f7d9c8030efa777c0d57edab Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 2 May 2023 10:25:24 +0200 +Subject: [PATCH] netfilter: nf_tables: deactivate anonymous set from + preparation phase + +Toggle deleted anonymous sets as inactive in the next generation, so +users cannot perform any update on it. Clear the generation bitmask +in case the transaction is aborted. + +The following KASAN splat shows a set element deletion for a bound +anonymous set that has been already removed in the same transaction. + +[ 64.921510] ================================================================== +[ 64.923123] BUG: KASAN: wild-memory-access in nf_tables_commit+0xa24/0x1490 [nf_tables] +[ 64.924745] Write of size 8 at addr dead000000000122 by task test/890 +[ 64.927903] CPU: 3 PID: 890 Comm: test Not tainted 6.3.0+ #253 +[ 64.931120] Call Trace: +[ 64.932699] +[ 64.934292] dump_stack_lvl+0x33/0x50 +[ 64.935908] ? nf_tables_commit+0xa24/0x1490 [nf_tables] +[ 64.937551] kasan_report+0xda/0x120 +[ 64.939186] ? nf_tables_commit+0xa24/0x1490 [nf_tables] +[ 64.940814] nf_tables_commit+0xa24/0x1490 [nf_tables] +[ 64.942452] ? __kasan_slab_alloc+0x2d/0x60 +[ 64.944070] ? nf_tables_setelem_notify+0x190/0x190 [nf_tables] +[ 64.945710] ? kasan_set_track+0x21/0x30 +[ 64.947323] nfnetlink_rcv_batch+0x709/0xd90 [nfnetlink] +[ 64.948898] ? 
nfnetlink_rcv_msg+0x480/0x480 [nfnetlink] + +Signed-off-by: Pablo Neira Ayuso +--- + include/net/netfilter/nf_tables.h | 1 + + net/netfilter/nf_tables_api.c | 12 ++++++++++++ + net/netfilter/nft_dynset.c | 2 +- + net/netfilter/nft_lookup.c | 2 +- + net/netfilter/nft_objref.c | 2 +- + 5 files changed, 16 insertions(+), 3 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 3ed21d2d565901..2e24ea1d744c25 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -619,6 +619,7 @@ struct nft_set_binding { + }; + + enum nft_trans_phase; ++void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set); + void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_set_binding *binding, + enum nft_trans_phase phase); +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 8b6c61a2196cb2..59fb8320ab4d77 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5127,12 +5127,24 @@ static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, + } + } + ++void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ if (nft_set_is_anonymous(set)) ++ nft_clear(ctx->net, set); ++ ++ set->use++; ++} ++EXPORT_SYMBOL_GPL(nf_tables_activate_set); ++ + void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_set_binding *binding, + enum nft_trans_phase phase) + { + switch (phase) { + case NFT_TRANS_PREPARE: ++ if (nft_set_is_anonymous(set)) ++ nft_deactivate_next(ctx->net, set); ++ + set->use--; + return; + case NFT_TRANS_ABORT: +diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c +index 274579b1696e0c..bd19c7aec92ee7 100644 +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -342,7 +342,7 @@ static void nft_dynset_activate(const struct nft_ctx *ctx, + { + struct nft_dynset *priv = 
nft_expr_priv(expr); + +- priv->set->use++; ++ nf_tables_activate_set(ctx, priv->set); + } + + static void nft_dynset_destroy(const struct nft_ctx *ctx, +diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c +index cecf8ab90e58f7..03ef4fdaa460b6 100644 +--- a/net/netfilter/nft_lookup.c ++++ b/net/netfilter/nft_lookup.c +@@ -167,7 +167,7 @@ static void nft_lookup_activate(const struct nft_ctx *ctx, + { + struct nft_lookup *priv = nft_expr_priv(expr); + +- priv->set->use++; ++ nf_tables_activate_set(ctx, priv->set); + } + + static void nft_lookup_destroy(const struct nft_ctx *ctx, +diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c +index cb37169608babd..a48dd5b5d45b13 100644 +--- a/net/netfilter/nft_objref.c ++++ b/net/netfilter/nft_objref.c +@@ -185,7 +185,7 @@ static void nft_objref_map_activate(const struct nft_ctx *ctx, + { + struct nft_objref_map *priv = nft_expr_priv(expr); + +- priv->set->use++; ++ nf_tables_activate_set(ctx, priv->set); + } + + static void nft_objref_map_destroy(const struct nft_ctx *ctx, diff --git a/srcpkgs/linux6.2/template b/srcpkgs/linux6.2/template index 12ae8bdcc9aa..804edbd3ad17 100644 --- a/srcpkgs/linux6.2/template +++ b/srcpkgs/linux6.2/template @@ -1,6 +1,6 @@ # Template file for 'linux6.2' pkgname=linux6.2 -version=6.2.13 +version=6.2.14 revision=1 short_desc="Linux kernel and modules (${version%.*} series)" maintainer="John " @@ -14,7 +14,7 @@ if [ "${version##*.}" != 0 ]; then fi checksum="74862fa8ab40edae85bb3385c0b71fe103288bce518526d63197800b3cbdecb1 - 1f2e2fdf1ed70fa586cacba2f69ece086a5dda19e46e8a5922cae6890cbe67bd" + d4f34f8438c90dd37b38bc8252a38ce94ba2449bed0a82614162690e05dc5577" python_version=3 # XXX Restrict archs until a proper -dotconfig is available in FILESDIR.
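Review bot: Nothing in the commit subject or at the top of the new file `srcpkgs/linux6.2/patches/nf_tables_no_anonymous_set.patch` records that this version bump also carries an out-of-tree netfilter fix, so a later maintainer cannot tell why the patch is there or when to drop it. The embedded change is a memory-safety fix: its description quotes a KASAN wild-memory-access write in `nf_tables_commit`, and it closes that by marking anonymous sets inactive in `NFT_TRANS_PREPARE` and restoring them through the new `nf_tables_activate_set()` in the dynset, lookup and objref activate callbacks. I would say so in the commit message and add a leading line to the patch file such as `Backport of upstream commit c1592a89942e9678f7d9c8030efa777c0d57edab; remove once the 6.2.y tarball contains it.` Whether the other kernel series packaged in this repository need the same backport is not visible on this page and should be checked.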