iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,225,626 Commits 104 Branches 1,843 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Florian Westphal 55a40406aa netfilter: nf_tables: unconditionally flush pending work before notifier 
[ Upstream commit 9f6958ba2e902f9820c594869bd710ba74b7c4c0 ]

syzbot reports:

KASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831
KASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530
KASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597
Read of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45
[..]
Workqueue: events nf_tables_trans_destroy_work
Call Trace:
 nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline]
 nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline]
 nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597

Problem is that the notifier does a conditional flush, but its possible
that the table-to-be-removed is still referenced by transactions being
processed by the worker, so we need to flush unconditionally.

We could make the flush_work depend on whether we found a table to delete
in nf-next to avoid the flush for most cases.

AFAICS this problem is only exposed in nf-next, with
commit e169285f8c56 ("netfilter: nf_tables: do not store nft_ctx in transaction objects"),
with this commit applied there is an unconditional fetch of
table->family which is whats triggering the above splat.

Fixes: 2c9f0293280e ("netfilter: nf_tables: flush pending destroy work before netlink notifier")
Reported-and-tested-by: syzbot+4fd66a69358fc15ae2ad@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4fd66a69358fc15ae2ad
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-07-11 12:49:13 +02:00
arch
riscv: kexec: Avoid deadlock in kexec crash path
2024-07-11 12:49:13 +02:00
block
block/ioctl: prefer different overflow check
2024-06-27 13:49:01 +02:00
certs
certs: Reference revocation list for all keyrings
2023-08-17 20:12:41 +00:00
crypto
crypto: aead,cipher - zeroize key buffer after use
2024-07-11 12:49:04 +02:00
Documentation
kbuild: doc: Update default INSTALL_MOD_DIR from extra to updates
2024-07-05 09:33:56 +02:00
drivers
wifi: wilc1000: fix ies_len type in connect path
2024-07-11 12:49:13 +02:00
fs
btrfs: scrub: initialize ret in scrub_simple_mirror() to fix compilation warning
2024-07-11 12:49:09 +02:00
include
net: phy: phy_device: Fix PHY LED blinking code comment
2024-07-11 12:49:11 +02:00
init
smp: Provide 'setup_max_cpus' definition on UP too
2024-06-16 13:47:49 +02:00
io_uring
io_uring/rsrc: fix incorrect assignment of iter->nr_segs in io_import_fixed
2024-06-27 13:49:10 +02:00
ipc
Add x86 shadow stack support
2023-08-31 12:20:12 -07:00
kernel
vhost_task: Handle SIGKILL by flushing work and exiting
2024-07-11 12:49:10 +02:00
lib
kunit: Fix timeout message
2024-07-11 12:49:08 +02:00
LICENSES
LICENSES: Add the copyleft-next-0.3.1 license
2022-11-08 15:44:01 +01:00
mm
mm/page_alloc: Separate THP PCP into movable and non-movable categories
2024-07-05 09:34:05 +02:00
net
netfilter: nf_tables: unconditionally flush pending work before notifier
2024-07-11 12:49:13 +02:00
rust
rust: kernel: require Send for Module implementations
2024-05-17 12:01:56 +02:00
samples
work around gcc bugs with 'asm goto' with outputs
2024-02-23 09:24:47 +01:00
scripts
kbuild: Install dtb files as 0644 in Makefile.dtbinst
2024-07-05 09:34:02 +02:00
security
ima: Fix use-after-free on a dentry's dname.name
2024-06-21 14:38:48 +02:00
sound
ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook 645/665 G11.
2024-07-05 09:34:00 +02:00
tools
tools/power turbostat: Remember global max_die_id
2024-07-11 12:49:10 +02:00
usr
initramfs: Encode dependency on KBUILD_BUILD_TIMESTAMP
2023-06-06 17:54:49 +09:00
virt
KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()
2024-06-27 13:49:11 +02:00
.clang-format
iommu: Add for_each_group_device()
2023-05-23 08:15:51 +02:00
.cocciconfig
.get_maintainer.ignore
get_maintainer: add Alan to .get_maintainer.ignore
2022-08-20 15:17:44 -07:00
.gitattributes
.gitattributes: set diff driver for Rust source code files
2023-05-31 17:48:25 +02:00
.gitignore
kbuild: rpm-pkg: rename binkernel.spec to kernel.spec
2023-07-25 00:59:33 +09:00
.mailmap
20 hotfixes. 12 are cc:stable and the remainder address post-6.5 issues
2023-10-24 09:52:16 -10:00
.rustfmt.toml
rust: add .rustfmt.toml
2022-09-28 09:02:20 +02:00
COPYING
COPYING: state that all contributions really are covered by this file
2020-02-10 13:32:20 -08:00
CREDITS
USB: Remove Wireless USB and UWB documentation
2023-08-09 14:17:32 +02:00
Kbuild
Kbuild updates for v6.1
2022-10-10 12:00:45 -07:00
Kconfig
kbuild: ensure full rebuild when the compiler is updated
2020-05-12 13:28:33 +09:00
MAINTAINERS
pwm: Rename pwm_apply_state() to pwm_apply_might_sleep()
2024-06-12 11:12:24 +02:00
Makefile
Linux 6.6.38
2024-07-09 11:44:29 +02:00
README
Drop all 00-INDEX files from Documentation/
2018-09-09 15:08:58 -06:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.
Description
No description provided
Readme 5.7 GiB
Languages
C 97.6%
Assembly 1%
Shell 0.5%
Python 0.3%
Makefile 0.3%