[SRU][F/J/M][PATCH 0/1] CVE-2024-26643
Yuxuan Luo
yuxuan.luo at canonical.com
Tue May 21 00:07:38 UTC 2024
[Impact]
While the rhashtable set gc runs asynchronously, a race allows it to
collect elements from anonymous sets with timeouts while it is being
released from the commit path. Mingi Cho originally reported this issue
in a different path in 6.1.x with a pipapo set with low timeouts which
is not possible upstream since 7395dfacfff6 ("netfilter: nf_tables: use
timestamp to check for set element timeout"). Fix this by setting the
dead flag for anonymous sets to skip async gc in this case. According to
08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on transaction
abort"), Florian plans to accelerate the abort path by releasing objects
via a workqueue; therefore, this sets the dead flag for the abort path too.
[Backport]
Clean cherry pick.
[Test]
Smoke test on nftables via adding and removing an anonymous set.
```bash
nft add table ip filter
nft add chain filter output
# add anonymous set: the {telnet, http, https} literal creates one bound to this rule
nft add rule ip filter output tcp dport {telnet, http, https} accept
nft list table filter
# flush the chain: removing the rule unbinds and releases the anonymous set
nft flush chain ip filter output
nft list table filter
```
[Where things might go wrong]
Regression should be limited to cases using nftables to remove an
anonymous set.
Pablo Neira Ayuso (1):
netfilter: nf_tables: mark set as dead when unbinding anonymous set
with timeout
net/netfilter/nf_tables_api.c | 1 +
1 file changed, 1 insertion(+)
--
2.34.1