NACK: [SRU][M 0/2, J 0/3] CVE-2024-26925

Bethany Jamison bethany.jamison at canonical.com
Tue May 28 23:07:48 UTC 2024


The cover letter header says M/J but the patches are for M/F -- will resend a correction.

On 5/28/24 5:32 PM, Bethany Jamison wrote:
> [Impact]
>
> netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
>
> The commit mutex should not be released during the critical section
> between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
> worker could collect expired objects and get the released commit lock
> within the same GC sequence.
>
> nf_tables_module_autoload() temporarily releases the mutex to load
> module dependencies, then it goes back to replay the transaction again.
> Move it at the end of the abort phase after nft_gc_seq_end() is called.
>
> [Fix]
>
> Noble:	fixed via stable
> Mantic:	Clean cherry-pick from fix and prereq commit
> Jammy:	fixed via stable
> Focal:	Clean cherry-pick from fix commit with backported prereq commits,
> 	commit a45e688 backported - context conflict due to extra
> 	whitespace in Focal, accepted incoming fix as is,
> 	commit 03c1f1e backported - context conflict with neighboring
> 	line outside of the modified if-statement, shouldn't affect the
> 	fix, applied fix changes as is
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the Netfilter framework, an issue with
> this fix would be visible to the user via decreased system performance
> or a system freeze.
>
> Pablo Neira Ayuso (2):
>    netfilter: nf_tables: release batch on table validation from abort
>      path
>    netfilter: nf_tables: release mutex after nft_gc_seq_end from abort
>      path
>
>   net/netfilter/nf_tables_api.c | 28 ++++++++++++++++++----------
>   1 file changed, 18 insertions(+), 10 deletions(-)
>