[SRU][J/N/Q][PATCH 0/1] CVE-2026-23274

[Tim Whisonant]

SRU Justification:

[Impact]

netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels

IDLETIMER revision 0 rules reuse existing timers by label and always call
mod_timer() on timer->timer.

If the label was created first by revision 1 with XT_IDLETIMER_ALARM,
the object uses alarm timer semantics and timer->timer is never initialized.
Reusing that object from revision 0 causes mod_timer() on an uninitialized
timer_list, triggering debugobjects warnings and possible panic when
panic_on_warn=1.

Fix this by rejecting revision 0 rule insertion when an existing timer with
the same label is of ALARM type.

[Fix]

Questing: cherry picked from upstream
Noble:    applied Jammy patch
Jammy:    cherry picked from upstream
Focal:    not affected
Bionic:   not affected
Xenial:   not affected
Trusty:   not affected

[Test Plan]

Compile and boot tested.

[Where problems could occur]

The change affects the Netfilter module for manipulating
timers on packet match, fixing a potential kernel panic
when panic_on_warn is set. Any issues would affect clients
of the type of timers created with XT_IDLETIMER_ALARM.

Yuan Tan (1):
  netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels

 net/netfilter/xt_IDLETIMER.c | 6 ++++++
 1 file changed, 6 insertions(+)

-- 
2.43.0