ACK: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23274
Yufeng Gao
yufeng.gao at canonical.com
Thu Mar 26 00:58:18 UTC 2026
On 26/3/26 10:51, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
>
> IDLETIMER revision 0 rules reuse existing timers by label and always call
> mod_timer() on timer->timer.
>
> If the label was created first by revision 1 with XT_IDLETIMER_ALARM,
> the object uses alarm timer semantics and timer->timer is never initialized.
> Reusing that object from revision 0 causes mod_timer() on an uninitialized
> timer_list, triggering debugobjects warnings and possible panic when
> panic_on_warn=1.
>
> Fix this by rejecting revision 0 rule insertion when an existing timer with
> the same label is of ALARM type.
>
> [Fix]
>
> Questing: cherry picked from upstream
> Noble: applied Jammy patch
> Jammy: cherry picked from upstream
> Focal: not affected
> Bionic: not affected
> Xenial: not affected
> Trusty: not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the Netfilter module for manipulating
> timers on packet match, fixing a potential kernel panic
> when panic_on_warn is set. Any issues would affect clients
> of the type of timers created with XT_IDLETIMER_ALARM.
>
> Yuan Tan (1):
> netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
>
> net/netfilter/xt_IDLETIMER.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
Acked-by: Yufeng Gao <yufeng.gao at canonical.com>
More information about the kernel-team
mailing list