mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
994,626 Commits 103 Branches 5,024 Tags 5.4 GiB
C 97.6%
Assembly 1%
Shell 0.5%
Python 0.3%
Makefile 0.3%
Go to file
Florian Westphal e3b887a9c1 netfilter: nft_set_pipapo: do not free live element 
[ Upstream commit 3cfc9ec039 ]

Pablo reports a crash with large batches of elements with a
back-to-back add/remove pattern.  Quoting Pablo:

  add_elem("00000000") timeout 100 ms
  ...
  add_elem("0000000X") timeout 100 ms
  del_elem("0000000X") <---------------- delete one that was just added
  ...
  add_elem("00005000") timeout 100 ms

  1) nft_pipapo_remove() removes element 0000000X
  Then, KASAN shows a splat.

Looking at the remove function there is a chance that we will drop a
rule that maps to a non-deactivated element.

Removal happens in two steps, first we do a lookup for key k and return the
to-be-removed element and mark it as inactive in the next generation.
Then, in a second step, the element gets removed from the set/map.

The _remove function does not work correctly if we have more than one
element that share the same key.

This can happen if we insert an element into a set when the set already
holds an element with same key, but the element mapping to the existing
key has timed out or is not active in the next generation.

In such case its possible that removal will unmap the wrong element.
If this happens, we will leak the non-deactivated element, it becomes
unreachable.

The element that got deactivated (and will be freed later) will
remain reachable in the set data structure, this can result in
a crash when such an element is retrieved during lookup (stale
pointer).

Add a check that the fully matching key does in fact map to the element
that we have marked as inactive in the deactivation step.
If not, we need to continue searching.

Add a bug/warn trap at the end of the function as well, the remove
function must not ever be called with an invisible/unreachable/non-existent
element.

v2: avoid uneeded temporary variable (Stefano)

Fixes: 3c4287f620 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2024-05-02 16:23:36 +02:00
Documentation x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled 2024-04-13 12:59:13 +02:00
LICENSES LICENSES/deprecated: add Zlib license text 2020-09-16 14:33:49 +02:00
arch riscv: process: Fix kernel gp leakage 2024-05-02 16:23:36 +02:00
block block: prevent division by zero in blk_rq_stat_sum() 2024-04-13 12:59:49 +02:00
certs certs/blacklist_hashes.c: fix const confusion in certs blacklist 2022-06-22 14:13:17 +02:00
crypto crypto: api - Disallow identical driver names 2024-02-23 08:41:52 +01:00
drivers vhost: Add smp_rmb() in vhost_vq_avail_empty() 2024-05-02 16:23:35 +02:00
fs btrfs: record delayed inode root in transaction 2024-05-02 16:23:36 +02:00
include irqflags: Explicitly ignore lockdep_hrtimer_exit() argument 2024-05-02 16:23:36 +02:00
init init: open /initrd.image with O_LARGEFILE 2024-04-13 12:59:02 +02:00
io_uring io_uring: ensure '0' is returned on file registration success 2024-04-13 12:59:22 +02:00
ipc ipc/sem: Fix dangling sem_array access in semtimedop race 2022-12-08 11:24:00 +01:00
kernel Revert "tracing/trigger: Fix to return error if failed to alloc snapshot" 2024-05-02 16:23:36 +02:00
lib net: blackhole_dev: fix build warning for ethh set but not used 2024-03-26 18:21:50 -04:00
mm x86/mm/pat: fix VM_PAT handling in COW mappings 2024-04-13 12:59:56 +02:00
net netfilter: nft_set_pipapo: do not free live element 2024-05-02 16:23:36 +02:00
samples samples/hw_breakpoint: fix building without module unloading 2023-09-23 11:01:09 +02:00
scripts kbuild: dummy-tools: adjust to stricter stackprotector check 2024-04-13 12:59:57 +02:00
security smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity() 2024-04-13 12:58:00 +02:00
sound ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone 2024-04-13 12:59:34 +02:00
tools selftests/ftrace: Limit length in subsystem-enable tests 2024-05-02 16:23:36 +02:00
usr usr/include/Makefile: add linux/nfc.h to the compile-test coverage 2022-02-01 17:25:48 +01:00
virt KVM: Always flush async #PF workqueue when vCPU is being destroyed 2024-04-13 12:58:04 +02:00
.clang-format RDMA 5.10 pull request 2020-10-17 11:18:18 -07:00
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore kbuild: generate Module.symvers only when vmlinux exists 2021-05-19 10:12:59 +02:00
.mailmap mailmap: add two more addresses of Uwe Kleine-König 2020-12-06 10:19:07 -08:00
COPYING
CREDITS MAINTAINERS: Move Jason Cooper to CREDITS 2020-11-30 10:20:34 +01:00
Kbuild
Kconfig kbuild: ensure full rebuild when the compiler is updated 2020-05-12 13:28:33 +09:00
MAINTAINERS Remove DECnet support from kernel 2023-06-21 15:45:38 +02:00
Makefile Linux 5.10.215 2024-04-13 12:59:59 +02:00
README

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.