| Description: | In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: mark set as dead when unbinding anonymous set
with timeout While the rhashtable set gc runs asynchronously, a race
allows it to collect elements from anonymous sets with timeouts while
it is being released from the commit path. Mingi Cho originally
reported this issue in a different path in 6.1.x with a pipapo set
with low timeouts which is not possible upstream since 7395dfacfff6
("netfilter: nf_tables: use timestamp to check for set element
timeout"). Fix this by setting on the dead flag for anonymous sets to
skip async gc in this case. According to 08e4c8c5919f ("netfilter:
nf_tables: mark newset as dead on transaction abort"), Florian plans
to accelerate abort path by releasing objects via workqueue,
therefore, this sets on the dead flag for abort path too.
|
