From e7bf1c3e1b7261afc7ed30887da1255a207da4bc Mon Sep 17 00:00:00 2001
From: Michal Kubecek
Date: Apr 02 2024 07:02:40 +0000
Subject: netfilter: nf_tables: skip set commit for deleted/destroyed sets (CVE-2024-0193 bsc#1218495).
---
diff --git a/patches.suse/netfilter-nf_tables-skip-set-commit-for-deleted-dest.patch b/patches.suse/netfilter-nf_tables-skip-set-commit-for-deleted-dest.patch
new file mode 100644
index 0000000..b77ac83
--- /dev/null
+++ b/patches.suse/netfilter-nf_tables-skip-set-commit-for-deleted-dest.patch
@@ -0,0 +1,32 @@
+From: Pablo Neira Ayuso
+Date: Tue, 19 Dec 2023 19:44:49 +0100
+Subject: netfilter: nf_tables: skip set commit for deleted/destroyed sets
+Patch-mainline: v6.7
+Git-commit: 7315dc1e122c85ffdfc8defffbb8f8b616c2eb1a
+References: CVE-2024-0193 bsc#1218495
+
+NFT_MSG_DELSET deactivates all elements in the set, skip
+set->ops->commit() to avoid the unnecessary clone (for the pipapo case)
+as well as the sync GC cycle, which could deactivate again expired
+elements in such set.
+
+Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
+Reported-by: Kevin Rich
+Signed-off-by: Pablo Neira Ayuso
+Acked-by: Michal Kubecek
+
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -9758,7 +9758,7 @@ static void nft_set_commit_update(struct list_head *set_update_list)
+ list_for_each_entry_safe(set, next, set_update_list, pending_update) {
+ list_del_init(&set->pending_update);
+
+- if (!set->ops->commit)
++ if (!set->ops->commit || set->dead)
+ continue;
+
+ set->ops->commit(set);
diff --git a/series.conf b/series.conf
index 41b82c1..247abb7 100644
--- a/series.conf
+++ b/series.conf
@@ -17340,6 +17340,7 @@
 patches.suse/nfc-Do-not-send-datagram-if-socket-state-isn-t-LLCP_.patch
 patches.suse/octeontx2-af-Fix-marking-couple-of-structure-as-__pa.patch
 patches.suse/wifi-iwlwifi-pcie-don-t-synchronize-IRQs-from-IRQ.patch
+ patches.suse/netfilter-nf_tables-skip-set-commit-for-deleted-dest.patch
 patches.suse/mlxbf_gige-fix-receive-packet-race-condition.patch
 patches.suse/r8169-Fix-PCI-error-on-system-resume.patch
 patches.suse/connector-Fix-proc_event_num_listeners-count-not-cle.patch
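Review bot: The new guard `if (!set->ops->commit || set->dead)` only closes the double-deactivation the description warns about if `set->dead` is already raised for a deleted/destroyed set before nft_set_commit_update() runs, and that marking is outside this one-line hunk; the backport should confirm this branch carries the `dead` flag and its commit-path assignment, which presumably arrived with the GC transaction API change named in the Fixes: tag (5f68718b34a5), otherwise the test is dead code and the sync GC can still deactivate elements the NFT_MSG_DELSET already deactivated. The same prerequisite constrains the series.conf hunk: the new entry must sort after the backport of that GC transaction API change. It would help later rebases to record the dependency in the patch header, for example a sentence after the References: line such as `This relies on set->dead being set for deleted/destroyed sets at commit time (see Fixes: commit).` nft_set_commit_update() begins and ends outside the embedded hunk.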