From: Pablo Neira Ayuso <pablo@netfilter.org> mainline inclusion from mainline-v7.0-rc5 commit 36eae0956f659e48d5366d9b083d9417f3263ddc category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14592 CVE: CVE-2026-43060 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Packets sitting in nfqueue might hold a reference to: - templates that specify the conntrack zone, because a percpu area is used and module removal is possible. - conntrack timeout policies and helper, where object removal leave a stale reference. Since these objects can just go away, drop enqueued packets to avoid stale reference to them. If there is a need for finer grain removal, this logic can be revisited to make selective packet drop upon dependencies. Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support") Reported-by: Yiming Qian <yimingqian591@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Conflicts: net/netfilter/nft_ct.c [openEuler-1.0-LTS nft_ct.c differs from mainline: - lacks nft_ct_pcpu_mutex (introduced by commit e3245a7b7b34) - NFT_CT_ZONE case missing break statement - nf_ct_l4proto_put() present in nft_ct_timeout_obj_destroy() Adapted manually without introducing unsupported symbols] Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com> --- net/netfilter/nft_ct.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index 5dd87748afa8..b17604b5b48b 100644 --- a/net/netfilter/nft_ct.c +++ b/net/netfilter/nft_ct.c @@ -24,6 +24,7 @@ #include <net/netfilter/nf_conntrack_labels.h> #include <net/netfilter/nf_conntrack_timeout.h> #include <net/netfilter/nf_conntrack_l4proto.h> +#include "nf_internals.h" struct nft_ct { enum nft_ct_keys key:8; @@ -514,6 +515,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv) #endif #ifdef CONFIG_NF_CONNTRACK_ZONES case NFT_CT_ZONE: + nf_queue_nf_hook_drop(ctx->net); if (--nft_ct_pcpu_template_refcnt == 0) nft_ct_tmpl_put_pcpu(); #endif @@ -900,6 +902,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx, struct nft_ct_timeout_obj *priv = nft_obj_data(obj); struct nf_ct_timeout *timeout = priv->timeout; + nf_queue_nf_hook_drop(ctx->net); nf_ct_untimeout(ctx->net, timeout); nf_ct_l4proto_put(timeout->l4proto); nf_ct_netns_put(ctx->net, ctx->family); @@ -1033,6 +1036,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx, { struct nft_ct_helper_obj *priv = nft_obj_data(obj); + nf_queue_nf_hook_drop(ctx->net); if (priv->helper4) nf_conntrack_helper_put(priv->helper4); if (priv->helper6) -- 2.43.0