[PATCH OLK-5.10] netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
From: Yuan Tan <tanyuan98@outlook.com>

mainline inclusion
from mainline-v7.0-rc2
commit 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13902
CVE: CVE-2026-23274

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

IDLETIMER revision 0 rules reuse existing timers by label and always call
mod_timer() on timer->timer.

If the label was created first by revision 1 with XT_IDLETIMER_ALARM,
the object uses alarm timer semantics and timer->timer is never initialized.
Reusing that object from revision 0 causes mod_timer() on an uninitialized
timer_list, triggering debugobjects warnings and possible panic when
panic_on_warn=1.

Fix this by rejecting revision 0 rule insertion when an existing timer with
the same label is of ALARM type.

Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target")
Co-developed-by: Yifan Wu <yifanwucs@gmail.com>
Signed-off-by: Yifan Wu <yifanwucs@gmail.com>
Co-developed-by: Juefei Pu <tomapufckgml@gmail.com>
Signed-off-by: Juefei Pu <tomapufckgml@gmail.com>
Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
Signed-off-by: Xin Liu <dstsmallbird@foxmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

Conflicts:
	net/netfilter/xt_IDLETIMER.c
[commit f4293c2baf6f is not backport]
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
--- net/netfilter/xt_IDLETIMER.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c index 2f7cf5ecebf4..d35ff0a2cad8 100644 --- a/net/netfilter/xt_IDLETIMER.c +++ b/net/netfilter/xt_IDLETIMER.c 
@@ -320,6 +320,12 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par) info->timer = __idletimer_tg_find_by_label(info->label); if (info->timer) { + if (info->timer->timer_type & XT_IDLETIMER_ALARM) { + pr_debug("Adding/Replacing rule with same label and different timer type is not allowed\n"); + mutex_unlock(&list_mutex); + return -EINVAL; + } + info->timer->refcnt++; mod_timer(&info->timer->timer, msecs_to_jiffies(info->timeout * 1000) + jiffies); -- 2.25.1
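Review bot: the new reject branch in idletimer_tg_checkentry() reports its reason only through pr_debug(), so unless dynamic debug is enabled the administrator sees a bare -EINVAL when a revision 0 rule reuses a label owned by an ALARM timer. The message also says "different timer type" while the test is specifically `info->timer->timer_type & XT_IDLETIMER_ALARM`; wording that names the ALARM case would make the log line match the condition. The placement itself looks right: the check runs before `info->timer->refcnt++` and drops list_mutex before returning, so the early exit leaves neither a reference nor the lock held. Since the Conflicts note only says commit f4293c2baf6f is not backported, please state in the commit message what was adapted in this hunk relative to the mainline commit so the backport can be compared against it.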
Feedback:
The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully!
Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/21967
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/NWD...
participants (2)
- Dong Chenchen
- patchwork bot