From 9f1742e9e4c7ee2fcd691cc336355e942eee6b00 Mon Sep 17 00:00:00 2001
From: Brett Mastbergen <bmastbergen@ciq.com>
Date: Wed, 9 Apr 2025 09:15:21 -0400
Subject: [PATCH 1/3] net/sched: cls_route: No longer copy tcf_result on update
 to avoid use-after-free

jira VULN-34673
jira VULN-8844
cve CVE-2023-4206
cve CVE-2023-4218
commit-author valis <sec@valis.email>
commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8

When route4_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.

This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.

Fix this by no longer copying the tcf_result struct from the old filter.

Fixes: 1109c00547fc ("net: sched: RCU cls_route")
	Reported-by: valis <sec@valis.email>
	Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
	Signed-off-by: valis <sec@valis.email>
	Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
	Reviewed-by: Victor Nogueira <victor@mojatatu.com>
	Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
	Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-4-jhs@mojatatu.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
---
 net/sched/cls_route.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index 48712bc51bda7..194468d0355a1 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -511,7 +511,6 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
 	if (fold) {
 		f->id = fold->id;
 		f->iif = fold->iif;
-		f->res = fold->res;
 		f->handle = fold->handle;
 
 		f->tp = fold->tp;

From 0f445217b09bf29f00841d82a9910a7819930a23 Mon Sep 17 00:00:00 2001
From: Brett Mastbergen <bmastbergen@ciq.com>
Date: Wed, 9 Apr 2025 09:06:04 -0400
Subject: [PATCH 2/3] net/sched: cls_fw: No longer copy tcf_result on update to
 avoid use-after-free

jira VULN-34673
jira VULN-8842
cve CVE-2023-4207
cve CVE-2023-4218
commit-author valis <sec@valis.email>
commit 76e42ae831991c828cffa8c37736ebfb831ad5ec

When fw_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.

This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.

Fix this by no longer copying the tcf_result struct from the old filter.

Fixes: e35a8ee5993b ("net: sched: fw use RCU")
	Reported-by: valis <sec@valis.email>
	Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
	Signed-off-by: valis <sec@valis.email>
	Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
	Reviewed-by: Victor Nogueira <victor@mojatatu.com>
	Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
	Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-3-jhs@mojatatu.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 76e42ae831991c828cffa8c37736ebfb831ad5ec)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
---
 net/sched/cls_fw.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index ea52c320f67c4..a2f53aee39097 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -265,7 +265,6 @@ static int fw_change(struct net *net, struct sk_buff *in_skb,
 			return -ENOBUFS;
 
 		fnew->id = f->id;
-		fnew->res = f->res;
 		fnew->ifindex = f->ifindex;
 		fnew->tp = f->tp;
 

From 70ad667c10f48925e7a4fe6b4db9b9467faf2cda Mon Sep 17 00:00:00 2001
From: Brett Mastbergen <bmastbergen@ciq.com>
Date: Wed, 9 Apr 2025 09:07:33 -0400
Subject: [PATCH 3/3] net/sched: cls_u32: No longer copy tcf_result on update
 to avoid use-after-free

jira VULN-34673
jira VULN-8840
cve CVE-2023-4208
cve CVE-2023-4218
commit-author valis <sec@valis.email>
commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81

When u32_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.

This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.

Fix this by no longer copying the tcf_result struct from the old filter.

Fixes: de5df63228fc ("net: sched: cls_u32 changes to knode must appear atomic to readers")
	Reported-by: valis <sec@valis.email>
	Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
	Signed-off-by: valis <sec@valis.email>
	Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
	Reviewed-by: Victor Nogueira <victor@mojatatu.com>
	Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
	Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-2-jhs@mojatatu.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
---
 net/sched/cls_u32.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index 4d27300c287c4..6318cf9a9c08c 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -811,7 +811,6 @@ static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp,
 
 	new->ifindex = n->ifindex;
 	new->fshift = n->fshift;
-	new->res = n->res;
 	new->flags = n->flags;
 	RCU_INIT_POINTER(new->ht_down, ht);