Patch "netfilter: nf_tables: skip bound chain on rule flush" has been added to the 6.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: skip bound chain on rule flush

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit dcc7e01ee2a877f6891ba56d1c4572f13efba902
Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date:   Thu Jul 20 09:17:21 2023 +0200

    netfilter: nf_tables: skip bound chain on rule flush
    
    [ Upstream commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 ]
    
    Skip bound chain when flushing table rules, the rule that owns this
    chain releases these objects.
    
    Otherwise, the following warning is triggered:
    
      WARNING: CPU: 2 PID: 1217 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
      CPU: 2 PID: 1217 Comm: chain-flush Not tainted 6.1.39 #1
      RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
    
    Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
    Reported-by: Kevin Rich <kevinrich1337@xxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index e3049c7db9041..ccf0b3d80fd97 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4086,6 +4086,8 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
 		list_for_each_entry(chain, &table->chains, list) {
 			if (!nft_is_active_next(net, chain))
 				continue;
+			if (nft_chain_is_bound(chain))
+				continue;
 
 			ctx.chain = chain;
 			err = nft_delrule_by_chain(&ctx);



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux