Patch "netfilter: nf_tables: disallow element removal on anonymous sets" has been added to the 6.5-stable tree

This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: disallow element removal on anonymous sets

to the 6.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-disallow-element-removal-on-anon.patch
and it can be found in the queue-6.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 3914e52a79b4cefb00a7d252a46c927fbd9b9a9f
Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date:   Sun Sep 10 19:04:45 2023 +0200

    netfilter: nf_tables: disallow element removal on anonymous sets
    
    [ Upstream commit 23a3bfd4ba7acd36abf52b78605f61b21bdac216 ]
    
    Anonymous sets need to be populated once at creation and then they are
    bound to a rule since 938154b93be8 ("netfilter: nf_tables: reject unbound
    anonymous set before commit phase"), otherwise the transaction reports
    EINVAL.
    
    Userspace does not need to delete elements of anonymous sets that are
    not yet bound; reject this with EOPNOTSUPP.
    
    From the flush command path, skip anonymous sets; they are expected to be
    bound already. Otherwise, EINVAL is hit at the end of this transaction
    for unbound sets.
    
    Fixes: 96518518cc41 ("netfilter: add nftables")
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index db0a56b2da705..018cf368f6a5f 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1446,8 +1446,7 @@ static int nft_flush_table(struct nft_ctx *ctx)
 		if (!nft_is_active_next(ctx->net, set))
 			continue;
 
-		if (nft_set_is_anonymous(set) &&
-		    !list_empty(&set->bindings))
+		if (nft_set_is_anonymous(set))
 			continue;
 
 		err = nft_delset(ctx, set);
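Review bot: the new `if (nft_set_is_anonymous(set))` drops the `!list_empty(&set->bindings)` qualifier, so an anonymous set with no binding is now also left alone by the table flush instead of going through nft_delset(); the commit message says such a set is rejected with EINVAL at commit time anyway, but nothing at this site records that invariant. Suggest a one-line comment above the check, e.g. `/* anonymous sets are released with the rule that binds them; unbound ones are rejected at commit */`, so a later reader does not reinstate the bindings test. Worth confirming in the same series that an anonymous set created and then flushed in one batch really fails the whole transaction rather than surviving silently, since the flush loop no longer reports anything for it.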
@@ -7188,8 +7187,10 @@ static int nf_tables_delsetelem(struct sk_buff *skb,
 	if (IS_ERR(set))
 		return PTR_ERR(set);
 
-	if (!list_empty(&set->bindings) &&
-	    (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
+	if (nft_set_is_anonymous(set))
+		return -EOPNOTSUPP;
+
+	if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
 		return -EBUSY;
 
 	nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
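Review bot: placing the anonymous-set test ahead of the bindings check changes the errno for a bound anonymous set from -EBUSY (the old condition fired on bound sets flagged ANONYMOUS or CONSTANT) to -EOPNOTSUPP, while the commit message only discusses the unbound case; the userspace-visible change should be stated explicitly. The split itself reads correctly: anonymous sets are rejected unconditionally, the remaining `!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT)` keeps -EBUSY for bound constant sets only, and both checks run before nft_ctx_init(), so no transaction context is set up for a rejected request.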


