Patch "netfilter: nf_tables: disable toggling dormant table state more than once" has been added to the 6.5-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 24 Sep 2023 15:34:06 -0400

This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: disable toggling dormant table state more than once

to the 6.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-disable-toggling-dormant-table-s.patch
and it can be found in the queue-6.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 766286e5da4ab8a1cfef2a12c2adb9e104421733
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Fri Sep 15 15:18:11 2023 +0200

    netfilter: nf_tables: disable toggling dormant table state more than once
    
    [ Upstream commit c9bd26513b3a11b3adb3c2ed8a31a01a87173ff1 ]
    
    nft -f -<<EOF
    add table ip t
    add table ip t { flags dormant; }
    add chain ip t c { type filter hook input priority 0; }
    add table ip t
    EOF
    
    Triggers a splat from nf core on next table delete because we lose
    track of right hook register state:
    
    WARNING: CPU: 2 PID: 1597 at net/netfilter/core.c:501 __nf_unregister_net_hook
    RIP: 0010:__nf_unregister_net_hook+0x41b/0x570
     nf_unregister_net_hook+0xb4/0xf0
     __nf_tables_unregister_hook+0x160/0x1d0
    [..]
    
    The above should have table in *active* state, but in fact no
    hooks were registered.
    
    Reject on/off/on games rather than attempting to fix this.
    
    Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates")
    Reported-by: "Lee, Cherie-Anne" <cherie.lee@xxxxxxxxxxx>
    Cc: Bing-Jhong Billy Jheng <billy@xxxxxxxxxxx>
    Cc: info@xxxxxxxxxxx
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 3e6839c03bccc..976a9b763b9bb 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1219,6 +1219,10 @@ static int nf_tables_updtable(struct nft_ctx *ctx)
 	     flags & NFT_TABLE_F_OWNER))
 		return -EOPNOTSUPP;
 
+	/* No dormant off/on/off/on games in single transaction */
+	if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
+		return -EINVAL;
+
 	trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
 				sizeof(struct nft_trans_table));
 	if (trans == NULL)






