Patch "netfilter: nf_tables: skip netdev hook unregistration if table is dormant" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Wed, 3 Apr 2024 12:05:28 -0400

This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: skip netdev hook unregistration if table is dormant

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-skip-netdev-hook-unregistration-.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 7b4d3e97822dd0eef36b5e3880c64f1e2efab7a7
Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date:   Thu Mar 21 01:28:07 2024 +0100

    netfilter: nf_tables: skip netdev hook unregistration if table is dormant
    
    [ Upstream commit 216e7bf7402caf73f4939a8e0248392e96d7c0da ]
    
    Skip hook unregistration when adding or deleting devices from an
    existing netdev basechain. Otherwise, commit/abort path try to
    unregister hooks which not enabled.
    
    Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain")
    Fixes: 7d937b107108 ("netfilter: nf_tables: support for deleting devices in an existing netdev chain")
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 6e4e22a10a826..b2ef7e37f11cd 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10083,9 +10083,11 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
 			if (nft_trans_chain_update(trans)) {
 				nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
 						       &nft_trans_chain_hooks(trans));
-				nft_netdev_unregister_hooks(net,
-							    &nft_trans_chain_hooks(trans),
-							    true);
+				if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT)) {
+					nft_netdev_unregister_hooks(net,
+								    &nft_trans_chain_hooks(trans),
+								    true);
+				}
 			} else {
 				nft_chain_del(trans->ctx.chain);
 				nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
@@ -10357,9 +10359,11 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
 			break;
 		case NFT_MSG_NEWCHAIN:
 			if (nft_trans_chain_update(trans)) {
-				nft_netdev_unregister_hooks(net,
-							    &nft_trans_chain_hooks(trans),
-							    true);
+				if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT)) {
+					nft_netdev_unregister_hooks(net,
+								    &nft_trans_chain_hooks(trans),
+								    true);
+				}
 				free_percpu(nft_trans_chain_stats(trans));
 				kfree(nft_trans_chain_name(trans));
 				nft_trans_destroy(trans);







