This is a note to let you know that I've just added the patch titled
netfilter: nft_payload: rebuild vlan header when needed
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
netfilter-nft_payload-rebuild-vlan-header-when-neede.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 28983bb95aecb8c0f0a2498ad54cd548b637f5b6
Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date: Tue Jun 6 09:38:42 2023 +0200
netfilter: nft_payload: rebuild vlan header when needed
[ Upstream commit de6843be3082d416eaf2a00b72dad95c784ca980 ]
Skip rebuilding the vlan header when accessing destination and source
mac address.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Stable-dep-of: 33c563ebf8d3 ("netfilter: nft_payload: skbuff vlan metadata mangle support")
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index e5f0d33a27e61..b1745304dbd22 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -127,7 +127,8 @@ void nft_payload_eval(const struct nft_expr *expr,
if (!skb_mac_header_was_set(skb) || skb_mac_header_len(skb) == 0)
goto err;
- if (skb_vlan_tag_present(skb)) {
+ if (skb_vlan_tag_present(skb) &&
+ priv->offset >= offsetof(struct ethhdr, h_proto)) {
if (!nft_payload_copy_vlan(dest, skb,
priv->offset, priv->len))
goto err;
