On Tue, Dec 12, 2017 at 12:36:35AM +0000, Banerjee, Debabrata wrote: > > From: Pablo Neira Ayuso [mailto:pablo@xxxxxxxxxxxxx] > > On Mon, Dec 11, 2017 at 06:30:24PM -0500, Debabrata Banerjee wrote: > > > + } else { > > > + /* Implicit handling for NF_STOLEN, as well as any other > > > + * non conventional verdicts. > > > + */ > > > + ret = 0; > > > > Another possibility (more simple?) would be this: > > > > int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state) { > > struct nf_hook_entry *entry; > > unsigned int verdict; > > - int ret = 0; > > + int ret; > > > > entry = rcu_dereference(state->hook_entries); > > next_hook: > > + ret = 0; > > > > Basically, make sure ret is set to zero when jumping to the next_hook label. > > Many ways to fix it, but I thought including the comment was appropriate. > Happy to change it if we want simpler instead. OK, let's take this one. Please, send a patch in git-format-patch, that we can pass to -stable. Cc netfilter-devel@xxxxxxxxxxxxxxx and stable@xxxxxxxxxxxxxxx should be fine, you can also include gregkh@xxxxxxxxxxxxxxxxxxx since he maintains 4.9-stable. I'll ack this by when you send it. Thanks!