5.15-stable patches

added patches:
	netfilter-nf_tables-reject-tables-of-unsupported-family.patch

diff --git a/queue-5.15/netfilter-nf_tables-reject-tables-of-unsupported-family.patch b/queue-5.15/netfilter-nf_tables-reject-tables-of-unsupported-family.patch
new file mode 100644 (file)
index 0000000..61ec05a
--- /dev/null
+++ b/queue-5.15/netfilter-nf_tables-reject-tables-of-unsupported-family.patch
@@ -0,0 +1,65 @@
+From f1082dd31fe461d482d69da2a8eccfeb7bf07ac2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 16 Feb 2022 15:55:38 +0100
+Subject: netfilter: nf_tables: Reject tables of unsupported family
+
+From: Phil Sutter <phil@nwl.cc>
+
+commit f1082dd31fe461d482d69da2a8eccfeb7bf07ac2 upstream.
+
+An nftables family is merely a hollow container, its family just a
+number and such not reliant on compile-time options other than nftables
+support itself. Add an artificial check so attempts at using a family
+the kernel can't support fail as early as possible. This helps user
+space detect kernels which lack e.g. NFPROTO_INET.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c |   27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1247,6 +1247,30 @@ static int nft_objname_hash_cmp(struct r
+       return strcmp(obj->key.name, k->name);
+ }
+ 
++static bool nft_supported_family(u8 family)
++{
++      return false
++#ifdef CONFIG_NF_TABLES_INET
++              || family == NFPROTO_INET
++#endif
++#ifdef CONFIG_NF_TABLES_IPV4
++              || family == NFPROTO_IPV4
++#endif
++#ifdef CONFIG_NF_TABLES_ARP
++              || family == NFPROTO_ARP
++#endif
++#ifdef CONFIG_NF_TABLES_NETDEV
++              || family == NFPROTO_NETDEV
++#endif
++#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
++              || family == NFPROTO_BRIDGE
++#endif
++#ifdef CONFIG_NF_TABLES_IPV6
++              || family == NFPROTO_IPV6
++#endif
++              ;
++}
++
+ static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
+                             const struct nlattr * const nla[])
+ {
+@@ -1261,6 +1285,9 @@ static int nf_tables_newtable(struct sk_
+       u32 flags = 0;
+       int err;
+ 
++      if (!nft_supported_family(family))
++              return -EOPNOTSUPP;
++
+       lockdep_assert_held(&nft_net->commit_mutex);
+       attr = nla[NFTA_TABLE_NAME];
+       table = nft_table_lookup(net, attr, family, genmask,

diff --git a/queue-5.15/series b/queue-5.15/series
index 0974b511249f9ae6aaa33856d8da7464d22664e2..86480d4fbe9e012941b1cd7367fc68f7fdb9148a 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -52,3 +52,4 @@ mmc-sdhci-sprd-fix-emmc-init-failure-after-hw-reset.patch
 net-tls-update-curr-on-splice-as-well.patch
 ipv6-remove-max_size-check-inline-with-ipv4.patch
 perf-inject-fix-gen_elf_text_offset-for-jit.patch
+netfilter-nf_tables-reject-tables-of-unsupported-family.patch