From: Sasha Levin Date: Wed, 4 Oct 2023 14:10:56 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v6.5.6~23^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a343634f339276c17b8b1f9dce7ca392629244d1;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/netfilter-nf_tables-disallow-rule-removal-from-chain.patch b/queue-6.1/netfilter-nf_tables-disallow-rule-removal-from-chain.patch new file mode 100644 index 00000000000..433c9c4701e --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-disallow-rule-removal-from-chain.patch @@ -0,0 +1,102 @@ +From 039413a400387eb691901b4309fa8730ae776efc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Sep 2023 08:22:33 +0200 +Subject: netfilter: nf_tables: disallow rule removal from chain binding + +From: Pablo Neira Ayuso + +[ Upstream commit f15f29fd4779be8a418b66e9d52979bb6d6c2325 ] + +Chain binding only requires the rule addition/insertion command within +the same transaction. Removal of rules from chain bindings within the +same transaction makes no sense, userspace does not utilize this +feature. Replace nft_chain_is_bound() check to nft_chain_binding() in +rule deletion commands. Replace command implies a rule deletion, reject +this command too. + +Rule flush command can also safely rely on this nft_chain_binding() +check because unbound chains are not allowed since 62e1e94b246e +("netfilter: nf_tables: reject unbound chain set before commit phase"). + +Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") +Reported-by: Kevin Rich +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 1d6a37430ff6b..52b81dc1fcf5b 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1427,7 +1427,7 @@ static int nft_flush_table(struct nft_ctx *ctx) + if (!nft_is_active_next(ctx->net, chain)) + continue; + +- if (nft_chain_is_bound(chain)) ++ if (nft_chain_binding(chain)) + continue; + + ctx->chain = chain; +@@ -1471,7 +1471,7 @@ static int nft_flush_table(struct nft_ctx *ctx) + if (!nft_is_active_next(ctx->net, chain)) + continue; + +- if (nft_chain_is_bound(chain)) ++ if (nft_chain_binding(chain)) + continue; + + ctx->chain = chain; +@@ -2792,6 +2792,9 @@ static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info, + return PTR_ERR(chain); + } + ++ if (nft_chain_binding(chain)) ++ return -EOPNOTSUPP; ++ + if (info->nlh->nlmsg_flags & NLM_F_NONREC && + chain->use > 0) + return -EBUSY; +@@ -3771,6 +3774,11 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, + } + + if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { ++ if (nft_chain_binding(chain)) { ++ err = -EOPNOTSUPP; ++ goto err_destroy_flow_rule; ++ } ++ + err = nft_delrule(&ctx, old_rule); + if (err < 0) + goto err_destroy_flow_rule; +@@ -3874,7 +3882,7 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, + NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); + return PTR_ERR(chain); + } +- if (nft_chain_is_bound(chain)) ++ if (nft_chain_binding(chain)) + return -EOPNOTSUPP; + } + +@@ -3904,7 +3912,7 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, + list_for_each_entry(chain, &table->chains, list) { + if (!nft_is_active_next(net, chain)) + continue; +- if (nft_chain_is_bound(chain)) ++ if (nft_chain_binding(chain)) + continue; + + ctx.chain = chain; +@@ -10664,7 +10672,7 @@ static void __nft_release_table(struct net *net, struct nft_table *table) + ctx.family = table->family; + ctx.table = table; + list_for_each_entry(chain, &table->chains, list) { +- if (nft_chain_is_bound(chain)) ++ if (nft_chain_binding(chain)) + continue; + + ctx.chain = chain; +-- +2.40.1 + diff --git a/queue-6.1/series b/queue-6.1/series index 14de272cd4b..11250567e45 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -206,3 +206,4 @@ nvme-pci-always-return-an-err_ptr-from-nvme_pci_allo.patch smack-record-transmuting-in-smk_transmuted.patch smack-retrieve-transmuting-information-in-smack_inod.patch iommu-arm-smmu-v3-fix-soft-lockup-triggered-by-arm_s.patch +netfilter-nf_tables-disallow-rule-removal-from-chain.patch