From f4f9150ccf2daca91d8fa7472fb8c830fc26811d Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Wed, 4 Oct 2023 10:10:57 -0400
Subject: [PATCH] Fixes for 5.15
Signed-off-by: Sasha Levin
---
 ...les-disallow-rule-removal-from-chain.patch | 102 ++++++++++++++++++
 queue-5.15/series | 1 +
 2 files changed, 103 insertions(+)
 create mode 100644 queue-5.15/netfilter-nf_tables-disallow-rule-removal-from-chain.patch
diff --git a/queue-5.15/netfilter-nf_tables-disallow-rule-removal-from-chain.patch b/queue-5.15/netfilter-nf_tables-disallow-rule-removal-from-chain.patch
new file mode 100644
index 00000000000..437e7da77ff
--- /dev/null
+++ b/queue-5.15/netfilter-nf_tables-disallow-rule-removal-from-chain.patch
@@ -0,0 +1,102 @@
+From 8f4146781a5c9deceed14cb8b22e94313bcd3966 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Sep 2023 08:22:33 +0200
+Subject: netfilter: nf_tables: disallow rule removal from chain binding
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit f15f29fd4779be8a418b66e9d52979bb6d6c2325 ]
+
+Chain binding only requires the rule addition/insertion command within
+the same transaction. Removal of rules from chain bindings within the
+same transaction makes no sense, userspace does not utilize this
+feature. Replace nft_chain_is_bound() check to nft_chain_binding() in
+rule deletion commands. Replace command implies a rule deletion, reject
+this command too.
+
+Rule flush command can also safely rely on this nft_chain_binding()
+check because unbound chains are not allowed since 62e1e94b246e
+("netfilter: nf_tables: reject unbound chain set before commit phase").
+
+Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+Reported-by: Kevin Rich
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 2f7d8e0e47de8..8a4cd1c16e0e4 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1348,7 +1348,7 @@ static int nft_flush_table(struct nft_ctx *ctx)
+ if (!nft_is_active_next(ctx->net, chain))
+ continue;
+
+- if (nft_chain_is_bound(chain))
++ if (nft_chain_binding(chain))
+ continue;
+
+ ctx->chain = chain;
+@@ -1392,7 +1392,7 @@ static int nft_flush_table(struct nft_ctx *ctx)
+ if (!nft_is_active_next(ctx->net, chain))
+ continue;
+
+- if (nft_chain_is_bound(chain))
++ if (nft_chain_binding(chain))
+ continue;
+
+ ctx->chain = chain;
+@@ -2697,6 +2697,9 @@ static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
+ return PTR_ERR(chain);
+ }
+
++ if (nft_chain_binding(chain))
++ return -EOPNOTSUPP;
++
+ if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
+ chain->use > 0)
+ return -EBUSY;
+@@ -3674,6 +3677,11 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
+ }
+
+ if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
++ if (nft_chain_binding(chain)) {
++ err = -EOPNOTSUPP;
++ goto err_destroy_flow_rule;
++ }
++
+ err = nft_delrule(&ctx, old_rule);
+ if (err < 0)
+ goto err_destroy_flow_rule;
+@@ -3777,7 +3785,7 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
+ NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
+ return PTR_ERR(chain);
+ }
+- if (nft_chain_is_bound(chain))
++ if (nft_chain_binding(chain))
+ return -EOPNOTSUPP;
+ }
+
+@@ -3807,7 +3815,7 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
+ list_for_each_entry(chain, &table->chains, list) {
+ if (!nft_is_active_next(net, chain))
+ continue;
+- if (nft_chain_is_bound(chain))
++ if (nft_chain_binding(chain))
+ continue;
+
+ ctx.chain = chain;
+@@ -10458,7 +10466,7 @@ static void __nft_release_table(struct net *net, struct nft_table *table)
+ ctx.family = table->family;
+ ctx.table = table;
+ list_for_each_entry(chain, &table->chains, list) {
+- if (nft_chain_is_bound(chain))
++ if (nft_chain_binding(chain))
+ continue;
+
+ ctx.chain = chain;
+--
+2.40.1
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 383bcbc335c..b43f4fc5395 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -155,3 +155,4 @@ smack-record-transmuting-in-smk_transmuted.patch
 smack-retrieve-transmuting-information-in-smack_inod.patch
 smack-use-overlay-inode-label-in-smack_inode_copy_up.patch
 iommu-arm-smmu-v3-fix-soft-lockup-triggered-by-arm_s.patch
+netfilter-nf_tables-disallow-rule-removal-from-chain.patch
-- 
2.47.3
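Review bot: The nft_flush_table, nf_tables_delrule (flush path) and __nft_release_table hunks now skip every chain carrying the binding flag instead of only chains already bound, and the commit message states this is safe only because 62e1e94b246e ("netfilter: nf_tables: reject unbound chain set before commit phase") is in the tree. The series hunk shows only its last four entries, so whether that prerequisite is already queued for 5.15 cannot be confirmed from this page; if it is absent, a binding chain that never becomes bound could be skipped by flush and release and its rules left in place. Before merging, confirm 62e1e94b246e is applied earlier in queue-5.15/series, and record the dependency in the backport header with a line such as `[ Depends on 62e1e94b246e ("netfilter: nf_tables: reject unbound chain set before commit phase") ]` under the upstream-commit marker. Every function touched by the inner patch starts and ends outside its hunk context.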