From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 14/26] netfilter: nf_tables: disallow element updates of bound anonymous sets
Date: Mon, 26 Jun 2023 20:11:16 +0200 [thread overview]
Message-ID: <20230626180734.233600450@linuxfoundation.org> (raw)
In-Reply-To: <20230626180733.699092073@linuxfoundation.org>
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit c88c535b592d3baeee74009f3eceeeaf0fdd5e1b ]
Anonymous sets come with NFT_SET_CONSTANT from userspace. Although API
allows to create anonymous sets without NFT_SET_CONSTANT, it makes no
sense to allow to add and to delete elements for bound anonymous sets.
Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 241a3032d0e66..e091c552b0b92 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4220,7 +4220,8 @@ static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
return PTR_ERR(set);
}
- if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
+ if (!list_empty(&set->bindings) &&
+ (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
return -EBUSY;
nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
@@ -4399,7 +4400,9 @@ static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
genmask);
if (IS_ERR(set))
return PTR_ERR(set);
- if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
+
+ if (!list_empty(&set->bindings) &&
+ (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
return -EBUSY;
if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
--
2.39.2
next prev parent reply other threads:[~2023-06-26 18:13 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-26 18:11 [PATCH 4.14 00/26] 4.14.320-rc1 review Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 01/26] serial: lantiq: add missing interrupt ack Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 02/26] nilfs2: reject devices with insufficient block count Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 03/26] nilfs2: fix buffer corruption due to concurrent device reads Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 04/26] Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 05/26] cgroup: Do not corrupt task iteration when rebinding subsystem Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 06/26] nilfs2: prevent general protection fault in nilfs_clear_dirty_page() Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 07/26] xfrm: Linearize the skb after offloading if needed Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 08/26] net: qca_spi: Avoid high load if QCA7000 is not available Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 09/26] mmc: mtk-sd: fix deferred probing Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 10/26] mmc: omap: " Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 11/26] mmc: omap_hsmmc: " Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 12/26] mmc: usdhi60rol0: " Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 13/26] be2net: Extend xmit workaround to BE3 chip Greg Kroah-Hartman
2023-06-26 18:11 ` Greg Kroah-Hartman [this message]
2023-06-26 18:11 ` [PATCH 4.14 15/26] scsi: target: iscsi: Prevent login threads from racing between each other Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 16/26] HID: wacom: Add error check to wacom_parse_and_register() Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 17/26] arm64: Add missing Set/Way CMO encodings Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 18/26] nfcsim.c: Fix error checking for debugfs_create_dir Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 19/26] fbdev: imsttfb: Release framebuffer and dealloc cmap on error path Greg Kroah-Hartman
2023-06-28 21:41 ` Helge Deller
2023-06-29 7:06 ` Greg Kroah-Hartman
2023-06-29 9:39 ` Helge Deller
2023-06-26 18:11 ` [PATCH 4.14 20/26] usb: gadget: udc: fix NULL dereference in remove() Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 21/26] s390/cio: unregister device when the only path is gone Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 22/26] drm/exynos: vidi: fix a wrong error return Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 23/26] drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 24/26] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 25/26] x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 4.14 26/26] i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle Greg Kroah-Hartman
2023-06-27 9:04 ` [PATCH 4.14 00/26] 4.14.320-rc1 review Jon Hunter
2023-06-27 20:05 ` Chris Paterson
2023-06-27 21:31 ` Harshit Mogalapalli
2023-06-27 21:33 ` Guenter Roeck
2023-06-28 7:17 ` Naresh Kamboju
2023-06-28 13:34 ` Known bad patches from AUTOSEL was " Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230626180734.233600450@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=pablo@netfilter.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.