From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Andrew Fasano <andrew.fasano@nist.gov>,
Florian Westphal <fw@strlen.de>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.12 102/113] netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
Date: Mon, 9 Feb 2026 15:24:11 +0100 [thread overview]
Message-ID: <20260209142313.841124477@linuxfoundation.org> (raw)
In-Reply-To: <20260209142310.204833231@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Fasano <andrew.fasano@nist.gov>
[ Upstream commit f41c5d151078c5348271ffaf8e7410d96f2d82f8 ]
nft_map_catchall_activate() has an inverted element activity check
compared to its non-catchall counterpart nft_mapelem_activate() and
compared to what is logically required.
nft_map_catchall_activate() is called from the abort path to re-activate
catchall map elements that were deactivated during a failed transaction.
It should skip elements that are already active (they don't need
re-activation) and process elements that are inactive (they need to be
restored). Instead, the current code does the opposite: it skips inactive
elements and processes active ones.
Compare the non-catchall activate callback, which is correct:
nft_mapelem_activate():
if (nft_set_elem_active(ext, iter->genmask))
return 0; /* skip active, process inactive */
With the buggy catchall version:
nft_map_catchall_activate():
if (!nft_set_elem_active(ext, genmask))
continue; /* skip inactive, process active */
The consequence is that when a DELSET operation is aborted,
nft_setelem_data_activate() is never called for the catchall element.
For NFT_GOTO verdict elements, this means nft_data_hold() is never
called to restore the chain->use reference count. Each abort cycle
permanently decrements chain->use. Once chain->use reaches zero,
DELCHAIN succeeds and frees the chain while catchall verdict elements
still reference it, resulting in a use-after-free.
This is exploitable for local privilege escalation from an unprivileged
user via user namespaces + nftables on distributions that enable
CONFIG_USER_NS and CONFIG_NF_TABLES.
Fix by removing the negation so the check matches nft_mapelem_activate():
skip active elements, process inactive ones.
Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase")
Signed-off-by: Andrew Fasano <andrew.fasano@nist.gov>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index c3613d8e7d725..3bf88c137868a 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5700,7 +5700,7 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx,
list_for_each_entry(catchall, &set->catchall_list, list) {
ext = nft_set_elem_ext(set, catchall->elem);
- if (!nft_set_elem_active(ext, genmask))
+ if (nft_set_elem_active(ext, genmask))
continue;
nft_clear(ctx->net, ext);
--
2.51.0
next prev parent reply other threads:[~2026-02-09 14:41 UTC|newest]
Thread overview: 127+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-09 14:22 [PATCH 6.12 000/113] 6.12.70-rc1 review Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 001/113] nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 002/113] x86/vmware: Fix hypercall clobbers Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 003/113] x86/kfence: fix booting on 32bit non-PAE systems Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 004/113] platform/x86: intel_telemetry: Fix swapped arrays in PSS output Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 005/113] ALSA: aloop: Fix racy access at PCM trigger Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 006/113] pmdomain: qcom: rpmpd: fix off-by-one error in clamping to the highest state Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 007/113] pmdomain: imx8mp-blk-ctrl: Keep gpc power domain on for system wakeup Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 008/113] pmdomain: imx: gpcv2: Fix the imx8mm gpu hang due to wrong adb400 reset Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 009/113] pmdomain: imx8mp-blk-ctrl: Keep usb phy power domain on for system wakeup Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 010/113] pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 011/113] mm/slab: Add alloc_tagging_slab_free_hook for memcg_alloc_abort_single Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 012/113] ceph: fix NULL pointer dereference in ceph_mds_auth_match() Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 013/113] rbd: check for EOD after exclusive lock is ensured to be held Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 014/113] ARM: 9468/1: fix memset64() on big-endian Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 015/113] ceph: fix oops due to invalid pointer for kfree() in parse_longname() Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 016/113] gve: Fix stats report corruption on queue count change Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 017/113] gve: Correct ethtool rx_dropped calculation Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 018/113] mm, shmem: prevent infinite loop on truncate race Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 019/113] Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem" Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 020/113] KVM: Dont clobber irqfd routing type when deassigning irqfd Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 021/113] PCI/ERR: Ensure error recoverability at all times Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 022/113] tools/power turbostat: fix GCC9 build regression Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 023/113] ublk: fix deadlock when reading partition table Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 024/113] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 025/113] binder: fix BR_FROZEN_REPLY error log Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 026/113] binderfs: fix ida_alloc_max() upper bound Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 027/113] KVM: selftests: Add -U_FORTIFY_SOURCE to avoid some unpredictable test failures Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 028/113] procfs: avoid fetching build ID while holding VMA lock Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 029/113] tracing: Fix ftrace event field alignments Greg Kroah-Hartman
2026-02-09 14:22 ` [PATCH 6.12 030/113] wifi: mac80211: ocb: skip rx_no_sta when interface is not joined Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 031/113] wifi: wlcore: ensure skb headroom before skb_push Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 032/113] net: usb: sr9700: support devices with virtual driver CD Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 033/113] block,bfq: fix aux stat accumulation destination Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 034/113] smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe() Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 035/113] LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 036/113] md: suspend array while updating raid_disks via sysfs Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 037/113] smb/server: fix refcount leak in smb2_open() Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 038/113] LoongArch: Enable exception fixup for specific ADE subcode Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 039/113] smb/server: fix refcount leak in parse_durable_handle_context() Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 040/113] HID: intel-ish-hid: Update ishtp bus match to support device ID table Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 041/113] HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 042/113] btrfs: fix reservation leak in some error paths when inserting inline extent Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 043/113] riscv: Sanitize syscall table indexing under speculation Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 044/113] HID: intel-ish-hid: Reset enum_devices_done before enumeration Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 045/113] HID: playstation: Center initial joystick axes to prevent spurious events Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 046/113] ALSA: hda/realtek: Add quirk for Acer Nitro AN517-55 Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 047/113] ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 048/113] PCI: qcom: Remove ASPM L0s support for MSM8996 SoC Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 049/113] netfilter: replace -EEXIST with -EBUSY Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 050/113] HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 051/113] HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 052/113] HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101) Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 053/113] drm/amd/pm: Disable MMIO access during SMU Mode 1 reset Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 054/113] ring-buffer: Avoid softlockup in ring_buffer_resize() during memory free Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 055/113] HID: logitech: add HID++ support for Logitech MX Anywhere 3S Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 056/113] wifi: mac80211: collect station statistics earlier when disconnect Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 057/113] ASoC: davinci-evm: Fix reference leak in davinci_evm_probe Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 058/113] ASoC: simple-card-utils: Check device node before overwrite direction Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 059/113] nvme-fc: release admin tagset if init fails Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 060/113] nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 061/113] ASoC: amd: yc: Fix microphone on ASUS M6500RE Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 062/113] ASoC: tlv320adcx140: Propagate error codes during probe Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 063/113] spi: hisi-kunpeng: Fixed the wrong debugfs node name in hisi_spi debugfs initialization Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 064/113] regmap: maple: free entry on mas_store_gfp() failure Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 065/113] wifi: cfg80211: Fix bitrate calculation overflow for HE rates Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 066/113] scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 067/113] ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 068/113] scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 069/113] wifi: mac80211: correctly check if CSA is active Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 070/113] wifi: mac80211: dont increment crypto_tx_tailroom_needed_cnt twice Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 071/113] btrfs: reject new transactions if the fs is fully read-only Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 072/113] ALSA: hda/realtek: ALC269 fixup for Lenovo Yoga Book 9i 13IRU8 audio Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 073/113] platform/x86: toshiba_haps: Fix memory leaks in add/remove routines Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 074/113] platform/x86: intel_telemetry: Fix PSS event register mask Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 075/113] platform/x86: hp-bioscfg: Skip empty attribute names Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 076/113] platform/x86/intel/tpmi/plr: Make the file domain<n>/status writeable Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 077/113] smb/client: fix memory leak in smb2_open_file() Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 078/113] net: add skb_header_pointer_careful() helper Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 079/113] net/sched: cls_u32: use skb_header_pointer_careful() Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 080/113] dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 081/113] net: liquidio: Initialize netdev pointer before queue setup Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 082/113] net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 083/113] net: liquidio: Fix off-by-one error in VF " Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 084/113] dpaa2-switch: add bounds check for if_id in IRQ handler Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 085/113] net: phy: add phy_interface_weight() Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 086/113] net: phy: add phy_interface_copy() Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 087/113] net: sfp: pre-parse the module support Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 088/113] net: sfp: convert sfp quirks to modify struct sfp_module_support Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 089/113] net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.12 090/113] macvlan: fix error recovery in macvlan_common_newlink() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 091/113] net: usb: r8152: fix resume reset deadlock Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 092/113] net: dont touch dev->stats in BPF redirect paths Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 093/113] tipc: use kfree_sensitive() for session key material Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 094/113] drm/amd/display: fix wrong color value mapping on MCM shaper LUT Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 095/113] net: ethernet: adi: adin1110: Check return value of devm_gpiod_get_optional() in adin1110_check_spi() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 096/113] net: gro: fix outer network offset Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 097/113] drm/mgag200: fix mgag200_bmc_stop_scanout() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 098/113] drm/xe/query: Fix topology query pointer advance Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 099/113] drm/xe/pm: Also avoid missing outer rpm warning on system suspend Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 100/113] drm/xe/pm: Disable D3Cold for BMG only on specific platforms Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 101/113] hwmon: (occ) Mark occ_init_attribute() as __printf Greg Kroah-Hartman
2026-02-09 14:24 ` Greg Kroah-Hartman [this message]
2026-02-09 14:24 ` [PATCH 6.12 103/113] ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 104/113] ALSA: usb-audio: fix broken logic in snd_audigy2nx_led_update() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 105/113] ASoC: amd: fix memory leak in acp3x pdm dma ops Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 106/113] spi: tegra210-quad: Return IRQ_HANDLED when timeout already processed transfer Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 107/113] spi: tegra210-quad: Move curr_xfer read inside spinlock Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 108/113] spi: tegra210-quad: Protect curr_xfer assignment in tegra_qspi_setup_transfer_one Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 109/113] spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 110/113] spi: tegra210-quad: Protect curr_xfer clearing in tegra_qspi_non_combined_seq_xfer Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 111/113] spi: tegra: Fix a memory leak in tegra_slink_probe() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 112/113] spi: tegra114: Preserve SPI mode bits in def_command1_reg Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.12 113/113] ALSA: hda/realtek: Really fix headset mic for TongFang X6AR55xU Greg Kroah-Hartman
2026-02-09 16:31 ` [PATCH 6.12 000/113] 6.12.70-rc1 review Francesco Dolcini
2026-02-09 18:16 ` Brett A C Sheffield
2026-02-09 20:36 ` Peter Schneider
2026-02-09 20:53 ` Hardik Garg
2026-02-09 20:54 ` Souleymane Conte
2026-02-09 20:55 ` Jon Hunter
2026-02-10 3:00 ` Florian Fainelli
2026-02-10 6:00 ` Harshit Mogalapalli
2026-02-10 7:53 ` Ron Economos
2026-02-10 13:00 ` Mark Brown
2026-02-10 15:55 ` Jeffrin Thalakkottoor
2026-02-11 4:26 ` Shung-Hsi Yu
2026-02-11 13:45 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260209142313.841124477@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andrew.fasano@nist.gov \
--cc=fw@strlen.de \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.