[PATCH net 0/1] netfilter: update for net

[PATCH net 0/1] netfilter: update for net

[Florian Westphal]

Hi,

This is one last-minute crash fix for nf_tables, from Andrew Fasano:

Logical check is inverted, this makes kernel fail to correctly undo
the transaction, leading to a use-after-free.

Please, pull this change from:
The following changes since commit 7d6ba706ae5ef7d3d00b67140d2873ae1da6d41f:

  Merge tag 'wireless-2026-02-04' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless (2026-02-04 20:29:53 -0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-26-02-05

for you to fetch changes up to f41c5d151078c5348271ffaf8e7410d96f2d82f8:

  netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() (2026-02-05 08:36:59 +0100)

----------------------------------------------------------------
netfilter pull request nf-26-02-05

----------------------------------------------------------------

Andrew Fasano (1):
  netfilter: nf_tables: fix inverted genmask check in
    nft_map_catchall_activate()

 net/netfilter/nf_tables_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.52.0

[PATCH net 1/1] netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

[Florian Westphal]

From: Andrew Fasano <andrew.fasano@nist.gov>

nft_map_catchall_activate() has an inverted element activity check
compared to its non-catchall counterpart nft_mapelem_activate() and
compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate
catchall map elements that were deactivated during a failed transaction.
It should skip elements that are already active (they don't need
re-activation) and process elements that are inactive (they need to be
restored). Instead, the current code does the opposite: it skips inactive
elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

  nft_mapelem_activate():
    if (nft_set_elem_active(ext, iter->genmask))
        return 0;   /* skip active, process inactive */

With the buggy catchall version:

  nft_map_catchall_activate():
    if (!nft_set_elem_active(ext, genmask))
        continue;   /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted,
nft_setelem_data_activate() is never called for the catchall element.
For NFT_GOTO verdict elements, this means nft_data_hold() is never
called to restore the chain->use reference count. Each abort cycle
permanently decrements chain->use. Once chain->use reaches zero,
DELCHAIN succeeds and frees the chain while catchall verdict elements
still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged
user via user namespaces + nftables on distributions that enable
CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate():
skip active elements, process inactive ones.

Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase")
Signed-off-by: Andrew Fasano <andrew.fasano@nist.gov>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_tables_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 729a92781a1a..be92750e2af3 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5914,7 +5914,7 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx,
 
 	list_for_each_entry(catchall, &set->catchall_list, list) {
 		ext = nft_set_elem_ext(set, catchall->elem);
-		if (!nft_set_elem_active(ext, genmask))
+		if (nft_set_elem_active(ext, genmask))
 			continue;
 
 		nft_clear(ctx->net, ext);
-- 
2.52.0

Re: [PATCH net 1/1] netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Florian Westphal <fw@strlen.de>:

On Thu,  5 Feb 2026 08:44:50 +0100 you wrote:
> From: Andrew Fasano <andrew.fasano@nist.gov>
> 
> nft_map_catchall_activate() has an inverted element activity check
> compared to its non-catchall counterpart nft_mapelem_activate() and
> compared to what is logically required.
> 
> nft_map_catchall_activate() is called from the abort path to re-activate
> catchall map elements that were deactivated during a failed transaction.
> It should skip elements that are already active (they don't need
> re-activation) and process elements that are inactive (they need to be
> restored). Instead, the current code does the opposite: it skips inactive
> elements and processes active ones.
> 
> [...]

Here is the summary with links:
  - [net,1/1] netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
    https://git.kernel.org/netdev/net/c/f41c5d151078

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html