[3.16.y-ckt stable] Patch "netfilter: nf_tables: fix error handling of rule replacement" has been added to staging queue
Luis Henriques
luis.henriques at canonical.com
Wed May 20 12:31:47 UTC 2015
This is a note to let you know that I have just added a patch titled

    netfilter: nf_tables: fix error handling of rule replacement

to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.16.y-queue

This patch is scheduled to be released in version 3.16.7-ckt12.

If you, or anyone else, feels it should not be added to this tree, please
reply to this email.

For more information about the 3.16.y-ckt tree, see

    https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis
------
From c55a5bde671d3600e010e155dd49fe94de5a29fc Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Wed, 4 Mar 2015 17:55:27 +0100
Subject: netfilter: nf_tables: fix error handling of rule replacement

commit 59900e0a019e7c2bdb7809a03ed5742d311b15b3 upstream.

In general, if a transaction object is added to the list successfully,
we can rely on the abort path to undo what we've done. This allows us to
simplify the error handling of the rule replacement path in
nf_tables_newrule().

This implicitly fixes an unnecessary removal of the old rule, which
needs to be left in place if we fail to replace.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
net/netfilter/nf_tables_api.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index e1cf0f89748d..e8624c751ec6 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1857,12 +1857,6 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
err3:
list_del_rcu(&rule->list);
- if (trans) {
- list_del_rcu(&nft_trans_rule(trans)->list);
- nft_rule_clear(net, nft_trans_rule(trans));
- nft_trans_destroy(trans);
- chain->use++;
- }
err2:
nf_tables_rule_destroy(&ctx, rule);
err1:
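
Review bot: at err3, nothing remains to say why the old rule's transaction is no longer unwound after `list_del_rcu(&rule->list);`, so a one-line comment above `err3:` stating that a queued replacement transaction is undone by the abort path would keep a later reader from re-adding the cleanup. The removal is only safe if every jump to err3 with a non-NULL trans happens after that transaction was added to the list; the commit message asserts this, but these lines do not show it, so it should be confirmed against the full function. If trans has no other reader left in nf_tables_newrule() once the `if (trans)` test is gone, its assignment can be dropped too.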