netfilter: nf_tables: fix spurious set element insertion failure
stable inclusion from stable-v5.10.188 commit 533193a23914558127190e7bf7cb505ab6389acd category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8KYFP Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=533193a23914558127190e7bf7cb505ab6389acd -------------------------------- [ Upstream commit ddbd8be6 ] On some platforms there is a padding hole in the nft_verdict structure, between the verdict code and the chain pointer. On element insertion, if the new element clashes with an existing one and NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as the data associated with duplicated element is the same as the existing one. The data equality check uses memcmp. For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT padding area leads to spurious failure even if the verdict data is the same. This then makes the insertion fail with 'already exists' error, even though the new "key : data" matches an existing entry and userspace told the kernel that it doesn't want to receive an error indication. Fixes: c016c7e4 ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion") Signed-off-by:Florian Westphal <fw@strlen.de> Signed-off-by:
Loading
Please sign in to comment