[lvc-project] [PATCH 6.1/6.12] netfilter: nft_socket: remove WARN_ON_ONCE with huge level value
Denis Zubov
d.zubov at tssltd.ru
Fri Jul 3 15:08:38 MSK 2026
From: Pablo Neira Ayuso <pablo at netfilter.org>

commit 1dee968d22eaeb3eede70df513ab3f8dd1712e3e upstream.

syzbot managed to reach this WARN_ON_ONCE by passing a huge level
value, remove it.

Reported-by: syzbot+a225fea35d7baf8dbdc3 at syzkaller.appspotmail.com
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
Fixes: 7f3287db6543 ("netfilter: nft_socket: make cgroupsv2 matching work with namespaces")
Signed-off-by: Denis Zubov <d.zubov at tssltd.ru>
---
net/netfilter/nft_socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index 2d33674e9e5e..03092c61eda1 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -217,7 +217,7 @@ static int nft_socket_init(const struct nft_ctx *ctx,
level += err;
/* Implies a giant cgroup tree */
- if (WARN_ON_ONCE(level > 255))
+ if (level > 255)
return -EOPNOTSUPP;
priv->level = level;
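
Review bot: the comment left above `if (level > 255)` still reads "Implies a giant cgroup tree", but the commit message says this bound is reached by a caller passing a huge level value, so the comment now misdescribes the case being rejected. For a stable backport it makes sense to keep the hunk identical to upstream 1dee968d22ea, so this is better raised as an upstream follow-up: reword the comment to say that an out-of-range level, including one supplied by the user, is refused with -EOPNOTSUPP. For the 6.1 and 6.12 queues, please also confirm that 7f3287db6543 from the Fixes: tag is present in both trees, since the `level += err` adjustment this check follows is only there if that commit was backported.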
--
2.53.0