[lvc-project] [PATCH 6.1/6.12] netfilter: nft_socket: remove WARN_ON_ONCE with huge level value

Denis Zubov d.zubov at tssltd.ru
Fri Jul 3 15:08:38 MSK 2026


From: Pablo Neira Ayuso <pablo at netfilter.org>

commit 1dee968d22eaeb3eede70df513ab3f8dd1712e3e upstream.

syzbot managed to reach this WARN_ON_ONCE by passing a huge level
value, remove it.

Reported-by: syzbot+a225fea35d7baf8dbdc3 at syzkaller.appspotmail.com
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

Fixes: 7f3287db6543 ("netfilter: nft_socket: make cgroupsv2 matching work with namespaces")
Signed-off-by: Denis Zubov <d.zubov at tssltd.ru>
---
 net/netfilter/nft_socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index 2d33674e9e5e..03092c61eda1 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -217,7 +217,7 @@ static int nft_socket_init(const struct nft_ctx *ctx,
 
 		level += err;
 		/* Implies a giant cgroup tree */
-		if (WARN_ON_ONCE(level > 255))
+		if (level > 255)
 			return -EOPNOTSUPP;
 
 		priv->level = level;
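
Review bot: The comment kept above the check at `if (level > 255)` still reads "Implies a giant cgroup tree", but the commit message says syzbot reached this branch by passing a huge level value, so the condition is reachable from user-supplied input and not only from a deep cgroup hierarchy. Consider rewording the comment to say that level is user-controlled and that out-of-range values are rejected with -EOPNOTSUPP, so nobody reintroduces a WARN here later. The bound is also tested only after `level += err`; the type of level is not visible in this hunk, so it is worth confirming the sum cannot wrap before the comparison. As a minor point for the backport, the Fixes: tag is separated from the other trailers by a blank line and sits between the two Signed-off-by lines; keeping the trailers in one contiguous block helps tooling that parses them.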
-- 
2.53.0



