netfilter: nf_tables: mask out non-verdict bits when checking return value

Florian Westphal · Florian Westphal · commit 4d26ab0086aa · 2023-10-18T10:26:43.000+02:00
nftables trace infra must mask out the non-verdict bit parts of the
return value, else followup changes that 'return errno &lt;&lt; 8 | NF_STOLEN'
will cause breakage.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
@@ -115,7 +115,7 @@ static noinline void __nft_trace_verdict(const struct nft_pktinfo *pkt,
 {
 	enum nft_trace_types type;
 
-	switch (regs->verdict.code) {
+	switch (regs->verdict.code & NF_VERDICT_MASK) {
 	case NFT_CONTINUE:
 	case NFT_RETURN:
 		type = NFT_TRACETYPE_RETURN;
diff --git a/net/netfilter/nf_tables_trace.c b/net/netfilter/nf_tables_trace.c
@@ -258,17 +258,21 @@ void nft_trace_notify(const struct nft_pktinfo *pkt,
 	case __NFT_TRACETYPE_MAX:
 		break;
 	case NFT_TRACETYPE_RETURN:
-	case NFT_TRACETYPE_RULE:
+	case NFT_TRACETYPE_RULE: {
+		unsigned int v;
+
 		if (nft_verdict_dump(skb, NFTA_TRACE_VERDICT, verdict))
 			goto nla_put_failure;
 
 		/* pkt->skb undefined iff NF_STOLEN, disable dump */
-		if (verdict->code == NF_STOLEN)
+		v = verdict->code & NF_VERDICT_MASK;
+		if (v == NF_STOLEN)
 			info->packet_dumped = true;
 		else
 			mark = pkt->skb->mark;
 
 		break;
+	}
 	case NFT_TRACETYPE_POLICY:
 		mark = pkt->skb->mark;
 

Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,7 @@ static noinline void __nft_trace_verdict(const struct nft_pktinfo *pkt,`
`115`	`115`	`{`
`116`	`116`	`enum nft_trace_types type;`
`117`	`117`
`118`		`- switch (regs->verdict.code) {`
	`118`	`+ switch (regs->verdict.code & NF_VERDICT_MASK) {`
`119`	`119`	`case NFT_CONTINUE:`
`120`	`120`	`case NFT_RETURN:`
`121`	`121`	`type = NFT_TRACETYPE_RETURN;`