hulk inclusion category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14141 CVE: CVE-2026-23272 -------------------------------- The initialization process of elem is missing in nft_add_set_elem(), which lead to null-ptr-deref of nft_setelem_remove as below. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000014 Call trace: nft_setelem_remove+0x28/0xe0 [nf_tables] __nf_tables_abort+0x5f8/0xbe8 [nf_tables] nf_tables_abort+0x64/0x1c8 [nf_tables] nfnetlink_rcv_batch+0x2d8/0x850 [nfnetlink] nfnetlink_rcv+0x168/0x1a8 [nfnetlink] netlink_unicast_kernel+0x7c/0x160 netlink_unicast+0x1ac/0x250 netlink_sendmsg+0x21c/0x458 __sock_sendmsg+0x4c/0xa8 ____sys_sendmsg+0x280/0x300 ___sys_sendmsg+0x8c/0xf8 __sys_sendmsg+0x74/0xe0 __arm64_sys_sendmsg+0x2c/0x40 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x48/0x78 el0_slow_syscall+0x44/0x1b8 el0t_64_sync_handler+0x100/0x130 el0t_64_sync+0x188/0x190 Initialize elem to fix it. Fixes: e7a6bffde0fe ("netfilter: nf_tables: unconditionally bump set->nelems before insertion") Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com> --- net/netfilter/nf_tables_api.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index d8057efc777d..ef4f6f8c7a3f 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -7144,6 +7144,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, goto err_element_clash; } + nft_trans_elem(trans) = elem; nft_trans_commit_list_add_tail(ctx->net, trans); return set_full ? -ENFILE : 0; -- 2.25.1