From: Florian Westphal Batch support design attempts to process the entire batch, even after a call has returned an error. The advantage is that userspace gets all errors in one go. The disadvantages are: 1. ->call() needs to cope with bad-state-due-to-previous-error 2. One error can trigger a cascade of followup errors which can obfuscate the real problem. Make -ENOMEM fatal, if we cannot allocate some object there is a high chance we're going to report followup errors that are nonsensical from userspace point of view. Fixes: 0628b123c96d ("netfilter: nfnetlink: add batch support and use it from nf_tables") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nfnetlink.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index 47f3ed441f64..a1d480e4789c 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c @@ -531,6 +531,13 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh, status |= NFNL_BATCH_REPLAY; goto done; } + + /* No point in further processing; followup errors can + * be bogus (e.g. -ENOENT because object that next + * rule/element wants could not be inserted). + */ + if (err == -ENOMEM) + goto ack; } ack: if (nlh->nlmsg_flags & NLM_F_ACK || err) { -- 2.47.3
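Review bot: the new early exit keys on the exact value -ENOMEM, so an allocation failure that a ->call() handler surfaces under a different errno still falls through to the rest of the loop and can produce the same cascade of bogus followup errors the commit message describes; if restricting the abort to -ENOMEM is deliberate, say so in the comment, and consider also stating there that `goto ack` skips every remaining message in the batch and reports only the failing message through the `if (nlh->nlmsg_flags & NLM_F_ACK || err)` path, since userspace that expected one error per bad message will now see the batch cut short at the first allocation failure.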