Re: [syzbot] [netfilter?] WARNING in nft_socket_init (2)

[Pablo Neira Ayuso]

On Fri, Jul 25, 2025 at 05:46:30AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    94619ea2d933 Merge tag 'ipsec-next-2025-07-23' of git://gi..
> git tree:       net-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=14bf10a2580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ceda48240b85ec34
> dashboard link: https://syzkaller.appspot.com/bug?extid=a225fea35d7baf8dbdc3
> compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12bf10a2580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13d27fd4580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/afd64d9816ee/disk-94619ea2.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/e1755ce1f83b/vmlinux-94619ea2.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/2061dff2fbf4/bzImage-94619ea2.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a225fea35d7baf8dbdc3@xxxxxxxxxxxxxxxxxxxxxxxxx

Attached patch should fix this.
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index 35d0409b0095..36affbb697c2 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -217,7 +217,7 @@ static int nft_socket_init(const struct nft_ctx *ctx,
 
 		level += err;
 		/* Implies a giant cgroup tree */
-		if (WARN_ON_ONCE(level > 255))
+		if (level > 255)
 			return -EOPNOTSUPP;
 
 		priv->level = level;