
Merge tag 'nf-25-08-13' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Florian Westphal says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for *net*:

1) I managed to add a null dereference crash in nft_set_pipapo
in the current development cycle, was not caught by CI
because the avx2 implementation is fine, but selftest
splats when run on non-avx2 host.

2) Fix the ipvs estimator kthread affinity, which was incorrect
since 6.14. From Frederic Weisbecker.

3) nf_tables should not allow to add a device to a flowtable
or netdev chain more than once -- reject this.
From Pablo Neira Ayuso. This has been broken for long time,
blamed commit dates from v5.8.

* tag 'nf-25-08-13' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
netfilter: nf_tables: reject duplicate device on updates
ipvs: Fix estimator kthreads preferred affinity
netfilter: nft_set_pipapo: fix null deref for empty set
====================

Link: https://patch.msgid.link/20250813113800.20775-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+48 -4
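--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -1163,6 +1163,14 @@
 return housekeeping_cpumask(HK_TYPE_KTHREAD);
 }
 
+static inline const struct cpumask *sysctl_est_preferred_cpulist(struct netns_ipvs *ipvs)
+{
+if (ipvs->est_cpulist_valid)
+return ipvs->sysctl_est_cpulist;
+else
+return NULL;
+}
+
 static inline int sysctl_est_nice(struct netns_ipvs *ipvs)
 {
 return ipvs->sysctl_est_nice;
@@ -1276,6 +1268,11 @@
 static inline const struct cpumask *sysctl_est_cpulist(struct netns_ipvs *ipvs)
 {
 return housekeeping_cpumask(HK_TYPE_KTHREAD);
+}
+
+static inline const struct cpumask *sysctl_est_preferred_cpulist(struct netns_ipvs *ipvs)
+{
+return NULL;
 }
 
 static inline int sysctl_est_nice(struct netns_ipvs *ipvs)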
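Review bot: The new `sysctl_est_preferred_cpulist()` helper does not say what a NULL return means, and its caller in net/netfilter/ipvs/ip_vs_est.c (this same commit) silently skips affinity setup on NULL, so the contract belongs at the definition; a one-line comment above the first definition, `/* User-configured estimator cpulist, or NULL when none is set (keep the kthread's default affinity). */`, would cover both the sysctl build and the stub that always returns NULL. The if/else pair reads more directly as a single expression, `return ipvs->est_cpulist_valid ? ipvs->sysctl_est_cpulist : NULL;`. I am inferring that the second definition sits in the `#else` branch of the same conditional as the neighbouring `sysctl_est_cpulist()` stub; the preprocessor lines are outside the hunk.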
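--- a/kernel/kthread.c
+++ b/kernel/kthread.c
@@ -893,6 +893,7 @@
 
 return ret;
 }
+EXPORT_SYMBOL_GPL(kthread_affine_preferred);
 
 /*
 * Re-affine kthreads according to their preferences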
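--- a/net/netfilter/ipvs/ip_vs_est.c
+++ b/net/netfilter/ipvs/ip_vs_est.c
@@ -265,7 +265,8 @@
 }
 
 set_user_nice(kd->task, sysctl_est_nice(ipvs));
-set_cpus_allowed_ptr(kd->task, sysctl_est_cpulist(ipvs));
+if (sysctl_est_preferred_cpulist(ipvs))
+kthread_affine_preferred(kd->task, sysctl_est_preferred_cpulist(ipvs));
 
 pr_info("starting estimator thread %d...\n", kd->id);
 wake_up_process(kd->task);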
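Review bot: The return value of `kthread_affine_preferred()` is dropped on new line 269; the kernel/kthread.c hunk of this same commit ends that function with `return ret;`, so it appears to report failure, and a rejected affinity request would go unnoticed whereas the replaced `set_cpus_allowed_ptr()` call used `sysctl_est_cpulist()`, which in the ip_vs.h hunk falls back to `housekeeping_cpumask()`. Evaluating the cpulist once and checking the result would read as `const struct cpumask *cpulist = sysctl_est_preferred_cpulist(ipvs);` / `if (cpulist && kthread_affine_preferred(kd->task, cpulist))` / `pr_warn("estimator thread %d: affinity request failed\n", kd->id);`. The enclosing function starts and ends outside the hunk, so whether a failure here should instead abort thread start-up cannot be judged from the visible lines.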
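--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2803,6 +2803,7 @@
 struct nft_chain *chain = ctx->chain;
 struct nft_chain_hook hook = {};
 struct nft_stats __percpu *stats = NULL;
+struct nftables_pernet *nft_net;
 struct nft_hook *h, *next;
 struct nf_hook_ops *ops;
 struct nft_trans *trans;
@@ -2846,6 +2845,20 @@
 if (nft_hook_list_find(&basechain->hook_list, h)) {
 list_del(&h->list);
 nft_netdev_hook_free(h);
+continue;
+}
+
+nft_net = nft_pernet(ctx->net);
+list_for_each_entry(trans, &nft_net->commit_list, list) {
+if (trans->msg_type != NFT_MSG_NEWCHAIN ||
+trans->table != ctx->table ||
+!nft_trans_chain_update(trans))
+continue;
+
+if (nft_hook_list_find(&nft_trans_chain_hooks(trans), h)) {
+nft_chain_release_hook(&hook);
+return -EEXIST;
+}
 }
 }
 } else {
@@ -9075,6 +9060,7 @@
 {
 const struct nlattr * const *nla = ctx->nla;
 struct nft_flowtable_hook flowtable_hook;
+struct nftables_pernet *nft_net;
 struct nft_hook *hook, *next;
 struct nf_hook_ops *ops;
 struct nft_trans *trans;
@@ -9092,6 +9076,20 @@
 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
 list_del(&hook->list);
 nft_netdev_hook_free(hook);
+continue;
+}
+
+nft_net = nft_pernet(ctx->net);
+list_for_each_entry(trans, &nft_net->commit_list, list) {
+if (trans->msg_type != NFT_MSG_NEWFLOWTABLE ||
+trans->table != ctx->table ||
+!nft_trans_flowtable_update(trans))
+continue;
+
+if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) {
+err = -EEXIST;
+goto err_flowtable_update_hook;
+}
 }
 }
 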
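Review bot: The pending-transaction scan added at new lines 2851-2861 filters on the table (`trans->table != ctx->table`) but not on the chain being updated, so if two different netdev chains of one table are updated in the same batch and both add the same device, the second update is rejected with -EEXIST even though, as far as I know, hooking one device from two chains is otherwise permitted; if that cross-chain rejection is not intended, the filter needs `nft_trans_chain(trans) != chain ||` next to the table test, and the flowtable loop at new lines 9082-9092 needs the matching `nft_trans_flowtable(trans) != flowtable ||`. I am inferring this case from the visible conditions only; both function bodies start and end outside the hunks. Separately, `nft_net = nft_pernet(ctx->net);` is loop-invariant yet is reassigned once per hook in both loops; it can be initialised at the declarations added at lines 2806 and 9063, `struct nftables_pernet *nft_net = nft_pernet(ctx->net);`.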
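--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -426,10 +426,9 @@
 
 local_bh_disable();
 
-if (unlikely(!raw_cpu_ptr(m->scratch)))
-goto out;
-
 scratch = *raw_cpu_ptr(m->scratch);
+if (unlikely(!scratch))
+goto out;
 
 map_index = scratch->map_index;
 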
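Review bot: The moved NULL test at new lines 429-431 now checks the per-cpu scratch pointer itself rather than the per-cpu slot address from `raw_cpu_ptr()`, which is the actual fix, but nothing in the code says when `*raw_cpu_ptr(m->scratch)` can be NULL; the commit title ties it to an empty set, so a comment on the check such as `/* no scratch map has been allocated for this CPU yet (e.g. empty set) */` would stop a later reader from "simplifying" it back to the slot-address form. I am taking the empty-set condition from the commit message rather than from visible code. The enclosing function starts and ends outside the hunk.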