Commit d6f6c6d9 authored by Jakub Kicinski
Florian Westphal says:

====================
netfilter: updates for net

The following patchset contains Netfilter fixes for *net*:

1) Fix overlap detection for nf_tables with concatenated ranges.
   There are cases where an element could not be added due to a conflict
   with an existing range, while the kernel reports success to userspace.
2) update selftest to cover this bug.
3) synproxy update path should use READ/WRITE once as we replace
   config struct while packet path might read it in parallel.
   This relies on said config struct to fit sizeof(long).
   From Fernando Fernandez Mancera.
4) Don't return -EEXIST from xtables in module load path, a pending
   patch to module infra will spot a warning if this happens.
   From Daniel Gomez.
5) Fix a memory leak in nf_tables when chain hits 2**32 users
   and rule is to be hw-offloaded, from Zilin Guan.
6) Avoid infinite list growth when insert rate is high in nf_conncount,
   also from Fernando.

* tag 'nf-26-01-02' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nf_conncount: update last_gc only when GC has been performed
  netfilter: nf_tables: fix memory leak in nf_tables_newrule()
  netfilter: replace -EEXIST with -EBUSY
  netfilter: nft_synproxy: avoid possible data-race on update operation
  selftests: netfilter: nft_concat_range.sh: add check for overlap detection bug
  netfilter: nft_set_pipapo: fix range overlap detection
====================

Link: https://patch.msgid.link/20260102114128.7007-1-fw@strlen.de


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents 2ef02ac3 7811ba45
+1 −1
@@ -1299,7 +1299,7 @@ int ebt_register_template(const struct ebt_table *t, int (*table_init)(struct ne
	list_for_each_entry(tmpl, &template_tables, list) {
		if (WARN_ON_ONCE(strcmp(t->name, tmpl->name) == 0)) {
			mutex_unlock(&ebt_mutex);
			return -EEXIST;
			return -EBUSY;
		}
	}
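Review bot: The `return -EBUSY;` line changes what ebt_register_template reports for a duplicate template name without any comment at the site saying why -EEXIST is now avoided, and the same applies to the two `ret = -EBUSY;` lines in nf_log_register in the next file section. A caller that recognised "already registered" by -EEXIST will now see -EBUSY, which reads as a transient condition, so the reason given in the merge description should be recorded where the code is: `/* not -EEXIST: this runs on the module-load path, where that code is reserved for the module loader */`. The WARN_ON_ONCE() on the same condition stays, so the duplicate is still reported once. ebt_register_template begins and ends outside the hunk.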

+1 −1
@@ -229,6 +229,7 @@ static int __nf_conncount_add(struct net *net,

		nf_ct_put(found_ct);
	}
	list->last_gc = (u32)jiffies;

add_new_node:
	if (WARN_ON_ONCE(list->count > INT_MAX)) {
@@ -248,7 +249,6 @@ static int __nf_conncount_add(struct net *net,
	conn->jiffies32 = (u32)jiffies;
	list_add_tail(&conn->node, &list->head);
	list->count++;
	list->last_gc = (u32)jiffies;

out_put:
	if (refcounted)
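Review bot: The relocated `list->last_gc = (u32)jiffies;` now runs after the list walk that ends at the `}` above it rather than after `list->count++`, but nothing at the new line says that finishing the walk is what counts as "GC performed", which is the whole point of the move. A one-line comment would pin that meaning: `/* the list was just walked: restart the GC interval here, not on every insertion */`. Whether every path reaching `add_new_node:` has walked the list cannot be seen from the hunk; if some path jumps straight to the label, last_gc stays at its old value there, which appears intended but is worth saying in the same comment. __nf_conncount_add starts before the first hunk and continues after the second.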
+2 −2
@@ -89,7 +89,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger)
	if (pf == NFPROTO_UNSPEC) {
		for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) {
			if (rcu_access_pointer(loggers[i][logger->type])) {
				ret = -EEXIST;
				ret = -EBUSY;
				goto unlock;
			}
		}
@@ -97,7 +97,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger)
			rcu_assign_pointer(loggers[i][logger->type], logger);
	} else {
		if (rcu_access_pointer(loggers[pf][logger->type])) {
			ret = -EEXIST;
			ret = -EBUSY;
			goto unlock;
		}
		rcu_assign_pointer(loggers[pf][logger->type], logger);
+2 −1
@@ -4439,7 +4439,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,

	if (!nft_use_inc(&chain->use)) {
		err = -EMFILE;
		goto err_release_rule;
		goto err_destroy_flow;
	}

	if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
@@ -4489,6 +4489,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,

err_destroy_flow_rule:
	nft_use_dec_restore(&chain->use);
err_destroy_flow:
	if (flow)
		nft_flow_rule_destroy(flow);
err_release_rule:
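Review bot: The new `err_destroy_flow:` label sits between `nft_use_dec_restore(&chain->use);` and `if (flow)`, so the failed nft_use_inc() path now skips the restore of a count it never took but still destroys flow; that one-line placement is what makes the leak fix correct, and it deserves a comment so a later edit does not move the label above the restore. Suggested: `err_destroy_flow: /* chain->use was not taken on this path; flow may still be allocated */`. The `if (flow)` guard suggests flow can be NULL when this label is reached, which the hunk does not show. nf_tables_newrule begins and ends outside both hunks.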
+2 −2
@@ -1317,8 +1317,8 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,
		else
			dup_end = dup_key;

		if (!memcmp(start, dup_key->data, sizeof(*dup_key->data)) &&
		    !memcmp(end, dup_end->data, sizeof(*dup_end->data))) {
		if (!memcmp(start, dup_key->data, set->klen) &&
		    !memcmp(end, dup_end->data, set->klen)) {
			*elem_priv = &dup->priv;
			return -EEXIST;
		}
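Review bot: The two `memcmp(..., set->klen)` lines now compare the whole key, but they rely on `start`, `end`, `dup_key->data` and `dup_end->data` each holding at least set->klen bytes, and nothing in the hunk states that invariant. Because the old code compared only sizeof(*dup_key->data) bytes, a comment should record why klen is the right length: `/* compare the full klen-byte key, not just its first element */`. A full match still sets `*elem_priv` and returns -EEXIST, so the caller's duplicate handling is unchanged; how partial overlaps are detected is not visible in this hunk. nft_pipapo_insert starts and ends outside the hunk.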