netfilter pull request nf-25-08-13

-----BEGIN PGP SIGNATURE----- iQJBBAABCAArFiEEgKkgxbID4Gn1hq6fcJGo2a1f9gAFAmicWlINHGZ3QHN0cmxl bi5kZQAKCRBwkajZrV/2AFcpD/957FdnCNXL9HLbxNaeh+bGPS/t4SSVx9miAKJa lBBr8Xka2bT7SSWDzigjgdxPOI8dWP0b50pp1hiAmFN/ZiAgIZvYJkkLN0wrwpKB lQftsxXHCu4U5rkr+dZobgJyt3mLI/UP4L9Aigb2jZihsdMq1cnuXwA2HLVr2tjl VH8Xk266uHHluB3JarNA4EIIWpXi0VXVLeuWCzcSgjsCKfdyh8POHn3XFzcdJUAz 3g3/25e0U+S+/QU7fjfOryUr1smLw4oXk/gKwvbJZO9Spqo3Sr5V9/z2jxzp3+aB e/VfJhcXr/TmhnQH4y91Fgg3WWbh0p2yQNIAKzVGOdpNMXi2XSvL3IlANIXS5CbJ pnAjwlq31ANi5SML2UsUFaBTAwew7ptJdTXoSD0ydgUwvA69lQ6Nv9SCMibMIu9u drawMjlNwQ6vzpl02JqUMG5n7hsd4QHytHai/Ih3GUQaXUjDvXzNYWraRdoSrYNW 7vcA/VWm+zAAhIa57AiAm4UsfzJu7iZ4p/8d0bR801y75xnrDZK9yRHee725oZV3 JCIRg0II7K+c2hgA0UzBLysp5MPcpc4Ofw3lgVa1+uRxmrQciSZ6EEIAd4BwgwYf kzeZ1gwUIwBpyg8IVLoUolEgA7T6jFpfcVhJtID21ryOhepD5vZ3d8QR/33OffcF rmcATQ== =jWzU -----END PGP SIGNATURE----- Merge tag 'nf-25-08-13' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Florian Westphal says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for *net*: 1) I managed to add a null dereference crash in nft_set_pipapo in the current development cycle, was not caught by CI because the avx2 implementation is fine, but selftest splats when run on non-avx2 host. 2) Fix the ipvs estimater kthread affinity, was incorrect since 6.14. From Frederic Weisbecker. 3) nf_tables should not allow to add a device to a flowtable or netdev chain more than once -- reject this. From Pablo Neira Ayuso. This has been broken for long time, blamed commit dates from v5.8. * tag 'nf-25-08-13' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nf_tables: reject duplicate device on updates ipvs: Fix estimator kthreads preferred affinity netfilter: nft_set_pipapo: fix null deref for empty set ==================== Link: https://patch.msgid.link/20250813113800.20775-1-fw@strlen.de Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-08-15 14:11:42 +02:00 · 2025-08-13 14:51:51 -07:00 · 2025-08-13 14:51:51 -07:00 · 3bfc778297
commit 3bfc778297
parent d7e82594a4 cf5fb87fcd
5 changed files with 48 additions and 4 deletions
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@ -1163,6 +1163,14 @@ static inline const struct cpumask *sysctl_est_cpulist(struct netns_ipvs *ipvs)
 		return housekeeping_cpumask(HK_TYPE_KTHREAD);
 }

+static inline const struct cpumask *sysctl_est_preferred_cpulist(struct netns_ipvs *ipvs)
+{
+	if (ipvs->est_cpulist_valid)
+		return ipvs->sysctl_est_cpulist;
+	else
+		return NULL;
+}
+
 static inline int sysctl_est_nice(struct netns_ipvs *ipvs)
 {
 	return ipvs->sysctl_est_nice;
@ -1270,6 +1278,11 @@ static inline const struct cpumask *sysctl_est_cpulist(struct netns_ipvs *ipvs)
 	return housekeeping_cpumask(HK_TYPE_KTHREAD);
 }

+static inline const struct cpumask *sysctl_est_preferred_cpulist(struct netns_ipvs *ipvs)
+{
+	return NULL;
+}
+
 static inline int sysctl_est_nice(struct netns_ipvs *ipvs)
 {
 	return IPVS_EST_NICE;
--- a/kernel/kthread.c
+++ b/kernel/kthread.c
@ -893,6 +893,7 @@ out:

 	return ret;
 }
+EXPORT_SYMBOL_GPL(kthread_affine_preferred);

 /*
 * Re-affine kthreads according to their preferences
--- a/net/netfilter/ipvs/ip_vs_est.c
+++ b/net/netfilter/ipvs/ip_vs_est.c
@ -265,7 +265,8 @@ int ip_vs_est_kthread_start(struct netns_ipvs *ipvs,
 	}

 	set_user_nice(kd->task, sysctl_est_nice(ipvs));
-	set_cpus_allowed_ptr(kd->task, sysctl_est_cpulist(ipvs));
+	if (sysctl_est_preferred_cpulist(ipvs))
+		kthread_affine_preferred(kd->task, sysctl_est_preferred_cpulist(ipvs));

 	pr_info("starting estimator thread %d...\n", kd->id);
 	wake_up_process(kd->task);
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@ -2803,6 +2803,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 	struct nft_chain *chain = ctx->chain;
 	struct nft_chain_hook hook = {};
 	struct nft_stats __percpu *stats = NULL;
+	struct nftables_pernet *nft_net;
 	struct nft_hook *h, *next;
 	struct nf_hook_ops *ops;
 	struct nft_trans *trans;
@ -2845,6 +2846,20 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 				if (nft_hook_list_find(&basechain->hook_list, h)) {
 					list_del(&h->list);
 					nft_netdev_hook_free(h);
+					continue;
+				}
+
+				nft_net = nft_pernet(ctx->net);
+				list_for_each_entry(trans, &nft_net->commit_list, list) {
+					if (trans->msg_type != NFT_MSG_NEWCHAIN ||
+					    trans->table != ctx->table ||
+					    !nft_trans_chain_update(trans))
+						continue;
+
+					if (nft_hook_list_find(&nft_trans_chain_hooks(trans), h)) {
+						nft_chain_release_hook(&hook);
+						return -EEXIST;
+					}
 				}
 			}
 		} else {
@ -9060,6 +9075,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
 {
 	const struct nlattr * const *nla = ctx->nla;
 	struct nft_flowtable_hook flowtable_hook;
+	struct nftables_pernet *nft_net;
 	struct nft_hook *hook, *next;
 	struct nf_hook_ops *ops;
 	struct nft_trans *trans;
@ -9076,6 +9092,20 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
 		if (nft_hook_list_find(&flowtable->hook_list, hook)) {
 			list_del(&hook->list);
 			nft_netdev_hook_free(hook);
+			continue;
+		}
+
+		nft_net = nft_pernet(ctx->net);
+		list_for_each_entry(trans, &nft_net->commit_list, list) {
+			if (trans->msg_type != NFT_MSG_NEWFLOWTABLE ||
+			    trans->table != ctx->table ||
+			    !nft_trans_flowtable_update(trans))
+				continue;
+
+			if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) {
+				err = -EEXIST;
+				goto err_flowtable_update_hook;
+			}
 		}
 	}

--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@ -426,10 +426,9 @@ static struct nft_pipapo_elem *pipapo_get(const struct nft_pipapo_match *m,

 	local_bh_disable();

-	if (unlikely(!raw_cpu_ptr(m->scratch)))
-		goto out;
-
 	scratch = *raw_cpu_ptr(m->scratch);
+	if (unlikely(!scratch))
+		goto out;

 	map_index = scratch->map_index;