Linux/linux 2c7c88adrivers/bluetooth btintel_pcie.c, net/bluetooth l2cap_core.c hci_sync.c

Merge tag 'net-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Paolo Abeni:
 "Including fixes from netfilter, Bluetooth and batman-adv.

  Current release - regressions:

   - bluetooth: fix using chan->conn as indication to no remote netdev

  Current release - new code bugs:

   - netfilter: cap to maximum number of expectation per master on
     updates

  Previous releases - regressions:

   - bluetooth:
      - fix UAF of hci_conn_params in add_device_complete
      - fix null ptr deref in hci_abort_conn()

    [53 lines not shown]
DeltaFile
+109-31net/bluetooth/l2cap_core.c
+121-16net/bluetooth/hci_sync.c
+51-56net/bluetooth/l2cap_sock.c
+52-50drivers/bluetooth/btintel_pcie.c
+56-29net/netfilter/ipset/ip_set_hash_gen.h
+23-61net/bluetooth/6lowpan.c
+412-243106 files not shown
+1,407-745112 files

Linux/linux f508900drivers/net macsec.c

macsec: don't read an unset MAC header in macsec_encrypt()

macsec_encrypt() reads the Ethernet header via eth_hdr(skb)
(skb->head + skb->mac_header) to memmove() the 12 source/destination MAC
bytes forward and make room for the SecTAG.

On the AF_PACKET SOCK_RAW + PACKET_QDISC_BYPASS transmit path the skb
reaches the macsec ndo_start_xmit() with the MAC header unset, so
eth_hdr(skb) resolves to skb->head + (u16)~0 and the read is out of
bounds: a 12-byte heap over-read that is also emitted on the wire as the
frame's outer source/destination MAC. KASAN reports a slab-out-of-bounds
read in macsec_start_xmit() on 6.0; on current mainline a CONFIG_DEBUG_NET
build flags it as an unset mac header in skb_mac_header().

On the TX path the L2 header is at skb->data, so use skb_eth_hdr(), added
by commit 96cc4b69581d ("macvlan: do not assume mac_header is set in
macvlan_broadcast()") for exactly this purpose.

Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")

    [5 lines not shown]
DeltaFile
+1-1drivers/net/macsec.c
+1-11 files

Linux/linux 78237e3drivers/dibs dibs_loopback.c

dibs: loopback: validate offset and size in move_data()

The loopback move_data() performs a memcpy into the registered DMB
without checking whether offset + size exceeds the DMB length.  Unlike
real ISM hardware, which enforces memory region bounds natively, the
software loopback has no such protection.

A peer-supplied out-of-bounds offset or oversized write would result in
an OOB write past the allocated kernel buffer.  Add an explicit bounds
check before the memcpy to reject such requests with -EINVAL.

Fixes: f7a22071dbf3 ("net/smc: implement DMB-related operations of loopback-ism")
Cc: stable at vger.kernel.org
Reported-by: Federico Kirschbaum <federico.kirschbaum at xbow.com>
Signed-off-by: Dust Li <dust.li at linux.alibaba.com>
Reported-by: Baul Lee <baul.lee at xbow.com>
Link: https://patch.msgid.link/20260707074318.1448662-1-dust.li@linux.alibaba.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
DeltaFile
+5-0drivers/dibs/dibs_loopback.c
+5-01 files

Linux/linux fabb881drivers/net/ethernet/marvell/octeontx2/af rvu_nix.c

octeontx2-af: fix VF bringup affecting PF promiscuous state

Mbox handling of nix_set_rx_mode for a VF with promiscuous and
all_multi flags set to false causes deletion of the PF's promiscuous
and allmulti MCAM rules. This occurs because the APIs that
enable/disable these rules operate only on the PF, even when the
mbox request is made via a VF interface.

Guard both rvu_npc_enable_allmulti_entry() and
rvu_npc_enable_promisc_entry() disable paths with an is_vf() check so
that a VF bringing up or tearing down its interface cannot inadvertently
clear the PF's MCAM rules.

Fixes: 967db3529eca ("octeontx2-af: add support for multicast/promisc packet replication feature")
Signed-off-by: Harman Kalra <hkalra at marvell.com>
Signed-off-by: Nitin Shetty J <nshettyj at marvell.com>
Link: https://patch.msgid.link/20260702045616.3002773-2-nshettyj@marvell.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
DeltaFile
+2-2drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+2-21 files

Linux/linux 24c4c88net/netfilter nfnetlink_log.c nf_flow_table_offload.c, net/netfilter/ipset ip_set_hash_gen.h

Merge tag 'nf-26-07-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Florian Westphal says:

====================
netfilter: updates for net

The following patchset contains Netfilter fixes for *net*.

Most of these are LLM fixes for old issues flagged by sashiko/LLMs.

Many of these trigger drive-by-findings in sashiko. In particular:

- many load/store tearing and missing memory barriers, races
  etc. in ipset, esp. with GC and resizing.
  Keeping the proposed patches spinning for yet-another-iteration
  keeps legit fixes back, so I prefer to add these now and follow
  up with other reports later.
- flowtable work queue still has possible races with teardown,

    [78 lines not shown]
DeltaFile
+56-29net/netfilter/ipset/ip_set_hash_gen.h
+20-11net/netfilter/ipvs/ip_vs_core.c
+17-9net/netfilter/nfnetlink_log.c
+20-2net/netfilter/nf_flow_table_offload.c
+12-9net/netfilter/nf_flow_table_ip.c
+11-8net/netfilter/nf_flow_table_core.c
+136-6810 files not shown
+196-10916 files

Linux/linux b62869anet/ethtool netlink.h rss.c

ethtool: rss: Fix hfunc and input_xfrm parsing on big endian

ETHTOOL_A_RSS_HFUNC and ETHTOOL_A_RSS_INPUT_XFRM are NLA_U32 attributes,
but ethnl_rss_set() and ethnl_rss_create_doit() parse them with
ethnl_update_u8(), which reads a single byte.

On little endian this happens to read the least significant byte and
works as long as the value fits in a byte. On big endian it reads the
most significant byte, so the requested value is parsed incorrectly.

The destination fields in struct ethtool_rxfh_param are u8, so the
attribute can't be read directly with ethnl_update_u32().
Cap the hfunc policy at U8_MAX so an out of range value is rejected
instead of being silently truncated into the u8 field, and add
ethnl_update_u8_u32() to read the full u32 and narrow it into the u8
destination.

Fixes: 82ae67cbc423 ("ethtool: rss: support setting hfunc via Netlink")
Fixes: d3e2c7bab124 ("ethtool: rss: support setting input-xfrm via Netlink")

    [6 lines not shown]
DeltaFile
+28-0net/ethtool/netlink.h
+8-6net/ethtool/rss.c
+36-62 files

Linux/linux c914307drivers/net/ethernet/mellanox/mlx5/core/lib port_tun.c

net/mlx5: Fix L3 tunnel entropy refcount leak

mlx5_tun_entropy_refcount_inc() counts both VXLAN and L2-to-L3
tunnel reformat entries as entropy-enabling users. The matching
decrement path only handled VXLAN, leaving L2-to-L3 tunnel entries
counted after release.

Handle MLX5_REFORMAT_TYPE_L2_TO_L3_TUNNEL in
mlx5_tun_entropy_refcount_dec() as well so the enabling entry
refcount remains balanced.

Fixes: f828ca6a2fb6 ("net/mlx5e: Add support for hw encapsulation of MPLS over UDP")
Signed-off-by: Li RongQing <lirongqing at baidu.com>
Reviewed-by: Simon Horman <horms at kernel.org>
Reviewed-by: Tariq Toukan <tariqt at nvidia.com>
Link: https://patch.msgid.link/20260703141423.1723-1-lirongqing@baidu.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
DeltaFile
+2-1drivers/net/ethernet/mellanox/mlx5/core/lib/port_tun.c
+2-11 files

Linux/linux 604e959net/batman-adv mesh-interface.c main.c

Merge tag 'batadv-net-pullrequest-20260708' of https://git.open-mesh.org/batadv

Simon Wunderlich says:

====================
Here are some batman-adv bugfixes, all by Sven Eckelmann:

 - ensure minimal ethernet header on TX

 - fix VLAN priority offset

 - clean untagged VLAN on netdev registration failure

 - tt: avoid request storms during pending request

 - tt: prevent TVLV OOB check overflow

 - frag: free unfragmentable packet


    [20 lines not shown]
DeltaFile
+5-11net/batman-adv/mesh-interface.c
+9-1net/batman-adv/main.c
+5-3net/batman-adv/fragmentation.c
+3-4net/batman-adv/multicast_forw.c
+3-2net/batman-adv/translation-table.c
+2-0net/batman-adv/mesh-interface.h
+27-211 files not shown
+28-227 files

Linux/linux 27f5758drivers/net/ethernet/cadence macb_main.c

net: macb: drop in-flight Tx SKBs on close

The MACB driver has since forever leaked the outgoing SKBs that
have not yet been marked as completed. They live in queue->tx_skb
which gets freed without remorse nor checking.

macb_free_consistent() gets called in a few codepaths, but only close will
trigger the added expressions. In macb_open() and macb_alloc_consistent()
failure cases, queues' tx_skb just got allocated and are empty.

Fixes: 89e5785fc8a6 ("[PATCH] Atmel MACB ethernet driver")
Cc: stable at vger.kernel.org
Reviewed-by: Nicolai Buchwitz <nb at tipi-net.de>
Signed-off-by: Théo Lebrun <theo.lebrun at bootlin.com>
Link: https://patch.msgid.link/20260702-macb-drop-tx-v4-1-1c833eebdbc8@bootlin.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
DeltaFile
+19-2drivers/net/ethernet/cadence/macb_main.c
+19-21 files

Linux/linux c26c33edrivers/net/ethernet/microsoft/mana mana_en.c, include/net/mana mana.h

Merge branch 'fix-mana-rx-with-bounce-buffering'

Dexuan Cui says:

====================
Fix MANA RX with bounce buffering

With swiotlb=force, the MANA NIC fails to work properly due to commit
730ff06d3f5c ("net: mana: Use page pool fragments for RX buffers instead
of full pages to improve memory efficiency.").

This happens because, with the standard MTU=1500, the aforementioned
commit uses page pool frags with PP_FLAG_DMA_MAP, but fails to call
page_pool_dma_sync_for_cpu() to sync the received packet for CPU acces
before handing the RX buffer to the stack.

Here patch #2 adds the required page_pool_dma_sync_for_cpu().

Patch #1 validates the packet length reported by the NIC. With patch #2,

    [14 lines not shown]
DeltaFile
+50-11drivers/net/ethernet/microsoft/mana/mana_en.c
+8-0include/net/mana/mana.h
+58-112 files

Linux/linux c72a0f0drivers/net/ethernet/microsoft/mana mana_en.c, include/net/mana mana.h

net: mana: Sync page pool RX frags for CPU

MANA allocates RX buffers from page pool fragments when frag_count is
greater than 1. In that case the buffers remain DMA mapped by page pool
and the RX completion path does not call dma_unmap_single(). As a result,
the implicit sync-for-CPU normally performed by dma_unmap_single() is
missing before the packet data is passed to the networking stack.

This breaks RX on configurations which require explicit DMA syncing, for
example when booted with swiotlb=force.

Fix this by recording the page pool page and DMA sync offset when the RX
buffer is allocated, and syncing the received packet range for CPU access
before handing the RX buffer to the stack.

Fixes: 730ff06d3f5c ("net: mana: Use page pool fragments for RX buffers instead of full pages to improve memory efficiency.")
Cc: stable at vger.kernel.org
Reviewed-by: Haiyang Zhang <haiyangz at microsoft.com>
Signed-off-by: Dexuan Cui <decui at microsoft.com>

    [2 lines not shown]
DeltaFile
+33-7drivers/net/ethernet/microsoft/mana/mana_en.c
+8-0include/net/mana/mana.h
+41-72 files

Linux/linux 2e2a83bdrivers/net/ethernet/microsoft/mana mana_en.c

net: mana: Validate the packet length reported by the NIC

Validate the packet length reported in the RX CQE before passing it
to skb processing. The CQE is supplied by the NIC device and should
not be blindly trusted.

Cc: stable at vger.kernel.org
Reviewed-by: Haiyang Zhang <haiyangz at microsoft.com>
Signed-off-by: Dexuan Cui <decui at microsoft.com>
Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
Link: https://patch.msgid.link/20260702041237.617719-2-decui@microsoft.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
DeltaFile
+18-5drivers/net/ethernet/microsoft/mana/mana_en.c
+18-51 files

Linux/linux f4ef35etools/testing/selftests/net tcp_mmap.c

selftests/net: fix EVP_MD_CTX leak in tcp_mmap

In tcp_mmap.c, both child_thread() and main() allocate an EVP_MD_CTX
via EVP_MD_CTX_new() when integrity checking is enabled, but neither
function releases the context.  child_thread() misses the free in its
common cleanup block, and main() returns without freeing the context.

This results in a SHA256 context leak on every run that uses the
‑i (integrity) option.  Add the missing EVP_MD_CTX_free() calls to
the appropriate cleanup paths to fix the leak.

Fixes: 5c5945dc695c ("selftests/net: Add SHA256 computation over data sent in tcp_mmap")
Signed-off-by: Wang Yan <wangyan01 at kylinos.cn>
Link: https://patch.msgid.link/20260702025949.442523-1-wangyan01@kylinos.cn
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
DeltaFile
+4-0tools/testing/selftests/net/tcp_mmap.c
+4-01 files

Linux/linux 6bad2e3drivers/hid hid-appleir.c hid-letsketch.c, tools/testing/selftests/hid hid_bpf.c

Merge tag 'hid-for-linus-2026070801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid

Pull HID fixes from Jiri Kosina:

 - OOB, UAF, NULL-deref fixes in core and picolcd, logitech, letsketch,
   appleir and multitouch drivers (Georgiy Osokin, HyeongJun An, Lee
   Jones, Manish Khadka, Maoyi Xie and Trung Nguyen)

 - fix for integer wraparound (and corresponding regression selftest) in
   hid-bpf (Yiyang Chen)

* tag 'hid-for-linus-2026070801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
  selftests/hid: multitouch: test a large ContactCountMaximum
  HID: multitouch: fix out-of-bounds bit access on mt_io_flags
  selftests/hid: Cover hid_bpf_get_data() size overflow
  selftests/hid: Load only requested struct_ops maps
  HID: bpf: Fix hid_bpf_get_data() range check
  HID: lg-g15: cancel pending work on remove to fix a use-after-free
  HID: logitech-dj: Fix maxfield check in DJ short report validation

    [4 lines not shown]
DeltaFile
+114-0tools/testing/selftests/hid/tests/test_multitouch.py
+35-10drivers/hid/hid-appleir.c
+29-7tools/testing/selftests/hid/hid_bpf.c
+33-3drivers/hid/hid-letsketch.c
+20-12drivers/hid/hid-multitouch.c
+16-0drivers/hid/hid-lg-g15.c
+247-326 files not shown
+283-3712 files

Linux/linux 2500fa3net/netfilter/ipvs ip_vs_proto_tcp.c

ipvs: use parsed transport offset in TCP state lookup

TCP state handling reparses the skb to find the TCP header. For IPv6 it
uses sizeof(struct ipv6hdr), while the surrounding IPVS code already
parsed the packet with ip_vs_fill_iph_skb() and has the real
transport-header offset in iph.len.

This makes TCP state handling look at the wrong bytes when an IPv6
packet carries extension headers. Use the parsed transport offset passed
down from ip_vs_set_state() when reading the TCP header.

For IPv4 and for IPv6 packets without extension headers, the passed
offset matches the previous value.

Fixes: 0bbdd42b7efa6 ("IPVS: Extend protocol DNAT/SNAT and state handlers")
Link: https://lore.kernel.org/netdev/20260705125659.37744-1-zhaoyz24@mails.tsinghua.edu.cn/
Reported-by: Yizhou Zhao <zhaoyz24 at mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22 at mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao at seu.edu.cn>

    [7 lines not shown]
DeltaFile
+1-7net/netfilter/ipvs/ip_vs_proto_tcp.c
+1-71 files

Linux/linux 6c5dcabinclude/net/netfilter nf_flow_table.h, net/netfilter nf_flow_table_offload.c nf_flow_table_core.c

netfilter: flowtable: IPIP tunnel hardware offload is not yet support

No driver supports for IPIP tunnels yet, give up early on setting up the
hardware offload for this scenario.

This patch adds a stub that can be enhanced to add more configuration
that are currently not supported. As of now, the offload work is
enqueued to the worker, then ignored if the hardware offload
configuration is not supported.

Check the NF_FLOW_HW flag to know if this entry was already tried once
to be offloaded so this is not retried on refresh when unsupported. Move
NF_FLOW_HW flag check to nf_flow_offload_add(). If this NF_FLOW_HW flag
is unset the _del and _stats variants are never called.

This can be updated later on to skip hardware offload work to be queued
in case hardware offload does not support it.

Fixes: d98103575dcd ("netfilter: flowtable: Add IP6IP6 rx sw acceleration")

    [8 lines not shown]
DeltaFile
+20-2net/netfilter/nf_flow_table_offload.c
+3-4net/netfilter/nf_flow_table_core.c
+2-0include/net/netfilter/nf_flow_table.h
+25-63 files

Linux/linux 724f326net/netfilter/ipset ip_set_hash_gen.h

netfilter: ipset: allocate the proper memory for the generic hash structure

Because a single create function is emitted for every hash type,
from the IPv4 and IPv6 generic hash structure definitions the last
one, i.e. the IPv6 was in effect for IPv4 too. Use the proper size
when allocating the structure. Comment properly that because create()
refers to elements of the generic hash structure, all referred ones
must come before the IPv4/IPv6 dependent 'next' member.

Signed-off-by: Jozsef Kadlecsik <kadlec at netfilter.org>
Signed-off-by: Florian Westphal <fw at strlen.de>
DeltaFile
+11-2net/netfilter/ipset/ip_set_hash_gen.h
+11-21 files

Linux/linux 2f75c0fnet/netfilter/ipvs ip_vs_proto_sctp.c

ipvs: use parsed transport offset in SCTP state lookup

set_sctp_state() reads the SCTP chunk header again in order to drive the
IPVS SCTP state table. For IPv6 it computes the offset with
sizeof(struct ipv6hdr), while the surrounding IPVS code uses iph.len from
ip_vs_fill_iph_skb(), where ipv6_find_hdr() has already skipped
extension headers and found the real transport header.

This makes the state machine read from the wrong offset for IPv6 SCTP
packets that carry extension headers. For example, an INIT packet with an
8-byte destination options header can be scheduled correctly by
sctp_conn_schedule(), but set_sctp_state() reads the first byte of the
SCTP verification tag as a DATA chunk type. The connection then moves
from NONE to ESTABLISHED instead of INIT1, gets the longer established
timeout, and updates the active/inactive destination counters
incorrectly. This happens even though the SCTP handshake has not
completed.

Use the parsed transport offset passed down from ip_vs_set_state() for

    [16 lines not shown]
DeltaFile
+5-10net/netfilter/ipvs/ip_vs_proto_sctp.c
+5-101 files

Linux/linux 3f7a535net/netfilter/ipvs ip_vs_core.c

ipvs: ensure inner headers in ICMP errors are in headroom

Sashiko points out that after stripping the outer headers
with pskb_pull() we should ensure the inner IP headers
in ICMP errors from tunnels are present in the skb headroom
for functions like ipv4_update_pmtu(), icmp_send() and
IP_VS_DBG().

Also, add more checks for the length of the inner headers.

Fixes: f2edb9f7706d ("ipvs: implement passive PMTUD for IPIP packets")
Link: https://sashiko.dev/#/patchset/20260702073430.67680-1-zhaoyz24%40mails.tsinghua.edu.cn
Signed-off-by: Julian Anastasov <ja at ssi.bg>
Signed-off-by: Florian Westphal <fw at strlen.de>
DeltaFile
+15-6net/netfilter/ipvs/ip_vs_core.c
+15-61 files

Linux/linux fa7395cinclude/net/netfilter nf_flow_table.h, net/netfilter nf_flow_table_core.c nf_flow_table_ip.c

netfilter: flowtable: support IPIP tunnel with direct xmit

The combination of IPIP tunnel with direct xmit, eg. bridge device,
breaks because no dst_entry is provided to check the skb headroom and to
set the iph->frag_off field. This leads to invalid dst usage and can
trigger a crash in the tunnel transmit path.

Fix this by moving dst_cache and dst_cookie out of the runtime union so
that they can be shared by neighbour, xfrm, and direct tunnel flows.
For FLOW_OFFLOAD_XMIT_DIRECT tuples carrying tunnel metadata, preserve
route state in these shared fields and release it through the common
dst release path.

Since dst_entry is now available to the three supported xmit modes and
dst_release() already deals with NULL dst, remove the xmit type check
in nft_flow_dst_release(). Moreover, skip the check if the dst entry
is NULL in nf_flow_dst_check() which is now the case for the direct
xmit case.


    [11 lines not shown]
DeltaFile
+8-4net/netfilter/nf_flow_table_core.c
+3-2include/net/netfilter/nf_flow_table.h
+1-2net/netfilter/nf_flow_table_ip.c
+12-83 files

Linux/linux da5b584net/ipv6/netfilter nf_conntrack_reasm.c, net/netfilter nfnetlink_log.c xt_u32.c

netfilter: handle unreadable frags

sashiko reports:
 When an skb with unreadable fragments (such as from devmem TCP, where
 skb_frags_readable(skb) returns false) is processed by the u32 module,
 skb_copy_bits() will safely return a negative error code [..]

xt_u32: bail out with hotdrop in this case.
gather_frags: return -1, just as if we had no fragment header.
nfnetlink_queue: restrict to the linear part.
nfnetlink_log: restrict to the linear part.

v2:
 - skb_zerocopy helpers don't copy readable flag, i.e. nfnetlink_queue
 is broken too
 xt_u32 shouldn't return true if hotdrop was set.

Fixes: 65249feb6b3d ("net: add support for skbs with unreadable frags")
Cc: stable at vger.kernel.org

    [2 lines not shown]
DeltaFile
+17-9net/netfilter/nfnetlink_log.c
+11-5net/netfilter/xt_u32.c
+12-4net/netfilter/nfnetlink_queue.c
+1-1net/ipv6/netfilter/nf_conntrack_reasm.c
+41-194 files

Linux/linux c328b90net/netfilter nf_flow_table_ip.c

netfilter: flowtable: use dst in this direction when pushing IPIP header

When pushing the IPIP header, the route of the other direction is used
to calculate the headroom, use the route in this direction. Accessing
the other tuple to set the IP source and destination is fine because
this tuple does not provide such information to avoid storing redundant
information. However, this tuple already provides the dst for this
direction, this went unnoticed because this bug affects headroom and
iph->frag_off only at this stage.

Fixes: d30301ba4b07 ("netfilter: flowtable: Add IPIP tx sw acceleration")
Fixes: 93cf357fa797 ("netfilter: flowtable: Add IP6IP6 tx sw acceleration")
Cc: stable at vger.kernel.org
Acked-by: Lorenzo Bianconi <lorenzo at kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
Signed-off-by: Florian Westphal <fw at strlen.de>
DeltaFile
+11-7net/netfilter/nf_flow_table_ip.c
+11-71 files

Linux/linux bae7ce7include/net ip_vs.h, net/netfilter/ipvs ip_vs_core.c ip_vs_proto_sctp.c

ipvs: pass parsed transport offset to state handlers

IPVS callers already parse the packet into struct ip_vs_iphdr before
updating connection state. For IPv6 this records the real
transport-header offset after extension headers in iph.len.

Pass this parsed transport offset through ip_vs_set_state() and the
protocol state_transition() callback so protocol handlers can use the
same packet context as scheduling and NAT handling. This patch only
changes the common callback plumbing and adapts the protocol callback
signatures; TCP and SCTP start using the value in follow-up patches.

Signed-off-by: Yizhou Zhao <zhaoyz24 at mails.tsinghua.edu.cn>
Acked-by: Julian Anastasov <ja at ssi.bg>
Signed-off-by: Florian Westphal <fw at strlen.de>
DeltaFile
+5-5net/netfilter/ipvs/ip_vs_core.c
+2-1include/net/ip_vs.h
+2-1net/netfilter/ipvs/ip_vs_proto_sctp.c
+2-1net/netfilter/ipvs/ip_vs_proto_tcp.c
+2-1net/netfilter/ipvs/ip_vs_proto_udp.c
+13-95 files

Linux/linux cffcf57net/netfilter/ipset ip_set_hash_gen.h

netfilter: ipset: exclude gc when resize is in progress

Zhengchuan Liang and Eulgyu Kim reported that because resize
does not copy the comment extension into the resized set but
uses it's pointer, ongoing gc can free the extension in the
original set which then results stale pointer in the resized
one. The proposed patch was to recreate the extensions for
every element in the resized set. It is both expensive and
wastes memory, so better exclude gc when resizing in progress
detected: resizing will destroy the original set anyway,
so doing gc on it is unnecessary.

Introduce a new spinlock to exclude parallel gc and resize.
Because we just set and check a bool value, there's no need
for the parameter to be atomic_t and rename it for better
readability.

Reported-by: Yuan Tan <yuantan098 at gmail.com>
Reported-by: Yifan Wu <yifanwucs at gmail.com>

    [6 lines not shown]
DeltaFile
+20-11net/netfilter/ipset/ip_set_hash_gen.h
+20-111 files

Linux/linux 6723213net/netfilter/ipset ip_set_hash_gen.h

netfilter: ipset: cleanup the add/del backlog when resize failed

Sashiko pointed out that the add/del backlog was not cleaned up
when resize failed. Fix it in the corresponding error path. Also,
make sure that the add/del backlog is htable-specific so when
resize creates a new htable, old/new backlog can't be mixed up.

Signed-off-by: Jozsef Kadlecsik <kadlec at netfilter.org>
Signed-off-by: Florian Westphal <fw at strlen.de>
DeltaFile
+20-8net/netfilter/ipset/ip_set_hash_gen.h
+20-81 files

Linux/linux 5d0c22enet/netfilter/ipset ip_set_hash_gen.h

netfilter: ipset: mark the rcu locked areas properly

When we bump the uref counter, there's no need to keep
the rcu lock because the referred hash table can't
disappear. Also, from the same reason in mtype_gc we
need the rcu lock and not a spinlock.

Signed-off-by: Jozsef Kadlecsik <kadlec at netfilter.org>
Signed-off-by: Florian Westphal <fw at strlen.de>
DeltaFile
+5-8net/netfilter/ipset/ip_set_hash_gen.h
+5-81 files

Linux/linux e6107a4net/netfilter nft_lookup.c

netfilter: nft_lookup: fix catchall element handling with inverted lookups

nft_lookup_eval() decides whether a lookup matched (`found`) from the
direct set lookup and priv->invert before falling back to the
catchall element used by interval sets (e.g. nft_set_rbtree) for the
open-ended default range. Since `found` is never recomputed after
`ext` is replaced by the catchall lookup, inverted lookups
(NFT_LOOKUP_F_INV, "!= @set") can wrongly match or wrongly skip the
catchall element, producing the wrong verdict. Fold the catchall
lookup into `ext` before computing `found`, matching the order
already used by nft_objref_map_eval().

Fixes: aaa31047a6d2 ("netfilter: nftables: add catch-all set element support")
Signed-off-by: Tamaki Yanagawa <ty at 000ty.net>
Assisted-by: Claude:claude-sonnet-5
Signed-off-by: Florian Westphal <fw at strlen.de>
DeltaFile
+5-5net/netfilter/nft_lookup.c
+5-51 files

Linux/linux 084d23fnet/bridge/netfilter ebtables.c

netfilter: ebtables: module names must be null-terminated

We need to explicitly check the length, else we may pass non-null
terminated string to request_module().

Cc: stable at vger.kernel.org
Fixes: bcf493428840 ("netfilter: ebtables: Fix extension lookup with identical name")
Signed-off-by: Florian Westphal <fw at strlen.de>
DeltaFile
+3-0net/bridge/netfilter/ebtables.c
+3-01 files

Linux/linux cbfe535net/bridge/netfilter ebtables.c

netfilter: ebtables: zero chainstack array

sashiko reports:
 looking at ebtables table
 translation, could a sparse cpu_possible_mask lead to an uninitialized pointer
 free?

 If cpu_possible_mask is sparse (for example, CPU 0 and CPU 2 are possible,
 but CPU 1 is not), the allocation loop skips CPU 1. If vmalloc_node() fails at
 CPU 2, the cleanup loop will blindly decrement and call vfree() on
 newinfo->chainstack[1].

Not a real-world bug, such allocation isn't expected to fail
in the first place.

Cc: stable at vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Florian Westphal <fw at strlen.de>
DeltaFile
+1-2net/bridge/netfilter/ebtables.c
+1-21 files

Linux/linux 3b08fednet/ipv6/netfilter nf_conntrack_reasm.c

netfilter: nf_conntrack_reasm: guard mac_header adjustment after IPv6 defrag

nf_ct_frag6_reasm() slides the packet head forward to drop the IPv6
fragment header and then unconditionally advances skb->mac_header:

        skb->mac_header += sizeof(struct frag_hdr);

On the NF_INET_LOCAL_OUT defrag path the skb has no link-layer header
yet, so skb->mac_header is still the "not set" sentinel (u16)~0U. Adding
sizeof(struct frag_hdr) wraps it to a small value (0xffff + 8 == 7),
after which skb_mac_header_was_set() wrongly reports a MAC header is
present and skb_mac_header() points into the headroom.

The reassembler has done this unconditional add since it was introduced;
it was harmless while mac_header was a bare pointer, but wrong once
mac_header became a u16 offset whose unset state is the ~0U sentinel
tested by skb_mac_header_was_set(). The sibling net/ipv6/reassembly.c
does the same relocation and does guard the adjustment; mirror the
guard here.

    [7 lines not shown]
DeltaFile
+2-1net/ipv6/netfilter/nf_conntrack_reasm.c
+2-11 files