-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEjF9xRqF1emXiQiqU1w0aZmrPKyEFAmnFKjQACgkQ1w0aZmrP
KyGH2hAAiIN/e2RNv1b5TvT0FtrNUdBQyAXLQZjq8YfoanVqPBjDX7zgGy1DqVsD
1m+ISwig/PM5yorkpzG79QErfFLeL6eGHU8nPwVAxIoKQtaDexDLAIsSIByLKqg+
RQB8zieFQMYLKilIQh7YfGEGVJsN+hBcL64OH4oFIXuDb88/8gkQSgFhas9oebRA
St+RMFQfXgk+9QMHXTaXNjxJ+VHPAsRvcVc+igr5a+T6yBGjYyKMyhfrArR+TGBg
hyyWzMFZrNxtHC4lHNd9Jwzi+ja/LbBfI7Z6RK+vAMWCF7vpynwNVaJlwUA34djT
DvVLGUSv3kL60BYlL/kqTqbWuLsfYlOL82d2dOoEUCEzpP8kHCv0JaXoU3vOToEP
tLKuJsVRst6jvJGMpotrum4YGUSpuQMupxX2kq/nlTJNYU74csRhlZH6Dlxy6scp
LJfvcCwIWivTU9BK+8BxxlDyMZDw43Hv8utWQnfnlPuVmm2l/rMLD0hF8EIwIoOE
YjKYKwcQBe/ZnAtMQcmMgL0gOxtFPoLbaMC27Hrwxux1zh66VuCckAfD+Rp/Hmiq
+2ZdyHRUD79/57HErJvt+Jr/kPusYr7s2EYgLvZvYDdOWvNXeLYAJnLh6gQ0qKwH
boYFQyzzjTcmxgIzaKh5ScApZMpXqRGcB6eCytHeKU0NU2aRW2w=
=jY77
-----END PGP SIGNATURE-----
Merge tag 'nf-26-03-26' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Pablo Neira Ayuso says:
====================
Netfilter for net
This is v3, I kept back an ipset fix and another to tigthen the xtables
interface to reject invalid combinations with the NFPROTO_ARP family.
They need a bit more discussion. I fixed the issues reported by AI on
patch 9 (add #ifdef to access ct zone, update nf_conntrack_broadcast
and patch 10 (use better Fixes: tag). Thanks!
The following patchset contains Netfilter fixes for *net*.
Note that most bugs fixed here stem from 2.6 days, the large PR is not
due to an increase in regressions.
1) Fix incorrect reject of set updates with nf_tables pipapo set
avx2 backend. This comes with a regression test in patch 2.
From Florian Westphal.
2) nfnetlink_log needs to zero padding to prevent infoleak to userspace,
from Weiming Shi.
3) xtables ip6t_rt module never validated that addrnr length is within the
allowed array boundary. Reject bogus values. From Ren Wei.
4) Fix high memory usage in rbtree set backend that was unwanted side-effect
of the recently added binary search blob. From Pablo Neira Ayuso.
5) Patches 5 to 10, also from Pablo, address long-standing RCU safety bugs
in conntracks handling of expectations: We can never safely defer
a conntrack extension area without holding a reference. Yet expectation
handling does so in multiple places. Fix this by avoiding the need to
look into the master conntrack to begin with and by extending locked
sections in a few places.
11) Fix use of uninitialized rtp_addr in the sip conntrack helper,
also from Weiming Shi.
12) Add stricter netlink policy checks in ctnetlink, from David Carlier.
This avoids undefined behaviour when userspace provides huge wscale
value.
netfilter pull request 26-03-26
* tag 'nf-26-03-26' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
netfilter: ctnetlink: use netlink policy range checks
netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
netfilter: nf_conntrack_expect: skip expectations in other netns via proc
netfilter: nf_conntrack_expect: store netns and zone in expectation
netfilter: ctnetlink: ensure safe access to master conntrack
netfilter: nf_conntrack_expect: use expect->helper
netfilter: nf_conntrack_expect: honor expectation helper field
netfilter: nft_set_rbtree: revisit array resize logic
netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
selftests: netfilter: nft_concat_range.sh: add check for flush+reload bug
netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry
====================
Link: https://patch.msgid.link/20260326125153.685915-1-pablo@netfilter.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
db472c34a7