Merge tag 'nf-25-04-03' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

kuba-moo · kuba-moo · commit 8bc251e5d874 · 2025-04-03T16:23:01.000-07:00
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following batch contains Netfilter fixes for net: 1) conncount incorrectly removes element for non-dynamic sets, these elements represent a static control plane configuration, leave them in place. 2) syzbot found a way to unregister a basechain that has been never registered from the chain update path, fix from Florian Westphal. 3) Fix incorrect pointer arithmetics in geneve support for tunnel, from Lin Ma. * tag 'nf-25-04-03' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nft_tunnel: fix geneve_opt type confusion addition netfilter: nf_tables: don't unregister hook when table is dormant netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only ==================== Link: https://patch.msgid.link/20250403115752.19608-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
@@ -2839,11 +2839,11 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 			err = nft_netdev_register_hooks(ctx->net, &hook.list);
 			if (err < 0)
 				goto err_hooks;
+
+			unregister = true;
 		}
 	}
 
-	unregister = true;
-
 	if (nla[NFTA_CHAIN_COUNTERS]) {
 		if (!nft_is_base_chain(chain)) {
 			err = -EOPNOTSUPP;
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
@@ -309,7 +309,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set,
 
 	nft_setelem_expr_foreach(expr, elem_expr, size) {
 		if (expr->ops->gc &&
-		    expr->ops->gc(read_pnet(&set->net), expr))
+		    expr->ops->gc(read_pnet(&set->net), expr) &&
+		    set->flags & NFT_SET_EVAL)
 			return true;
 	}
 
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
@@ -341,7 +341,7 @@ static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GEN
 static int nft_tunnel_obj_geneve_init(const struct nlattr *attr,
 				      struct nft_tunnel_opts *opts)
 {
-	struct geneve_opt *opt = (struct geneve_opt *)opts->u.data + opts->len;
+	struct geneve_opt *opt = (struct geneve_opt *)(opts->u.data + opts->len);
 	struct nlattr *tb[NFTA_TUNNEL_KEY_GENEVE_MAX + 1];
 	int err, data_len;
 
@@ -625,7 +625,7 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
 		if (!inner)
 			goto failure;
 		while (opts->len > offset) {
-			opt = (struct geneve_opt *)opts->u.data + offset;
+			opt = (struct geneve_opt *)(opts->u.data + offset);
 			if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS,
 					 opt->opt_class) ||
 			    nla_put_u8(skb, NFTA_TUNNEL_KEY_GENEVE_TYPE,

Original file line number	Diff line number	Diff line change
`@@ -2839,11 +2839,11 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,`
`2839`	`2839`	`err = nft_netdev_register_hooks(ctx->net, &hook.list);`
`2840`	`2840`	`if (err < 0)`
`2841`	`2841`	`goto err_hooks;`
	`2842`	`+`
	`2843`	`+ unregister = true;`
`2842`	`2844`	`}`
`2843`	`2845`	`}`
`2844`	`2846`
`2845`		`- unregister = true;`
`2846`		`-`
`2847`	`2847`	`if (nla[NFTA_CHAIN_COUNTERS]) {`
`2848`	`2848`	`if (!nft_is_base_chain(chain)) {`
`2849`	`2849`	`err = -EOPNOTSUPP;`
Original file line number	Diff line number	Diff line change
`@@ -309,7 +309,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set,`
`309`	`309`
`310`	`310`	`nft_setelem_expr_foreach(expr, elem_expr, size) {`
`311`	`311`	`if (expr->ops->gc &&`
`312`		`- expr->ops->gc(read_pnet(&set->net), expr))`
	`312`	`+ expr->ops->gc(read_pnet(&set->net), expr) &&`
	`313`	`+ set->flags & NFT_SET_EVAL)`
`313`	`314`	`return true;`
`314`	`315`	`}`
`315`	`316`