Open Source and information security mailing list archives
Message-ID: <20250924140654.10210-1-fw@strlen.de>
Date: Wed, 24 Sep 2025 16:06:48 +0200
From: Florian Westphal <fw@...len.de>
To: <netdev@...r.kernel.org>
Cc: Paolo Abeni <pabeni@...hat.com>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>,
	<netfilter-devel@...r.kernel.org>,
	pablo@...filter.org
Subject: [PATCH net-next 0/6] netfilter: fixes for net-next

Hi,

The following patchset contains Netfilter fixes for *net-next*:

These fixes target next because the bug is either not severe or has
existed for so long that there is no reason to cram them in at the last
minute.

1) Fix IPVS ftp unregistering during netns cleanup, broken since netns
   support was introduced in 2011 in the 2.6.39 kernel.
   From Slavin Liu.
2) nfnetlink must reset the 'nlh' pointer back to the original
   address when a batch is replayed, else we emit bogus ACK messages
   and conceal real errno from userspace.  From Fernando Fernandez Mancera.
   This has been broken since 6.10.

3) Recent fix for nftables 'pipapo' set type was incomplete; it only
   made things work for the AVX2 version of the algorithm.

4) Testing revealed another problem with the avx2 version that results in
   out-of-bounds read access; this bug has existed since the feature was
   added in the 5.7 kernel.  This also comes with a selftest update.

Last fix resolves a long-standing bug (since 4.9) in conntrack /proc
interface:
Decrease skip count when we reap an expired entry during dump.
As-is we erroneously elide one conntrack entry from dump for every expired
entry seen.  From Eric Dumazet.

Please, pull these changes from:
The following changes since commit dc1dea796b197aba2c3cae25bfef45f4b3ad46fe:

  tcp: Remove stale locking comment for TFO. (2025-09-23 18:21:36 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-25-09-24

for you to fetch changes up to c5ba345b2d358b07cc4f07253ba1ada73e77d586:

  netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack (2025-09-24 11:50:28 +0200)

----------------------------------------------------------------
netfilter pull request nf-next-25-09-24

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack

Fernando Fernandez Mancera (1):
      netfilter: nfnetlink: reset nlh pointer during batch replay

Florian Westphal (3):
      netfilter: nft_set_pipapo: use 0 genmask for packetpath lookups
      netfilter: nft_set_pipapo_avx2: fix skip of expired entries
      selftests: netfilter: nft_concat_range.sh: add check for double-create bug

Slavin Liu (1):
      ipvs: Defer ip_vs_ftp unregister during netns cleanup

 net/netfilter/ipvs/ip_vs_ftp.c                     |  4 +-
 net/netfilter/nf_conntrack_standalone.c            |  3 ++
 net/netfilter/nfnetlink.c                          |  2 +
 net/netfilter/nft_set_pipapo.c                     |  9 ++--
 net/netfilter/nft_set_pipapo_avx2.c                |  9 ++--
 .../selftests/net/netfilter/nft_concat_range.sh    | 56 +++++++++++++++++++++-
 6 files changed, 73 insertions(+), 10 deletions(-)
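
The skip-count bug from item 5 (one live entry elided from the /proc dump
for every expired entry reaped while dumping), as an added user-space model
that is not part of the patch set or of the kernel code. It assumes a
simplified iterator: one hash bucket held as an array, a seq_file-style
dump that emits a fixed number of entries per "page" and restarts from a
per-bucket skip count, and an expired entry that is reaped (removed from the
bucket) when the walk reaches it. The names (dump_page, dump_all, reap,
make_sample) and the constructed six-entry bucket are mine; the real kernel
iterator walks hash chains and differs in detail, but the off-by-one on
restart is the same.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of one conntrack entry: an id and whether it has expired. */
struct entry { int id; bool expired; };

/* Model of one hash bucket: contiguous array, reaping shifts the tail down. */
struct table { struct entry *e; size_t n; };

/* Per-dump iterator state: how many bucket slots the walk has consumed. */
struct dump_state { size_t skip_elems; };

/* Constructed sample bucket (not real conntrack data): id 3 expires before
 * the dump reaches it. */
static const struct entry sample[] = {
    {1, false}, {2, false}, {3, true}, {4, false}, {5, false}, {6, false}
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

/* Copy the sample into caller-provided storage so each dump starts fresh. */
struct table make_sample(struct entry *storage)
{
    memcpy(storage, sample, sizeof sample);
    return (struct table){ storage, SAMPLE_N };
}

/* Remove entry i from the bucket (models killing an expired entry). */
static void reap(struct table *t, size_t i)
{
    memmove(&t->e[i], &t->e[i + 1], (t->n - i - 1) * sizeof *t->e);
    t->n--;
}

/* One seq_file "page": emit at most per_page live ids into out[out_off..],
 * resuming at st->skip_elems. Returns the number emitted this call. */
static size_t dump_page(struct table *t, struct dump_state *st, bool fixed,
                        int *out, size_t out_off, size_t per_page)
{
    size_t emitted = 0;
    size_t i = st->skip_elems;          /* restart: skip slots already consumed */

    while (i < t->n && emitted < per_page) {
        struct entry *e = &t->e[i];

        st->skip_elems++;               /* one more slot consumed by the walk */
        if (e->expired) {
            reap(t, i);                 /* slot i now holds the successor */
            if (fixed)
                st->skip_elems--;       /* the fix: reaped entry occupies no slot */
            continue;                   /* do not advance i */
        }
        out[out_off + emitted++] = e->id;
        i++;
    }
    return emitted;
}

/* Drive the dump page by page until the bucket is exhausted; returns the
 * total number of ids written to out[]. */
size_t dump_all(struct table *t, bool fixed, int *out, size_t per_page)
{
    struct dump_state st = { 0 };
    size_t total = 0;

    for (;;) {
        size_t got = dump_page(t, &st, fixed, out, total, per_page);
        total += got;
        if (got < per_page)             /* short page: walk hit end of bucket */
            break;
    }
    return total;
}

int main(void)
{
    struct entry buf[SAMPLE_N];
    int out[SAMPLE_N];
    const char *label[] = { "buggy", "fixed" };

    for (int fixed = 0; fixed < 2; fixed++) {
        struct table t = make_sample(buf);
        size_t n = dump_all(&t, fixed, out, 2);

        printf("%s dump:", label[fixed]);
        for (size_t i = 0; i < n; i++)
            printf(" %d", out[i]);
        printf("\n");
    }
    return 0;
}
```

With two entries per page the walk restarts after id 2; the buggy variant
counts the reaped id 3 as a consumed slot, so the next restart lands one
slot too far and id 6 never appears. The bug is invisible when the whole
bucket fits in one page, which is why it could sit unnoticed since 4.9.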
