GET

Patch Detail

get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/1.1/patches/2229473/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2229473,
    "url": "http://patchwork.ozlabs.org/api/1.1/patches/2229473/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260428090917.3851366-1-minipli@grsecurity.net/",
    "project": {
        "id": 26,
        "url": "http://patchwork.ozlabs.org/api/1.1/projects/26/?format=api",
        "name": "Netfilter Development",
        "link_name": "netfilter-devel",
        "list_id": "netfilter-devel.vger.kernel.org",
        "list_email": "netfilter-devel@vger.kernel.org",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null
    },
    "msgid": "<20260428090917.3851366-1-minipli@grsecurity.net>",
    "date": "2026-04-28T09:09:17",
    "name": "[net] netfilter: nf_nat: avoid invalid nat_net pointer use on failed nf_nat_init()",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "6431a943ff8cc06c89852618a5e7fa6c678a458c",
    "submitter": {
        "id": 85569,
        "url": "http://patchwork.ozlabs.org/api/1.1/people/85569/?format=api",
        "name": "Mathias Krause",
        "email": "minipli@grsecurity.net"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260428090917.3851366-1-minipli@grsecurity.net/mbox/",
    "series": [
        {
            "id": 501809,
            "url": "http://patchwork.ozlabs.org/api/1.1/series/501809/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=501809",
            "date": "2026-04-28T09:09:17",
            "name": "[net] netfilter: nf_nat: avoid invalid nat_net pointer use on failed nf_nat_init()",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/501809/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2229473/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2229473/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "\n <netfilter-devel+bounces-12237-incoming=patchwork.ozlabs.org@vger.kernel.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "netfilter-devel@vger.kernel.org"
        ],
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=grsecurity.net header.i=@grsecurity.net\n header.a=rsa-sha256 header.s=grsec header.b=oxd16e8J;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12237-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)",
            "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=grsecurity.net header.i=@grsecurity.net\n header.b=\"oxd16e8J\"",
            "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.128.52",
            "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=grsecurity.net",
            "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=opensrcsec.com"
        ],
        "Received": [
            "from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4bJD2dYvz1yHX\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 19:49:48 +1000 (AEST)",
            "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id 230EC30CF519\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 09:11:12 +0000 (UTC)",
            "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id D0BB43E275C;\n\tTue, 28 Apr 2026 09:09:47 +0000 (UTC)",
            "from mail-wm1-f52.google.com (mail-wm1-f52.google.com\n [209.85.128.52])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 66D4C3E1CE4\n\tfor <netfilter-devel@vger.kernel.org>; Tue, 28 Apr 2026 09:09:45 +0000 (UTC)",
            "by mail-wm1-f52.google.com with SMTP id\n 5b1f17b1804b1-488b8bc6bc9so80329795e9.3\n        for <netfilter-devel@vger.kernel.org>;\n Tue, 28 Apr 2026 02:09:45 -0700 (PDT)",
            "from bell.fritz.box\n (p200300faaf260200051aef03a698a1fc.dip0.t-ipconnect.de.\n [2003:fa:af26:200:51a:ef03:a698:a1fc])\n        by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-48a775defe4sm29070145e9.7.2026.04.28.02.09.42\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Tue, 28 Apr 2026 02:09:42 -0700 (PDT)"
        ],
        "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777367387; cv=none;\n b=IaUH5nnMhOVdlQAmWAM8XTrSGw9xOAb0/125H/p1ePqXrbT4d1hWv+9tEqDFMxLlJJ+HkI4nNJjjV4JFXB2RdtFn9hsAlPq4mNPPf0FLlGVZOoKuFM/cSGCgeCnrtzA23U0KnCyA3W5EhCo9EPXXVlKLAqUN0UEeIjS3A01Hvzs=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777367387; c=relaxed/simple;\n\tbh=ndV9HO4TrB7UH4OQaqRqhxadXpb2M84IgFY4mR7mxMY=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type;\n b=rInrTjTRTN/BFvfrD8/SKsusNcIoqLMlKTlobSWVJsi2YTwh5MW9FePA3nBlvjEaxINuH2Q1hySMboN5YzTQJeqbXSZ5LCa524/2VYiCXk1xxFko98pCkCDeNEAM8sO+SvIJvLtcZ/K011j9Sw71CAuRRAipaQIRst8ZLb7FCWk=",
        "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=grsecurity.net;\n spf=pass smtp.mailfrom=opensrcsec.com;\n dkim=pass (2048-bit key) header.d=grsecurity.net header.i=@grsecurity.net\n header.b=oxd16e8J; arc=none smtp.client-ip=209.85.128.52",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=grsecurity.net; s=grsec; t=1777367384; x=1777972184;\n darn=vger.kernel.org;\n        h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n         :to:from:from:to:cc:subject:date:message-id:reply-to;\n        bh=uv+T7Qd810LVMbQvEtvpybibnpScTbWBpv7OZ6oXHZE=;\n        b=oxd16e8JM587DpH50wb73izUKuxGy6KNMTHCm0SnzHK9useMwvOq913/8vzpeiZUNH\n         s6q1s/yrWI/C3elj1lF+DrvrgMnSeURx5pIi9SyTXsn2k3OjEXTBkfKXabQNDBel8CGS\n         g9+4rWSTOYN1sDRr45Y6pWnAYmDUYtKx47v1JElDdv1yQXg2oAtBgsGt9rfRNtxrjOmk\n         rr1WO2LfqavyJPvrOoukwdnx4S04P3jhK4+vHZerVIgPIABYM2uCgNaTbCjct3UBACeq\n         AbaugpzsOAQe1eGu4XddPK+bT7iwZu7GQF6gZtJ+V3pqilFk5zIqexJT5Q7kA+QeFPo4\n         0oVA==",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=1e100.net; s=20251104; t=1777367384; x=1777972184;\n        h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n         :message-id:reply-to;\n        bh=uv+T7Qd810LVMbQvEtvpybibnpScTbWBpv7OZ6oXHZE=;\n        b=czo3KoFFQqpufeWfawiGHxvUyyZCVOmyP1Xa96Fr2bXrfmCKG+5RCosJX3yc86Ht5/\n         GSDOdWWHlTFtLeLKVUTOATatoVWoE/EPe1Re+JRNFosshEJsTUtoL/aZfE3eoNKsIBMG\n         pQIxAf/Xt4OEK0Zv4zrq6ZFhSxplfaWw4lgAndVE+S9JchjgDZkqXLZsBhcxQOFdbfWR\n         uRf641INlIXTPI1f6BSvNGgcuoMszCcqZBStVX/sIMkE3kYXq11vScuf6q2Lju3xk0B9\n         EiKCCSgTGJ9wdPwFytOLYatnfxsRNGjCI0cQCo+XO7AUGpoY3mbQfJexfnIyi/ruHO2z\n         z68w==",
        "X-Gm-Message-State": "AOJu0YyRUnQyacts/VguEEkyR89EDCByd9lkh0cgYd1oxkYTreVhXVXt\n\tXpwbITGjxY2LK8xAibFvuVF8nFixoFFG8BpB7JDOyxNxcchUGUvlzb77PZ7IaYwABhYdbfKl7LZ\n\tpUPcT",
        "X-Gm-Gg": "AeBDieulwot7gdoW5S8CpR6uHqcM6YR8WtPi8NzfE1ER2U1yRT8xDFBUxEVI3SNJ2Bm\n\tTlOTfx6hsOVHxnTN59Ut5v/hzcVpUAyZARjCVgdBxFrNPh1lvQ9MnDmF8syCc83uETSh7u44Jla\n\tJqojku1zuU9X/JH3FnUIUDSd+lSMYRLioRU+leZpEC02pEBh/PwAM6XEjFKWEygOZ837ORI+z3L\n\tgAG+W1SAB5jdAArRwN67vTfnh7jCM5a5UWt1SyEFBcCYKUW6bzS16QgQCgaHqXZ25YmqkKi0FRZ\n\tSa07TQUEkBRXrrd8zbJZH+irbQxALZJNmdw+hyY8azx1IvCbg40+F4dy112LI3dPYRowYlNtLh9\n\td9QHeR6Y8RiRNzQYoKw/ZGpaaE/EWJpeilMF7F50RCeiV7uT0gHaWzEYdzUzwKtfHrRg4nUjIeT\n\t72BhPYRTmYcSM3eFgUntmgm+ACwjmBA0pFH8wl1rkhVPy5GS3KrV5zdcsFca/t6uThE68i3dwQf\n\tvZtn1uigRmCcGpMPV0losxK+QcXtw==",
        "X-Received": "by 2002:a05:600c:c177:b0:48a:5301:bb5c with SMTP id\n 5b1f17b1804b1-48a77b12a49mr30418175e9.16.1777367383438;\n        Tue, 28 Apr 2026 02:09:43 -0700 (PDT)",
        "From": "Mathias Krause <minipli@grsecurity.net>",
        "To": "netfilter-devel@vger.kernel.org",
        "Cc": "Pablo Neira Ayuso <pablo@netfilter.org>,\n\tFlorian Westphal <fw@strlen.de>,\n\tnetdev@vger.kernel.org,\n\tMathias Krause <minipli@grsecurity.net>",
        "Subject": "[PATCH net] netfilter: nf_nat: avoid invalid nat_net pointer use on\n failed nf_nat_init()",
        "Date": "Tue, 28 Apr 2026 11:09:17 +0200",
        "Message-ID": "<20260428090917.3851366-1-minipli@grsecurity.net>",
        "X-Mailer": "git-send-email 2.47.3",
        "Precedence": "bulk",
        "X-Mailing-List": "netfilter-devel@vger.kernel.org",
        "List-Id": "<netfilter-devel.vger.kernel.org>",
        "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>",
        "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>",
        "MIME-Version": "1.0",
        "Content-Type": "text/plain; charset=UTF-8",
        "Content-Transfer-Encoding": "8bit"
    },
    "content": "We ran into below KASAN splat, which is mostly uninteresting, beside\nfor having nf_nat_register_fn() in the call chain as a cause for the\noffending access:\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in nf_nat_register_fn+0x5f9/0x640\nRead of size 8 at addr ffff890031e54c20 by task iptables/9510\n\nCPU: 0 UID: 0 PID: 9510 Comm: iptables Not tainted 6.18.18-grsec-full-20260320181326 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n <TASK>\n […] dump_stack_lvl+0xee/0x160 ffff88004117eeb8\n […] print_report+0x6e/0x640 ffff88004117eee0\n […] ? __phys_addr+0x8e/0x140 ffff88004117eef0\n […] ? kasan_addr_to_slab+0x51/0xe0 ffff88004117ef08\n […] ? complete_report_info+0xec/0x1c0 ffff88004117ef20\n […] ? nf_nat_register_fn+0x5f9/0x640 ffff88004117ef48\n […] kasan_report+0xbc/0x140 ffff88004117ef50\n […] ? nf_nat_register_fn+0x5f9/0x640 ffff88004117ef90\n […] nf_nat_register_fn+0x5f9/0x640 ffff88004117eff8\n […] ? nf_nat_icmp_reply_translation+0x6e0/0x6e0 ffff88004117f070\n […] nf_tables_register_hook.part.0+0xa0/0x220 ffff88004117f080\n […] nf_tables_addchain.constprop.0+0x1054/0x1fc0 ffff88004117f0b8\n […] ? nft_chain_lookup.part.0+0x4ce/0xac0 ffff88004117f130\n […] ? nf_tables_abort+0x3d80/0x3d80 ffff88004117f190\n […] ? nf_tables_dumpreset_obj+0x100/0x100 ffff88004117f1c8\n […] ? nft_table_lookup.part.0+0x255/0x300 ffff88004117f310\n […] ? nf_tables_newchain+0x21a4/0x2fa0 ffff88004117f358\n […] nf_tables_newchain+0x21a4/0x2fa0 ffff88004117f360\n […] ? nf_tables_addchain.constprop.0+0x1fc0/0x1fc0 ffff88004117f458\n […] ? nla_get_range_signed+0x4a0/0x4a0 ffff88004117f488\n […] ? lock_acquire+0x16f/0x320 ffff88004117f490\n […] ? find_held_lock+0x3b/0xe0 ffff88004117f4b0\n […] ? __nla_parse+0x45/0x80 ffff88004117f500\n […] nfnetlink_rcv_batch+0xbca/0x19a0 ffff88004117f550\n […] ? nfnetlink_net_exit_batch+0x120/0x120 ffff88004117f618\n […] ? __sanitizer_cov_trace_switch+0x63/0xe0 ffff88004117f720\n […] ? gr_acl_handle_mmap+0x1c4/0x320 ffff88004117f7c0\n […] ? nla_get_range_signed+0x4a0/0x4a0 ffff88004117f7e8\n […] ? gr_is_capable+0x6f/0xe0 ffff88004117f830\n […] ? __nla_parse+0x45/0x80 ffff88004117f860\n […] ? skb_pull+0x103/0x1a0 ffff88004117f880\n […] nfnetlink_rcv+0x3db/0x4a0 ffff88004117f8b0\n […] ? nfnetlink_rcv_batch+0x19a0/0x19a0 ffff88004117f8d8\n […] ? netlink_lookup+0xe2/0x240 ffff88004117f900\n […] netlink_unicast+0x74b/0xb00 ffff88004117f930\n […] ? netlink_attachskb+0xb20/0xb20 ffff88004117f980\n […] ? __check_object_size+0x3e/0xaa0 ffff88004117f998\n […] ? security_netlink_send+0x51/0x160 ffff88004117f9c8\n […] netlink_sendmsg+0xa03/0x1200 ffff88004117f9f8\n […] ? netlink_unicast+0xb00/0xb00 ffff88004117fa70\n […] ? netlink_unicast+0xb00/0xb00 ffff88004117fac8\n […] ? ____sys_sendmsg+0xe2a/0x1040 ffff88004117faf8\n […] ____sys_sendmsg+0xe2a/0x1040 ffff88004117fb00\n […] ? kernel_recvmsg+0x300/0x300 ffff88004117fb60\n […] ? reacquire_held_locks+0xe9/0x260 ffff88004117fbc8\n […] ___sys_sendmsg+0x138/0x200 ffff88004117fbf8\n […] ? do_recvmmsg+0x7e0/0x7e0 ffff88004117fc30\n […] ? lockdep_hardirqs_on_prepare+0x101/0x1e0 ffff88004117fc50\n […] ? lock_acquire+0x16f/0x320 ffff88004117fd20\n […] ? lock_acquire+0x16f/0x320 ffff88004117fd58\n […] ? find_held_lock+0x3b/0xe0 ffff88004117fd70\n […] __sys_sendmsg+0x17a/0x260 ffff88004117fdc8\n […] ? __sys_sendmsg_sock+0x80/0x80 ffff88004117fdf0\n […] ? syscall_trace_enter+0x15e/0x2c0 ffff88004117fe98\n […] do_syscall_64+0x7d/0x400 ffff88004117fec8\n […] entry_SYSCALL_64_safe_stack+0x4a/0x60 ffff88004117fef8\n </TASK>\n==================================================================\n\nThe out-of-bounds report, though, is a red herring as it is for an\naccess that shouldn't have happened in the first place.\n\nWhen nf_nat_init() fails to register its BPF kfuncs, it'll unwind and,\namong others, call unregister_pernet_subsys() to deregister its per-net\nops. This makes the previously allocated net id available for reuse by\nthe next caller of register_pernet_subsys(), in our case, synproxy.\nHowever, 'nat_net_id' will still hold the previously allocated value.\n\nIf nf_nat.o gets build as a module, all this doesn't matter. A failed\ninitialization routine makes the module fail to load and any dependent\nmodule won't be able to load either. However, if nf_nat.o is built-in,\na failing init won't /completely/ make its functionality unavailable to\ndependent modules, namely the code and static data is still there, free\nto be called by modules like nft_chain_nat.ko.\n\nCase in point, nft_chain_nat registers hooks that'll call into nf_nat\nwhich, in our case, failed to initialize and therefore won't have a\nvalid net id nor related net_nat object any more.\n\nCode in nf_nat, namely nf_nat_register_fn() and nf_nat_unregister_fn(),\nstill making use of the reallocated net id, lead to a type confusion as\nthe call to net_generic() will no longer return memory belonging to an\nobject suited to fit 'struct nat_net' but 'struct synproxy_net' instead.\nThe latter is only 24 bytes on 64-bit systems, much smaller than struct\nnat_net which is 176 bytes, perfectly explaining the OOB KASAN report.\n\nDetect and handle a failed nf_nat_init() by testing the 'nf_nat_hook'\npointer which will be reset to NULL on initialization errors to prevent\nthe usage of an invalid nat_net pointer.\n\nAs this check is only needed when nf_nat.o is built-in, guard it by\n'#ifndef MODULE...'.\n\nFixes: cbc1dd5b659f (\"netfilter: nf_nat: Fix possible memory leak in nf_nat_init()\")\nSigned-off-by: Mathias Krause <minipli@grsecurity.net>\n---\n net/netfilter/nf_nat_core.c | 10 ++++++++++\n 1 file changed, 10 insertions(+)",
    "diff": "diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c\nindex 3b5434e4ec9c..76a150b9d418 100644\n--- a/net/netfilter/nf_nat_core.c\n+++ b/net/netfilter/nf_nat_core.c\n@@ -1187,6 +1187,16 @@ int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,\n \tstruct nf_hook_ops *nat_ops;\n \tint i, ret;\n \n+#ifndef MODULE\n+\t/* If nf_nat_core is built-in and nf_nat_init() fails, dependent\n+\t * modules like nft_chain_nat.ko may still call this function.\n+\t * However, nat_net would be invalid, likely pointing to some other\n+\t * per-net structure.\n+\t */\n+\tif (WARN_ON_ONCE(!nf_nat_hook))\n+\t\treturn -EOPNOTSUPP;\n+#endif\n+\n \tif (WARN_ON_ONCE(pf >= ARRAY_SIZE(nat_net->nat_proto_net)))\n \t\treturn -EINVAL;\n \n",
    "prefixes": [
        "net"
    ]
}