Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2216443/?format=api
{ "id": 2216443, "url": "http://patchwork.ozlabs.org/api/patches/2216443/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260326125153.685915-8-pablo@netfilter.org/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260326125153.685915-8-pablo@netfilter.org>", "list_archive_url": null, "date": "2026-03-26T12:51:48", "name": "[net,07/12] netfilter: nf_conntrack_expect: use expect->helper", "commit_ref": null, "pull_url": null, "state": "handled-elsewhere", "archived": true, "hash": "4eece697ca84fbfe821787e5c56f06c1ededc921", "submitter": { "id": 1315, "url": "http://patchwork.ozlabs.org/api/people/1315/?format=api", "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260326125153.685915-8-pablo@netfilter.org/mbox/", "series": [ { "id": 497584, "url": "http://patchwork.ozlabs.org/api/series/497584/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=497584", "date": "2026-03-26T12:51:41", "name": "[net,01/12] netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry", "version": 3, "mbox": "http://patchwork.ozlabs.org/series/497584/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2216443/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2216443/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <netfilter-devel+bounces-11446-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=d5tiUS9D;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11446-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"d5tiUS9D\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124", "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org" ], "Received": [ "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fhP3s4dczz1yGD\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 26 Mar 2026 23:59:05 +1100 (AEDT)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 2E8943105F0E\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 26 Mar 2026 12:52:14 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 87B1328467D;\n\tThu, 26 Mar 2026 12:52:09 +0000 (UTC)", "from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id B26F1271A7C;\n\tThu, 26 Mar 2026 12:52:07 +0000 (UTC)", "from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id B12866026C;\n\tThu, 26 Mar 2026 13:52:05 +0100 (CET)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1774529529; cv=none;\n b=BgCXWlHVfgTMl0CkvApYTW2dFg1W5HpTn0cYothn9sxYAGER5n/MufYGHc3ljyVlvLLOaTtXmxOqunpSwi10Iguh8AmwSkb+nNtUZNbyLzUGu44qEH1vBQ4fbI5X9wc2yT7zRdQfxEKQybO2kr6fXuEUXsvWqzhUf02kv4fyegU=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1774529529; c=relaxed/simple;\n\tbh=oTUeYgRYY4NGUxknfj9KSKHk9yYz1i9WzvwY/W4UwCU=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=C5dSPhuoxE/Hs8YVpWjy3AHYRijDcyco3aJlmICvDA70aB50GyuHepC3CTkXyVSJJ2Me+omZNAUavP5F9DsmyoKYLWpq6lcESiQnV3KbrzdG9PCqZKhRgYaBhnzshkV7+qosMX62EhJxnlTarERhjS8/ZAOYkfGS+YgNnKV6JbA=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=d5tiUS9D; arc=none smtp.client-ip=217.70.190.124", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1774529526;\n\tbh=5z/jDTeSkll46GN1LoH/0wYrBiJ7v6EfR3Ufh7zKngw=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=d5tiUS9DZ1HHIQlRQ6xTwh4ZBm3WHMzNu7j+vf8y2JheE+NQYIK64lWPjsKS7zMpX\n\t nMvtCqu2/lwO56uIqbM98y4tbaOjUVTw+dX80mWaZyDlsi3K/mFuK5cI39mgBTSPAv\n\t EeQXMPFQU71zEzWECuObkG9CvlW7p3SoCn+XPOwoLBuVE5F3dJFrd5oM+uzoxvCZ7D\n\t 2ZKPbzdtleUnJXdFsGM+BbuyTV8MKH7wPSZ6M+3aLsXPMrN0ZIUETh9mQrd37lfKYa\n\t 1PyPxchoFkdK98sRV/Z4jkL3X6NlY+xEEw2Rwy0/+lZ4+Sg3RImPaiHZZWL/KWrtwi\n\t xP1ER5ykl8JCg==", "From": "Pablo Neira Ayuso <pablo@netfilter.org>", "To": "netfilter-devel@vger.kernel.org", "Cc": "davem@davemloft.net,\n\tnetdev@vger.kernel.org,\n\tkuba@kernel.org,\n\tpabeni@redhat.com,\n\tedumazet@google.com,\n\tfw@strlen.de,\n\thorms@kernel.org", "Subject": "[PATCH net 07/12] netfilter: nf_conntrack_expect: use expect->helper", "Date": "Thu, 26 Mar 2026 13:51:48 +0100", "Message-ID": "<20260326125153.685915-8-pablo@netfilter.org>", "X-Mailer": "git-send-email 2.47.3", "In-Reply-To": "<20260326125153.685915-1-pablo@netfilter.org>", "References": "<20260326125153.685915-1-pablo@netfilter.org>", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "Use expect->helper in ctnetlink and /proc to dump the helper name.\nUsing nfct_help() without holding a reference to the master conntrack\nis unsafe.\n\nUse exp->master->helper in ctnetlink path if userspace does not provide\nan explicit helper when creating an expectation to retain the existing\nbehaviour. The ctnetlink expectation path holds the reference on the\nmaster conntrack and nf_conntrack_expect lock and the nfnetlink glue\npath refers to the master ct that is attached to the skb.\n\nReported-by: Hyunwoo Kim <imv4bel@gmail.com>\nSigned-off-by: Florian Westphal <fw@strlen.de>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n net/netfilter/nf_conntrack_expect.c | 2 +-\n net/netfilter/nf_conntrack_helper.c | 6 +-----\n net/netfilter/nf_conntrack_netlink.c | 24 ++++++++++--------------\n net/netfilter/nf_conntrack_sip.c | 2 +-\n 4 files changed, 13 insertions(+), 21 deletions(-)", "diff": "diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c\nindex 841e316240da..64977db12b1d 100644\n--- a/net/netfilter/nf_conntrack_expect.c\n+++ b/net/netfilter/nf_conntrack_expect.c\n@@ -666,7 +666,7 @@ static int exp_seq_show(struct seq_file *s, void *v)\n \tif (expect->flags & NF_CT_EXPECT_USERSPACE)\n \t\tseq_printf(s, \"%sUSERSPACE\", delim);\n \n-\thelper = rcu_dereference(nfct_help(expect->master)->helper);\n+\thelper = rcu_dereference(expect->helper);\n \tif (helper) {\n \t\tseq_printf(s, \"%s%s\", expect->flags ? \" \" : \"\", helper->name);\n \t\tif (helper->expect_policy[expect->class].name[0])\ndiff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c\nindex 294a6ffcbccd..1b330ba6613b 100644\n--- a/net/netfilter/nf_conntrack_helper.c\n+++ b/net/netfilter/nf_conntrack_helper.c\n@@ -395,14 +395,10 @@ EXPORT_SYMBOL_GPL(nf_conntrack_helper_register);\n \n static bool expect_iter_me(struct nf_conntrack_expect *exp, void *data)\n {\n-\tstruct nf_conn_help *help = nfct_help(exp->master);\n \tconst struct nf_conntrack_helper *me = data;\n \tconst struct nf_conntrack_helper *this;\n \n-\tif (rcu_access_pointer(exp->helper) == me)\n-\t\treturn true;\n-\n-\tthis = rcu_dereference_protected(help->helper,\n+\tthis = rcu_dereference_protected(exp->helper,\n \t\t\t\t\t lockdep_is_held(&nf_conntrack_expect_lock));\n \treturn this == me;\n }\ndiff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c\nindex a42d14290786..8477c3736432 100644\n--- a/net/netfilter/nf_conntrack_netlink.c\n+++ b/net/netfilter/nf_conntrack_netlink.c\n@@ -3012,7 +3012,7 @@ ctnetlink_exp_dump_expect(struct sk_buff *skb,\n {\n \tstruct nf_conn *master = exp->master;\n \tlong timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ;\n-\tstruct nf_conn_help *help;\n+\tstruct nf_conntrack_helper *helper;\n #if IS_ENABLED(CONFIG_NF_NAT)\n \tstruct nlattr *nest_parms;\n \tstruct nf_conntrack_tuple nat_tuple = {};\n@@ -3057,15 +3057,12 @@ ctnetlink_exp_dump_expect(struct sk_buff *skb,\n \t nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||\n \t nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))\n \t\tgoto nla_put_failure;\n-\thelp = nfct_help(master);\n-\tif (help) {\n-\t\tstruct nf_conntrack_helper *helper;\n \n-\t\thelper = rcu_dereference(help->helper);\n-\t\tif (helper &&\n-\t\t nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name))\n-\t\t\tgoto nla_put_failure;\n-\t}\n+\thelper = rcu_dereference(exp->helper);\n+\tif (helper &&\n+\t nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name))\n+\t\tgoto nla_put_failure;\n+\n \texpfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn);\n \tif (expfn != NULL &&\n \t nla_put_string(skb, CTA_EXPECT_FN, expfn->name))\n@@ -3394,12 +3391,9 @@ static int ctnetlink_get_expect(struct sk_buff *skb,\n static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data)\n {\n \tstruct nf_conntrack_helper *helper;\n-\tconst struct nf_conn_help *m_help;\n \tconst char *name = data;\n \n-\tm_help = nfct_help(exp->master);\n-\n-\thelper = rcu_dereference(m_help->helper);\n+\thelper = rcu_dereference(exp->helper);\n \tif (!helper)\n \t\treturn false;\n \n@@ -3534,9 +3528,9 @@ ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,\n \t\t struct nf_conntrack_tuple *tuple,\n \t\t struct nf_conntrack_tuple *mask)\n {\n-\tu_int32_t class = 0;\n \tstruct nf_conntrack_expect *exp;\n \tstruct nf_conn_help *help;\n+\tu32 class = 0;\n \tint err;\n \n \thelp = nfct_help(ct);\n@@ -3573,6 +3567,8 @@ ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,\n \n \texp->class = class;\n \texp->master = ct;\n+\tif (!helper)\n+\t\thelper = rcu_dereference(help->helper);\n \trcu_assign_pointer(exp->helper, helper);\n \texp->tuple = *tuple;\n \texp->mask.src.u3 = mask->src.u3;\ndiff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c\nindex 106b2f419e19..20e57cf5c83a 100644\n--- a/net/netfilter/nf_conntrack_sip.c\n+++ b/net/netfilter/nf_conntrack_sip.c\n@@ -924,7 +924,7 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff,\n \t\texp = __nf_ct_expect_find(net, nf_ct_zone(ct), &tuple);\n \n \t\tif (!exp || exp->master == ct ||\n-\t\t nfct_help(exp->master)->helper != nfct_help(ct)->helper ||\n+\t\t exp->helper != nfct_help(ct)->helper ||\n \t\t exp->class != class)\n \t\t\tbreak;\n #if IS_ENABLED(CONFIG_NF_NAT)\n", "prefixes": [ "net", "07/12" ] }