Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2217770/?format=api
{ "id": 2217770, "url": "http://patchwork.ozlabs.org/api/patches/2217770/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260330143627.892413-1-pablo@netfilter.org/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260330143627.892413-1-pablo@netfilter.org>", "list_archive_url": null, "date": "2026-03-30T14:36:27", "name": "[nf,v4] netfilter: ctnetlink: ignore explicit helper on new expectations", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "a196747e73c2092966d3f5e88714172cc8c92f38", "submitter": { "id": 1315, "url": "http://patchwork.ozlabs.org/api/people/1315/?format=api", "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260330143627.892413-1-pablo@netfilter.org/mbox/", "series": [ { "id": 498043, "url": "http://patchwork.ozlabs.org/api/series/498043/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=498043", "date": "2026-03-30T14:36:27", "name": "[nf,v4] netfilter: ctnetlink: ignore explicit helper on new expectations", "version": 4, "mbox": "http://patchwork.ozlabs.org/series/498043/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2217770/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2217770/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <netfilter-devel+bounces-11500-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=kTYc2Dgz;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11500-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"kTYc2Dgz\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124", "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org" ], "Received": [ "from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fkvHT2Knkz1yG8\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 31 Mar 2026 01:47:49 +1100 (AEDT)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 58557318C6E4\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 30 Mar 2026 14:37:32 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 6D4A12E718B;\n\tMon, 30 Mar 2026 14:36:34 +0000 (UTC)", "from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 481D12F3C34\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 30 Mar 2026 14:36:32 +0000 (UTC)", "from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id 46707602AA;\n\tMon, 30 Mar 2026 16:36:30 +0200 (CEST)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1774881394; cv=none;\n b=l2x0SEpnwbFaaRHL14g6tRwpY/UcRSLYkf54Kd9faaVPKLp/LKOvRm6kiG9Aha9Kq7qUSP527jmEGN2CxIEo8jZt6nWTQwWnASchoGdHpKvFxnLKMG+ylSuxy2z1N2DBOcStkEUUe5v+VNMf/siMwTjlvaFeYhmacnKuyFTU9dI=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1774881394; c=relaxed/simple;\n\tbh=kRHPeN98j49hMoXY24Eyrjy51fJSDG4WowfpsfOzknE=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=BdQJjrvrwUpb7Z3rpdGPU1rpC/rrM62+W7PXwI3LtwhO2FR0FFWEwZ8t7+ybnGaysD015syUVt7R8KiLvMfrIJTGbg+3kRCPP6E4HGmFWhGpEwWdRkn2ImkzvpZhvepRCc+tkRXfSx3wX9QS2kYiynyeTa1oHVrlNr2jgJHY8eQ=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=kTYc2Dgz; arc=none smtp.client-ip=217.70.190.124", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1774881390;\n\tbh=zkkN3tsfduEYKcOlkgjEFxe0R3b1lR3st2fHnafNCyI=;\n\th=From:To:Cc:Subject:Date:From;\n\tb=kTYc2Dgz99uTXrMh+9JPTJCLjkJlwefLhkMoWBTuuojhSHC96nNMIssEe7W63v8h5\n\t YVB/Lw/EmQsJCroOwKh9dNWByRZ+vpPHozfHD1aj/4T5szBLDh9QIHKzczAt6nbLyw\n\t 85ltB384DUCi2XeabCWhrRnQ+VVH5SddtsPbDbbjoN18Drv3sTqUBdGY6IgZClDWAS\n\t MNefM7rkDzUdnaA4jnkCX1Hcz0vNJ2xNeeXu9QDzq5y0Tr4u5VALukq2cHhYR84CTE\n\t A/IaI7P/LFJs9nvdxMwapTUGDkHrrnKMynyYcY4d8vgsQJxGjkEIeQ1Ui7BkNWfSLe\n\t +aHlb9f7Sa/UQ==", "From": "Pablo Neira Ayuso <pablo@netfilter.org>", "To": "netfilter-devel@vger.kernel.org", "Cc": "fw@strlen.de,\n\tffmancera@suse.de", "Subject": "[PATCH nf,v4] netfilter: ctnetlink: ignore explicit helper on new\n expectations", "Date": "Mon, 30 Mar 2026 16:36:27 +0200", "Message-ID": "<20260330143627.892413-1-pablo@netfilter.org>", "X-Mailer": "git-send-email 2.47.3", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "Use the existing master conntrack helper, anything else is not really\nsupported and it just makes validation more complicated, so just ignore\nwhat helper userspace suggests for this expectation.\n\nThis was uncovered when validating CTA_EXPECT_CLASS via different helper\nprovided by userspace than the existing master conntrack helper:\n\n BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0\n Read of size 4 at addr ffff8880043fe408 by task poc/102\n Call Trace:\n nf_ct_expect_related_report+0x2479/0x27c0\n ctnetlink_create_expect+0x22b/0x3b0\n ctnetlink_new_expect+0x4bd/0x5c0\n nfnetlink_rcv_msg+0x67a/0x950\n netlink_rcv_skb+0x120/0x350\n\nAllowing to read kernel memory bytes off the expectation boundary.\n\nCTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace\nvia netlink dump.\n\nFixes: bd0779370588 (\"netfilter: nfnetlink_queue: allow to attach expectations to conntracks\")\nReported-by: Qi Tang <tpluszz77@gmail.com>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\nv4: actually... remove this entire refetch\n\n@@ -3576,8 +3569,6 @@ ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,\n #ifdef CONFIG_NF_CONNTRACK_ZONES\n exp->zone = ct->zone;\n #endif\n- if (!helper)\n- helper = rcu_dereference(help->helper);\n rcu_assign_pointer(exp->helper, helper);\n exp->tuple = *tuple;\n exp->mask.src.u3 = mask->src.u3;\n\n\n net/netfilter/nf_conntrack_netlink.c | 54 +++++-----------------------\n 1 file changed, 9 insertions(+), 45 deletions(-)", "diff": "diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c\nindex 35f859b24103..ec6771a0926c 100644\n--- a/net/netfilter/nf_conntrack_netlink.c\n+++ b/net/netfilter/nf_conntrack_netlink.c\n@@ -2636,7 +2636,6 @@ static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {\n \n static struct nf_conntrack_expect *\n ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,\n-\t\t struct nf_conntrack_helper *helper,\n \t\t struct nf_conntrack_tuple *tuple,\n \t\t struct nf_conntrack_tuple *mask);\n \n@@ -2865,7 +2864,6 @@ ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,\n {\n \tstruct nlattr *cda[CTA_EXPECT_MAX+1];\n \tstruct nf_conntrack_tuple tuple, mask;\n-\tstruct nf_conntrack_helper *helper = NULL;\n \tstruct nf_conntrack_expect *exp;\n \tint err;\n \n@@ -2879,17 +2877,8 @@ ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,\n \tif (err < 0)\n \t\treturn err;\n \n-\tif (cda[CTA_EXPECT_HELP_NAME]) {\n-\t\tconst char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);\n-\n-\t\thelper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),\n-\t\t\t\t\t\t nf_ct_protonum(ct));\n-\t\tif (helper == NULL)\n-\t\t\treturn -EOPNOTSUPP;\n-\t}\n-\n \texp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct,\n-\t\t\t\t helper, &tuple, &mask);\n+\t\t\t\t &tuple, &mask);\n \tif (IS_ERR(exp))\n \t\treturn PTR_ERR(exp);\n \n@@ -3528,11 +3517,11 @@ ctnetlink_parse_expect_nat(const struct nlattr *attr,\n \n static struct nf_conntrack_expect *\n ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,\n-\t\t struct nf_conntrack_helper *helper,\n \t\t struct nf_conntrack_tuple *tuple,\n \t\t struct nf_conntrack_tuple *mask)\n {\n \tstruct net *net = read_pnet(&ct->ct_net);\n+\tstruct nf_conntrack_helper *helper;\n \tstruct nf_conntrack_expect *exp;\n \tstruct nf_conn_help *help;\n \tu32 class = 0;\n@@ -3542,7 +3531,11 @@ ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,\n \tif (!help)\n \t\treturn ERR_PTR(-EOPNOTSUPP);\n \n-\tif (cda[CTA_EXPECT_CLASS] && helper) {\n+\thelper = rcu_dereference(help->helper);\n+\tif (!helper)\n+\t\treturn ERR_PTR(-EOPNOTSUPP);\n+\n+\tif (cda[CTA_EXPECT_CLASS]) {\n \t\tclass = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));\n \t\tif (class > helper->expect_class_max)\n \t\t\treturn ERR_PTR(-EINVAL);\n@@ -3576,8 +3569,6 @@ ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,\n #ifdef CONFIG_NF_CONNTRACK_ZONES\n \texp->zone = ct->zone;\n #endif\n-\tif (!helper)\n-\t\thelper = rcu_dereference(help->helper);\n \trcu_assign_pointer(exp->helper, helper);\n \texp->tuple = *tuple;\n \texp->mask.src.u3 = mask->src.u3;\n@@ -3607,7 +3598,6 @@ ctnetlink_create_expect(struct net *net,\n {\n \tstruct nf_conntrack_tuple tuple, mask, master_tuple;\n \tstruct nf_conntrack_tuple_hash *h = NULL;\n-\tstruct nf_conntrack_helper *helper = NULL;\n \tstruct nf_conntrack_expect *exp;\n \tstruct nf_conn *ct;\n \tint err;\n@@ -3633,33 +3623,7 @@ ctnetlink_create_expect(struct net *net,\n \tct = nf_ct_tuplehash_to_ctrack(h);\n \n \trcu_read_lock();\n-\tif (cda[CTA_EXPECT_HELP_NAME]) {\n-\t\tconst char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);\n-\n-\t\thelper = __nf_conntrack_helper_find(helpname, u3,\n-\t\t\t\t\t\t nf_ct_protonum(ct));\n-\t\tif (helper == NULL) {\n-\t\t\trcu_read_unlock();\n-#ifdef CONFIG_MODULES\n-\t\t\tif (request_module(\"nfct-helper-%s\", helpname) < 0) {\n-\t\t\t\terr = -EOPNOTSUPP;\n-\t\t\t\tgoto err_ct;\n-\t\t\t}\n-\t\t\trcu_read_lock();\n-\t\t\thelper = __nf_conntrack_helper_find(helpname, u3,\n-\t\t\t\t\t\t\t nf_ct_protonum(ct));\n-\t\t\tif (helper) {\n-\t\t\t\terr = -EAGAIN;\n-\t\t\t\tgoto err_rcu;\n-\t\t\t}\n-\t\t\trcu_read_unlock();\n-#endif\n-\t\t\terr = -EOPNOTSUPP;\n-\t\t\tgoto err_ct;\n-\t\t}\n-\t}\n-\n-\texp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask);\n+\texp = ctnetlink_alloc_expect(cda, ct, &tuple, &mask);\n \tif (IS_ERR(exp)) {\n \t\terr = PTR_ERR(exp);\n \t\tgoto err_rcu;\n@@ -3669,8 +3633,8 @@ ctnetlink_create_expect(struct net *net,\n \tnf_ct_expect_put(exp);\n err_rcu:\n \trcu_read_unlock();\n-err_ct:\n \tnf_ct_put(ct);\n+\n \treturn err;\n }\n \n", "prefixes": [ "nf", "v4" ] }