[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: b04df3da1b5c6f6dc7cdccc37941740c078c4043
WARNING: Author mismatch between patch and upstream commit:
Backport author: Pablo Neira Ayuso <pablo@netfilter.org>
Commit author: Florian Westphal <fw@strlen.de>

Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.12.y | Present (different SHA1: 7cf0bd232b56)
6.6.y | Present (different SHA1: 27f0574253f6)
6.1.y | Not found
5.15.y | Not found

Note: The patch differs from the upstream commit: --- 1: b04df3da1b5c6 ! 1: 3ff4a6c514b0d netfilter: nf_tables: do not defer rule destruction via call_rcu @@ Metadata ## Commit message ## netfilter: nf_tables: do not defer rule destruction via call_rcu
+ commit b04df3da1b5c6f6dc7cdccc37941740c078c4043 upstream. + nf_tables_chain_destroy can sleep, it can't be used from call_rcu callbacks.
@@ Commit message Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org
## include/net/netfilter/nf_tables.h ## -@@ include/net/netfilter/nf_tables.h: struct nft_rule_blob { - * @name: name of the chain - * @udlen: user data length - * @udata: user data in the chain -- * @rcu_head: rcu head for deferred release - * @blob_next: rule blob pointer to the next in the chain - */ - struct nft_chain { @@ include/net/netfilter/nf_tables.h: struct nft_chain { char *name; u16 udlen; @@ include/net/netfilter/nf_tables.h: struct nft_chain { - struct rcu_head rcu_head;
/* Only used during control plane commit phase: */ - struct nft_rule_blob *blob_next; + struct nft_rule **rules_next; @@ include/net/netfilter/nf_tables.h: static inline void nft_use_inc_restore(u32 *use) * @sets: sets in the table * @objects: stateful objects in the table @@ include/net/netfilter/nf_tables.h: struct nft_table { u32 use;
## net/netfilter/nf_tables_api.c ## -@@ net/netfilter/nf_tables_api.c: static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, +@@ net/netfilter/nf_tables_api.c: static int nf_tables_newtable(struct net *net, struct sock *nlsk, INIT_LIST_HEAD(&table->sets); INIT_LIST_HEAD(&table->objects); INIT_LIST_HEAD(&table->flowtables); - write_pnet(&table->net, net); table->family = family; table->flags = flags; - table->handle = ++nft_net->table_handle; + table->handle = ++table_handle; @@ net/netfilter/nf_tables_api.c: void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule) kfree(rule); } ---
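Review bot: In include/net/netfilter/nf_tables.h the backport drops the upstream hunk that deletes the "@rcu_head: rcu head for deferred release" kernel-doc line, while still removing "struct rcu_head rcu_head;" from struct nft_chain. If the 5.15.y kernel-doc for struct nft_chain has an @rcu_head entry, delete it in this patch too so the comment does not describe a field that no longer exists. If it has none, a short bracketed note in the commit message saying the hunk was dropped would help, since the only message change shown is the added "commit b04df3da1b5c6f6dc7cdccc37941740c078c4043 upstream." line and the context changes in nf_tables_api.c (nf_tables_newtable() signature, "++table_handle") are likewise unexplained.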
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.15.y       | Success     | Success    |