[ Sasha's backport helper bot ]
Hi,
Summary of potential issues: ℹ️ This is part 2/3 of a series ⚠️ Found follow-up fixes in mainline
The upstream commit SHA1 provided is correct: c03d278fdf35e73dd0ec543b9b556876b9d9a8dc
Status in newer kernel trees: 6.14.y | Present (exact SHA1) 6.12.y | Present (exact SHA1) 6.6.y | Present (different SHA1: bfd05c68e4c6) 6.1.y | Not found 5.15.y | Not found
Found fixes commits: b04df3da1b5c netfilter: nf_tables: do not defer rule destruction via call_rcu
Note: The patch differs from the upstream commit: --- 1: c03d278fdf35e ! 1: 69ad0f74eb737 netfilter: nf_tables: wait for rcu grace period on net_device removal @@ Metadata ## Commit message ## netfilter: nf_tables: wait for rcu grace period on net_device removal
+ commit c03d278fdf35e73dd0ec543b9b556876b9d9a8dc upstream. + 8c873e219970 ("netfilter: core: free hooks with call_rcu") removed synchronize_net() call when unregistering basechain hook, however, net_device removal event handler for the NFPROTO_NETDEV was not updated @@ Commit message Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org
## include/net/netfilter/nf_tables.h ## -@@ include/net/netfilter/nf_tables.h: struct nft_rule_blob { - * @name: name of the chain - * @udlen: user data length - * @udata: user data in the chain -+ * @rcu_head: rcu head for deferred release - * @blob_next: rule blob pointer to the next in the chain - */ - struct nft_chain { @@ include/net/netfilter/nf_tables.h: struct nft_chain { char *name; u16 udlen; @@ include/net/netfilter/nf_tables.h: struct nft_chain { + struct rcu_head rcu_head;
/* Only used during control plane commit phase: */ - struct nft_rule_blob *blob_next; + struct nft_rule **rules_next; @@ include/net/netfilter/nf_tables.h: static inline void nft_use_inc_restore(u32 *use) * @sets: sets in the table * @objects: stateful objects in the table @@ include/net/netfilter/nf_tables.h: struct nft_table { u32 use;
## net/netfilter/nf_tables_api.c ## -@@ net/netfilter/nf_tables_api.c: static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, +@@ net/netfilter/nf_tables_api.c: static int nf_tables_newtable(struct net *net, struct sock *nlsk, INIT_LIST_HEAD(&table->sets); INIT_LIST_HEAD(&table->objects); INIT_LIST_HEAD(&table->flowtables); + write_pnet(&table->net, net); table->family = family; table->flags = flags; - table->handle = ++nft_net->table_handle; + table->handle = ++table_handle; @@ net/netfilter/nf_tables_api.c: int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, } EXPORT_SYMBOL_GPL(nft_data_dump); ---
NOTE: These results are for this patch alone. Full series testing will be performed when all parts are received.
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-5.15.y | Success | Success |