<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/next/linux-next.git/net/bridge, branch master</title>
<subtitle>The linux-next integration testing tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/atom?h=master</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/'/>
<updated>2026-07-10T12:27:20+00:00</updated>
<entry>
<title>Merge branch 'master' of git://git.code.sf.net/p/tomoyo/tomoyo.git</title>
<updated>2026-07-10T12:27:20+00:00</updated>
<author>
<name>Mark Brown</name>
<email>broonie@kernel.org</email>
</author>
<published>2026-07-10T12:27:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=ff9f5a4e3b834092477f7ee009b6dd2ea8095efa'/>
<id>urn:sha1:ff9f5a4e3b834092477f7ee009b6dd2ea8095efa</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-07-10T08:20:05+00:00</updated>
<author>
<name>Paolo Abeni</name>
<email>pabeni@redhat.com</email>
</author>
<published>2026-07-10T08:05:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=b470fde8f77b56ff273c5527484b99499b894e16'/>
<id>urn:sha1:b470fde8f77b56ff273c5527484b99499b894e16</id>
<content type='text'>
Cross-merge networking fixes after downstream PR (net-7.2-rc3).

Conflicts:

tools/testing/selftests/net/lib.sh
  dd6a23bac306b ("selftests: net: make busywait timeout clock portable")
  895bad9cc4cec ("selftests: net: make busywait timeout clock portable")

Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
</entry>
<entry>
<title>netfilter: ebtables: module names must be null-terminated</title>
<updated>2026-07-08T13:22:03+00:00</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2026-07-04T10:05:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=084d23f818321390509e9738a0b08bbf46df6425'/>
<id>urn:sha1:084d23f818321390509e9738a0b08bbf46df6425</id>
<content type='text'>
We need to explicitly check the length, else we may pass non-null
terminated string to request_module().

Cc: stable@vger.kernel.org
Fixes: bcf493428840 ("netfilter: ebtables: Fix extension lookup with identical name")
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</content>
</entry>
<entry>
<title>netfilter: ebtables: zero chainstack array</title>
<updated>2026-07-08T13:22:03+00:00</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2026-07-04T08:23:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=cbfe53599eebffd188938ab6774cc41794f6f9d5'/>
<id>urn:sha1:cbfe53599eebffd188938ab6774cc41794f6f9d5</id>
<content type='text'>
sashiko reports:
 looking at ebtables table
 translation, could a sparse cpu_possible_mask lead to an uninitialized pointer
 free?

 If cpu_possible_mask is sparse (for example, CPU 0 and CPU 2 are possible,
 but CPU 1 is not), the allocation loop skips CPU 1. If vmalloc_node() fails at
 CPU 2, the cleanup loop will blindly decrement and call vfree() on
 newinfo-&gt;chainstack[1].

Not a real-world bug, such allocation isn't expected to fail
in the first place.

Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</content>
</entry>
<entry>
<title>netfilter: ebtables: terminate table name before find_table_lock()</title>
<updated>2026-07-08T13:22:03+00:00</updated>
<author>
<name>Xiang Mei</name>
<email>xmei5@asu.edu</email>
</author>
<published>2026-07-05T21:58:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=a622d2e9608c9dff47fc2e5759ac7aa3a836b45d'/>
<id>urn:sha1:a622d2e9608c9dff47fc2e5759ac7aa3a836b45d</id>
<content type='text'>
update_counters() and compat_update_counters() forward a user-supplied
32-byte table name to find_table_lock() without NUL-terminating it. On a
lookup miss, find_inlist_lock() calls try_then_request_module(..., "%s%s",
"ebtable_", name), and vsnprintf() reads past the name field and the
stack object until it hits a zero byte.

  BUG: KASAN: stack-out-of-bounds in string (lib/vsprintf.c:648 lib/vsprintf.c:730)
  Read of size 1 at addr ffff8880119dfb20 by task exploit/147
  Call Trace:
  ...
   string (lib/vsprintf.c:648 lib/vsprintf.c:730)
   vsnprintf (lib/vsprintf.c:2945)
   __request_module (kernel/module/kmod.c:150)
   do_update_counters.isra.0 (net/bridge/netfilter/ebtables.c:371 net/bridge/netfilter/ebtables.c:380)
   update_counters (net/bridge/netfilter/ebtables.c:1440)
   do_ebt_set_ctl (net/bridge/netfilter/ebtables.c:2573)
   nf_setsockopt (net/netfilter/nf_sockopt.c:101)
   ip_setsockopt (net/ipv4/ip_sockglue.c:1424)
   raw_setsockopt (net/ipv4/raw.c:847)
   __sys_setsockopt (net/socket.c:2393)
  ...

compat_do_replace() shares the same unterminated name via
compat_copy_ebt_replace_from_user(); terminate it there too so all
find_table_lock() callers behave alike. The other callers already
terminate the name after the copy.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Cc: stable@vger.kernel.org
Reported-by: Weiming Shi &lt;bestswngs@gmail.com&gt;
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei &lt;xmei5@asu.edu&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</content>
</entry>
<entry>
<title>net: add "struct dst_entry" debugging</title>
<updated>2026-07-06T10:59:26+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@I-love.SAKURA.ne.jp</email>
</author>
<published>2026-06-29T11:36:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=c84e50ccc177911c542472fca1f4aea843f8d0cc'/>
<id>urn:sha1:c84e50ccc177911c542472fca1f4aea843f8d0cc</id>
<content type='text'>
This change is not for upstream. This change is for linux-next only.

syzbot is reporting "struct dst_entry" leaks.

  unregister_netdevice: waiting for lo to become free. Usage count = 2
  ref_tracker: netdev@ffff88807a79a630 has 1/1 users at
     __netdev_tracker_alloc include/linux/netdevice.h:4418 [inline]
     netdev_hold include/linux/netdevice.h:4447 [inline]
     dst_init+0xe6/0x490 net/core/dst.c:52
     dst_alloc+0x12a/0x170 net/core/dst.c:94
     rt_dst_alloc net/ipv4/route.c:1651 [inline]
     __mkroute_output net/ipv4/route.c:2655 [inline]
  (...snipped...)

Let's try to report all trace hold/release calls.

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
</content>
</entry>
<entry>
<title>Merge tag 'nf-next-26-07-02' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next</title>
<updated>2026-07-03T20:00:24+00:00</updated>
<author>
<name>Paolo Abeni</name>
<email>pabeni@redhat.com</email>
</author>
<published>2026-07-03T20:00:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=b73bc9ca3686b78b642fb35dcc1fdf874ecb74a1'/>
<id>urn:sha1:b73bc9ca3686b78b642fb35dcc1fdf874ecb74a1</id>
<content type='text'>
Florian Westphal says:

====================
netfilter: updates for net-next

The following patchset contains Netfilter updates for *net-next*.

1) Update nfnetlink_hook to dump the individual NAT type chains
instead of the nat base chains to userspace. From Phil Sutter.

2) Replace strlcpy/strlcat() with snprintf() in x_tables, from Ian Bridges.

3) Start replacing u_int8_t and u_int16t with u8 and u16 in netfilter.
From Carlos Grillet.

4) Replace strcpy() with strscpy() in netfilter, from David Laight.

5) Remove redundant NULL check before kvfree().

6) Add parameter validation to xt_tcpmss. Ensure mss_min &lt;= mss_max and
invert &lt;= 1.  From Feng Wu.

7) Add checkentry for xt_dscp 'tos' match. Implement tos_mt_check() to reject
invalid invert values.  Also from Feng Wu.

8) Stop hashing nf_conntrack_helper by tuple. Switch to hashing by name and
L4 protocol.

9) Remove tuples from conntrack helper definitions and port usage from
broadcast helpers. Add netlink policy validation to prevent protocol
number truncation.

10) Remove obsolete netfilter conntrack module parameters.

11) Bound num_counters in ebtables: do_replace() by MAX_EBT_ENTRIES to prevent
oversized vmalloc_array() allocations.  From Jiayuan Chen.

12) Make expectations created via nft_ct rules work with NAT.

netfilter pull request nf-next-26-07-02

* tag 'nf-next-26-07-02' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
  netfilter: nft_ct: support expectation creation for natted flows
  netfilter: ebtables: bound num_counters like nentries in do_replace()
  netfilter: conntrack: remove obsolete module parameters
  netfilter: conntrack: get rid of tuple in helper definitions
  netfilter: nf_conntrack_helper: do not hash by tuple
  netfilter: xt_dscp: add checkentry for tos match
  netfilter: xt_tcpmss: add checkentry for parameter validation
  netfilter: remove redundant null check before kvfree()
  netfilter: avoid strcpy usage
  netfilter: replace u_int8_t and u_int16t with u8 and u16
  netfilter: x_tables: replace strlcat() with snprintf()
  netfilter: nfnetlink_hook: Dump nat type chains
====================

Link: https://patch.msgid.link/20260702105003.13550-1-fw@strlen.de
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
</entry>
<entry>
<title>netfilter: ebtables: bound num_counters like nentries in do_replace()</title>
<updated>2026-07-02T10:17:14+00:00</updated>
<author>
<name>Jiayuan Chen</name>
<email>jiayuan.chen@linux.dev</email>
</author>
<published>2026-06-10T03:02:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=43ae85af154b27f9a0ff602f7a01e3a7583ffdab'/>
<id>urn:sha1:43ae85af154b27f9a0ff602f7a01e3a7583ffdab</id>
<content type='text'>
do_replace_finish() allocates the counter buffer before it is validated:

   counterstmp = vmalloc_array(repl-&gt;num_counters, sizeof(*counterstmp));

do_replace() only checks num_counters against INT_MAX / sizeof(struct
ebt_counter), so vmalloc_array() can be asked for up to 134217726 * 16 =
2147483616 bytes (~2 GiB).

num_counters must in fact equal nentries: do_replace_finish() later
rejects the request when repl-&gt;num_counters != t-&gt;private-&gt;nentries.
get_counters() folds the per-CPU counters back into one entry per rule,
so what userspace gets is bounded by nentries, never by nentries *
nr_cpus. Apply the same upper bound used for nentries (MAX_EBT_ENTRIES)
to the incoming num_counters so the over-sized allocation can no longer
be requested.

The allocation is still kept outside the ebt_mutex, since vmalloc() may
sleep and trigger reclaim; only the bound is tightened.

Signed-off-by: Jiayuan Chen &lt;jiayuan.chen@linux.dev&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</content>
</entry>
<entry>
<title>bridge: stp: Fix a potential use-after-free when deleting a bridge</title>
<updated>2026-06-30T13:14:35+00:00</updated>
<author>
<name>Ido Schimmel</name>
<email>idosch@nvidia.com</email>
</author>
<published>2026-06-29T07:21:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=2a00517db8de4be7df3d483b215c5544fb30a191'/>
<id>urn:sha1:2a00517db8de4be7df3d483b215c5544fb30a191</id>
<content type='text'>
The three STP timers are not supposed to be armed while the bridge is
administratively down. They are synchronously deactivated when the
bridge is put administratively down and the various call sites check for
'IFF_UP' before arming them.

This check is missing from br_topology_change_detection() and it is
possible to engineer a situation in which the topology change timer is
armed while the bridge is administratively down, resulting in a
use-after-free [1] when the bridge is deleted.

Fix by adding the missing check and for good measures synchronously
shutdown the three timers when the bridge is deleted.

[1]
ODEBUG: free active (active state 0) object: ffff88811662b9b0 object type: timer_list hint: br_topology_change_timer_expired (net/bridge/br_stp_timer.c:120)
WARNING: lib/debugobjects.c:629 at debug_print_object+0x1bc/0x450, CPU#9: ip/359

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Noam Rathaus &lt;noamr@ssd-disclosure.com&gt;
Reported-by: Neil Young &lt;contact@ssd-disclosure.com&gt;
Acked-by: Nikolay Aleksandrov &lt;nikolay@nvidia.com&gt;
Signed-off-by: Ido Schimmel &lt;idosch@nvidia.com&gt;
Reviewed-by: Breno Leitao &lt;leitao@debian.org&gt;
Link: https://patch.msgid.link/20260629072117.497959-1-idosch@nvidia.com
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
</entry>
<entry>
<title>netfilter: nft_meta_bridge: fix NFT_META_BRI_IIFPVID stack leak</title>
<updated>2026-06-20T22:18:37+00:00</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2026-06-18T22:34:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=27dd2997746d54ebc079bb13161cc1bdd401d4a6'/>
<id>urn:sha1:27dd2997746d54ebc079bb13161cc1bdd401d4a6</id>
<content type='text'>
This needs to test for nonzero retval.

Fixes: c54c7c685494 ("netfilter: nft_meta_bridge: add NFT_META_BRI_IIFPVID support")
Closes: https://sashiko.dev/#/patchset/20260618061631.21919-1-fw%40strlen.de
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
</feed>
