From: Greg Kroah-Hartman Date: Wed, 17 Sep 2025 15:13:23 +0000 (+0200) Subject: 6.16-stable patches X-Git-Tag: v6.1.153~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0c6237e517860496c3dece455ec705bbcc9a0d79;p=thirdparty%2Fkernel%2Fstable-queue.git 6.16-stable patches added patches: netfilter-nft_set_pipapo-fix-null-deref-for-empty-set.patch --- diff --git a/queue-6.16/netfilter-nft_set_pipapo-fix-null-deref-for-empty-set.patch b/queue-6.16/netfilter-nft_set_pipapo-fix-null-deref-for-empty-set.patch new file mode 100644 index 0000000000..546b96d85b --- /dev/null +++ b/queue-6.16/netfilter-nft_set_pipapo-fix-null-deref-for-empty-set.patch @@ -0,0 +1,40 @@ +From 30c1d25b9870d551be42535067d5481668b5e6f3 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 11 Aug 2025 12:26:10 +0200 +Subject: netfilter: nft_set_pipapo: fix null deref for empty set + +From: Florian Westphal + +commit 30c1d25b9870d551be42535067d5481668b5e6f3 upstream. + +Blamed commit broke the check for a null scratch map: + - if (unlikely(!m || !*raw_cpu_ptr(m->scratch))) + + if (unlikely(!raw_cpu_ptr(m->scratch))) + +This should have been "if (!*raw_ ...)". +Use the pattern of the avx2 version which is more readable. + +This can only be reproduced if avx2 support isn't available. + +Fixes: d8d871a35ca9 ("netfilter: nft_set_pipapo: merge pipapo_get/lookup") +Signed-off-by: Florian Westphal +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_set_pipapo.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -426,10 +426,9 @@ static struct nft_pipapo_elem *pipapo_ge + + local_bh_disable(); + +- if (unlikely(!raw_cpu_ptr(m->scratch))) +- goto out; +- + scratch = *raw_cpu_ptr(m->scratch); ++ if (unlikely(!scratch)) ++ goto out; + + map_index = scratch->map_index; + diff --git a/queue-6.16/series b/queue-6.16/series index 7ab1708852..a928e86a7e 100644 --- a/queue-6.16/series 
+++ b/queue-6.16/series @@ -187,3 +187,4 @@ phy-qcom-qmp-pcie-fix-phy-initialization-when-powered-down-by-firmware.patch phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch phy-ti-omap-usb2-fix-device-leak-at-unbind.patch phy-ti-pipe3-fix-device-leak-at-unbind.patch +netfilter-nft_set_pipapo-fix-null-deref-for-empty-set.patch
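Review bot: In the net/netfilter/nft_set_pipapo.c hunk, `scratch = *raw_cpu_ptr(m->scratch);` dereferences `m` with no NULL test, and the changelog does not say why that is safe. The changelog quotes the pre-regression condition as `!m || !*raw_cpu_ptr(m->scratch)`, but it only accounts for the lost `*`, not for the `!m` half that stays dropped. If the caller guarantees a non-NULL `m` here, one sentence saying so in the commit message would settle it; if not, `m` needs its own test before the load. A short comment above `if (unlikely(!scratch))` noting that the per-CPU scratch pointer is NULL for an empty set (the case named in the subject) would help keep the check from being misread again. Since the changelog states the bug only reproduces without avx2, it would also help to say whether the fix was exercised on the non-avx2 lookup path.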