--- /dev/null
+From b85e3367a5716ed3662a4fe266525190d2af76df Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 22 Apr 2025 21:52:44 +0200
+Subject: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit b85e3367a5716ed3662a4fe266525190d2af76df upstream.
+
+Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof()
+when resizing hashtable because __GFP_NOWARN is unset.
+
+Similar to:
+
+ b541ba7d1f5a ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX")
+
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+[ Keerthana: Handle freeing new_lt ]
+Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_set_pipapo.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -665,6 +665,11 @@ static int pipapo_resize(struct nft_pipa
+ }
+
+ mt:
++ if (rules > (INT_MAX / sizeof(*new_mt))) {
++ kvfree(new_lt);
++ return -ENOMEM;
++ }
++
+ new_mt = kvmalloc(rules * sizeof(*new_mt), GFP_KERNEL);
+ if (!new_mt) {
+ kvfree(new_lt);
+@@ -1358,6 +1363,9 @@ static struct nft_pipapo_match *pipapo_c
+ src->bsize * sizeof(*dst->lt) *
+ src->groups * NFT_PIPAPO_BUCKETS(src->bb));
+
++ if (src->rules > (INT_MAX / sizeof(*src->mt)))
++ goto out_mt;
++
+ dst->mt = kvmalloc(src->rules * sizeof(*src->mt), GFP_KERNEL);
+ if (!dst->mt)
+ goto out_mt;
projects / thirdparty / kernel / stable-queue.git / commitdiff
