From b754ead78c33badad350deefa4d7fd333ae19d6a Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 7 Feb 2026 16:43:17 +0100
Subject: [PATCH] 6.1-stable patches

added patches:
 netfilter-nft_set_pipapo-clamp-maximum-map-bucket-size-to-int_max.patch
---
 ...p-maximum-map-bucket-size-to-int_max.patch | 49 +++++++++++++++++++
 queue-6.1/series | 1 +
 2 files changed, 50 insertions(+)
 create mode 100644 queue-6.1/netfilter-nft_set_pipapo-clamp-maximum-map-bucket-size-to-int_max.patch

diff --git a/queue-6.1/netfilter-nft_set_pipapo-clamp-maximum-map-bucket-size-to-int_max.patch b/queue-6.1/netfilter-nft_set_pipapo-clamp-maximum-map-bucket-size-to-int_max.patch
new file mode 100644
index 0000000000..f47b883f4c
--- /dev/null
+++ b/queue-6.1/netfilter-nft_set_pipapo-clamp-maximum-map-bucket-size-to-int_max.patch
@@ -0,0 +1,49 @@
+From b85e3367a5716ed3662a4fe266525190d2af76df Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Tue, 22 Apr 2025 21:52:44 +0200
+Subject: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX
+
+From: Pablo Neira Ayuso
+
+commit b85e3367a5716ed3662a4fe266525190d2af76df upstream.
+
+Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof()
+when resizing hashtable because __GFP_NOWARN is unset.
+
+Similar to:
+
+ b541ba7d1f5a ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX")
+
+Reviewed-by: Stefano Brivio
+Signed-off-by: Pablo Neira Ayuso
+[ Keerthana: Handle freeing new_lt ]
+Signed-off-by: Keerthana K
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_set_pipapo.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -667,6 +667,11 @@ static int pipapo_resize(struct nft_pipa
+ }
+
+ mt:
++ if (rules > (INT_MAX / sizeof(*new_mt))) {
++ kvfree(new_lt);
++ return -ENOMEM;
++ }
++
+ new_mt = kvmalloc(rules * sizeof(*new_mt), GFP_KERNEL);
+ if (!new_mt) {
+ kvfree(new_lt);
+@@ -1360,6 +1365,9 @@ static struct nft_pipapo_match *pipapo_c
+ src->bsize * sizeof(*dst->lt) *
+ src->groups * NFT_PIPAPO_BUCKETS(src->bb));
+
++ if (src->rules > (INT_MAX / sizeof(*src->mt)))
++ goto out_mt;
++
+ dst->mt = kvmalloc(src->rules * sizeof(*src->mt), GFP_KERNEL);
+ if (!dst->mt)
+ goto out_mt;
diff --git a/queue-6.1/series b/queue-6.1/series
index e593064116..bc12f0ff66 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -5,3 +5,4 @@ rbd-check-for-eod-after-exclusive-lock-is-ensured-to-be-held.patch
 arm-9468-1-fix-memset64-on-big-endian.patch
 revert-drm-amd-check-if-aspm-is-enabled-from-pcie-subsystem.patch
 kvm-don-t-clobber-irqfd-routing-type-when-deassigning-irqfd.patch
+netfilter-nft_set_pipapo-clamp-maximum-map-bucket-size-to-int_max.patch
-- 
2.47.3
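Review bot: The two added size guards, before the `kvmalloc()` at the `mt:` label in pipapo_resize() and before the `dst->mt` allocation in pipapo_clone(), carry no comment saying why the bound is INT_MAX, so a later reader can take them for a generic multiplication-overflow check and loosen or drop them. The commit message gives the reason (an oversized request hits a WARN_ON_ONCE in the kvmalloc path because __GFP_NOWARN is unset); I would put that in the code, e.g. `/* kvmalloc() warns on sizes above INT_MAX without __GFP_NOWARN; reject them up front */` above each check. The same guard is also what keeps the open-coded `rules * sizeof(*new_mt)` and `src->rules * sizeof(*src->mt)` products in range, which is worth saying in that comment too. Both function bodies start and end outside the hunks; the pipapo_clone() check takes the same `out_mt` path as the existing `if (!dst->mt)` failure check right below it, so the cleanup should match, but the label itself is not visible here.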