From: Greg Kroah-Hartman Date: Wed, 3 Dec 2025 13:41:00 +0000 (+0100) Subject: 5.10-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6c9537da78e612e2c8af61dcdef5d3c1e0c5aae0;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch --- diff --git a/queue-5.10/netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch b/queue-5.10/netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch new file mode 100644 index 0000000000..d13ce306ed --- /dev/null +++ b/queue-5.10/netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch @@ -0,0 +1,63 @@ +From ea77c397bff8b6d59f6d83dae1425b08f465e8b5 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 23 May 2025 14:20:44 +0200 +Subject: netfilter: nf_set_pipapo_avx2: fix initial map fill + +From: Florian Westphal + +commit ea77c397bff8b6d59f6d83dae1425b08f465e8b5 upstream. + +If the first field doesn't cover the entire start map, then we must zero +out the remainder, else we leak those bits into the next match round map. + +The early fix was incomplete and did only fix up the generic C +implementation. + +A followup patch adds a test case to nft_concat_range.sh. + +Fixes: 791a615b7ad2 ("netfilter: nf_set_pipapo: fix initial map fill") +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_set_pipapo_avx2.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -1106,6 +1106,25 @@ bool nft_pipapo_avx2_estimate(const stru + } + + /** ++ * pipapo_resmap_init_avx2() - Initialise result map before first use ++ * @m: Matching data, including mapping table ++ * @res_map: Result map ++ * ++ * Like pipapo_resmap_init() but do not set start map bits covered by the first field. ++ */ ++static inline void pipapo_resmap_init_avx2(const struct nft_pipapo_match *m, unsigned long *res_map) ++{ ++ const struct nft_pipapo_field *f = m->f; ++ int i; ++ ++ /* Starting map doesn't need to be set to all-ones for this implementation, ++ * but we do need to zero the remaining bits, if any. ++ */ ++ for (i = f->bsize; i < m->bsize_max; i++) ++ res_map[i] = 0ul; ++} ++ ++/** + * nft_pipapo_avx2_lookup() - Lookup function for AVX2 implementation + * @net: Network namespace + * @set: nftables API set representation +@@ -1158,7 +1177,7 @@ bool nft_pipapo_avx2_lookup(const struct + res = scratch->map + (map_index ? m->bsize_max : 0); + fill = scratch->map + (map_index ? 0 : m->bsize_max); + +- /* Starting map doesn't need to be set for this implementation */ ++ pipapo_resmap_init_avx2(m, res); + + nft_pipapo_avx2_prepare(); + diff --git a/queue-5.10/series b/queue-5.10/series index 5fd5fdfed3..0459053917 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -297,3 +297,4 @@ usb-typec-ucsi-psy-set-max-current-to-zero-when-disconnected.patch usb-renesas_usbhs-fix-synchronous-external-abort-on-unbind.patch usb-uas-fix-urb-unmapping-issue-when-the-uas-device-is-remove-during-ongoing-data-transfer.patch ovl-fix-uaf-in-ovl_dentry_update_reval-by-moving-dput-in-ovl_link_up.patch +netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch