Hello Pablo Neira Ayuso, The patch 0ca743a55991: "netfilter: nf_tables: add compatibility layer for x_tables" from Oct 14, 2013, leads to the following Smatch warning: "net/netfilter/nft_compat.c:140 nft_parse_compat() warn: signedness bug returning '(-34)'" net/netfilter/nft_compat.c 131 static u8 nft_parse_compat(const struct nlattr *attr, bool *inv) 132 { 133 struct nlattr *tb[NFTA_RULE_COMPAT_MAX+1]; 134 u32 flags; 135 int err; 136 137 err = nla_parse_nested(tb, NFTA_RULE_COMPAT_MAX, attr, 138 nft_rule_compat_policy); 139 if (err < 0) 140 return err; ^^^^^^^^^^ 141 142 if (!tb[NFTA_RULE_COMPAT_PROTO] || !tb[NFTA_RULE_COMPAT_FLAGS]) 143 return -EINVAL; ^^^^^^^^^^^^^^^ 144 145 flags = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_FLAGS])); 146 if (flags & ~NFT_RULE_COMPAT_F_MASK) 147 return -EINVAL; ^^^^^^^^^^^^^^^ 148 if (flags & NFT_RULE_COMPAT_F_INV) 149 *inv = true; 150 151 return ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO])); 152 } This function returns error codes but the return type is u8 so the error codes are transformed into small positive values. The callers don't check the return. regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html