Hi,

The following patchset contains Netfilter fixes for net:

1) Fix esoteric UB due to uninitialized stack access in
   ip_vs_protocol_init(), from Jinghao Jia.

2) Fix iptables xt_LED slab-out-of-bounds, reported by syzbot,
   patch from Dmitry Antipov.

3) Remove WARN_ON_ONCE reachable from userspace to cap maximum cgroup
   levels to 255, reported by syzbot.

4) Fix nft_inner incorrect use of percpu area to store tunnel parser
   context with softirqs, reported by syzbot.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-11-28

Thanks.

----------------------------------------------------------------

The following changes since commit 04f5cb48995d51deed0af71aaba1b8699511313f:

  Documentation: tls_offload: fix typos and grammar (2024-11-28 12:09:06 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-11-28

for you to fetch changes up to c24e5dbe2e66a24b1713d893806e3fb340df3501:

  netfilter: nft_inner: incorrect percpu area handling under softirq (2024-11-28 13:14:24 +0100)

----------------------------------------------------------------
netfilter pull request 24-11-28

----------------------------------------------------------------
Dmitry Antipov (1):
      netfilter: x_tables: fix LED ID check in led_tg_check()

Jinghao Jia (1):
      ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()

Pablo Neira Ayuso (2):
      netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level
      netfilter: nft_inner: incorrect percpu area handling under softirq

 include/net/netfilter/nf_tables_core.h |  1 +
 net/netfilter/ipvs/ip_vs_proto.c       |  4 +--
 net/netfilter/nft_inner.c              | 56 ++++++++++++++++++++++++++--------
 net/netfilter/nft_socket.c             |  2 +-
 net/netfilter/xt_LED.c                 |  4 ++-
 5 files changed, 50 insertions(+), 17 deletions(-)