[LTS 9.2] netfilter: CVE-2024-27397, CVE-2024-57947, CVE-2025-38120 #803

pvts-mat · 2026-01-08T01:57:53Z

[LTS 9.2]
CVE-2024-27397 VULN-7048
CVE-2024-57947 VULN-42212
CVE-2025-38120 VULN-71797

Commits

CVE-2024-27397

The fix for CVE-2024-27397 got "unlocked" after merging #668 where most of the prerequisites fell into place. A small prereq netfilter: nft_set_rbtree: .deactivate fails if element has expired was pulled in to further reduce conflicts. The remaining modifications required are explained in the upstream-diff below.

netfilter: nft_set_rbtree: .deactivate fails if element has expired

jira VULN-7048
cve-pre CVE-2024-27397
commit-author Pablo Neira Ayuso <[email protected]>
commit d111692a59c1470ae530cbb39bcf0346c950ecc7

netfilter: nf_tables: use timestamp to check for set element timeout

jira VULN-7048
cve CVE-2024-27397
commit-author Pablo Neira Ayuso <[email protected]>
commit 7395dfacfff65e9938ac0889dafa1ab01e987d15
upstream-diff Omitted changes in `nft_rbtree_gc()' in
  net/netfilter/nft_set_rbtree.c. Function `nft_rbtree_gc()' was changed
  from async to sync in 7d259f021aaa78904b6c836d975e8e00d83a182a
  ("nft_set_rbtree: prefer sync gc to async worker"), which was not
  backported to ciqlts9_2 and `nft_rbtree_gc()' remains asynchronous in
  this version. The upstream fix 7395dfacfff65e9938ac0889dafa1ab01e987d15
  left checking current time as it was in the async garbage collectors:
  "Then, there is async gc which also needs to check the current time
  since it runs asynchronously from a workqueue." Similar situation
  occurred in linux-5.15.y and the fix backported as
  0d40e8cb1d1f56a994cdd2e015af622fdca9ed4d omits changes in
  `nft_rbtree_gc()' as well.

CVE-2024-57947 (+ CVE-2025-38120)

The prerequisite f04df57 netfilter: nft_set_pipapo: constify lookup fn args where possible wasn't strictly necessary, but it's functionally neutral and it helped avoid petty conflicts when backporting the main fix 791a615 netfilter: nf_set_pipapo: fix initial map fill. The follow-up ea77c39 netfilter: nf_set_pipapo_avx2: fix initial map fill is actually a bugfix for CVE-2024-57947, but it has its own CVE-2025-38120 assigned so it was used in place of cve-bf tag.

netfilter: nft_set_pipapo: constify lookup fn args where possible

jira VULN-42212
cve-pre CVE-2024-57947
commit-author Florian Westphal <[email protected]>
commit f04df573faf90bb828a2241b650598c02c074323
upstream-diff Context conflicts resolution in `nft_pipapo_avx2_lookup()'.
  No actual diff.

netfilter: nf_set_pipapo: fix initial map fill

jira VULN-42212
cve CVE-2024-57947
commit-author Florian Westphal <[email protected]>
commit 791a615b7ad2258c560f91852be54b0480837c93

netfilter: nf_set_pipapo_avx2: fix initial map fill

jira VULN-71797
cve CVE-2025-38120
commit-author Florian Westphal <[email protected]>
commit ea77c397bff8b6d59f6d83dae1425b08f465e8b5

kABI check: passed

[1/2] kabi_check_kernel	Check ABI of kernel [ciqlts9_2-CVE-batch-16]	_kabi_check_kernel__x86_64--test--ciqlts9_2-CVE-batch-16
++ uname -m
+ python3 /data/src/ctrliq-github-haskell/kernel-dist-git-el-9.2/SOURCES/check-kabi -k /data/src/ctrliq-github-haskell/kernel-dist-git-el-9.2/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts9_2/build_files/kernel-src-tree-ciqlts9_2-CVE-batch-16/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts9_2-CVE-batch-16/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed

Reference

kselftests–ciqlts9_2–run1.log
kselftests–ciqlts9_2–run2.log

Patch

kselftests–ciqlts9_2-CVE-batch-16–run1.log
kselftests–ciqlts9_2-CVE-batch-16–run2.log
kselftests–ciqlts9_2-CVE-batch-16–run3.log
kselftests–ciqlts9_2-CVE-batch-16–run4.log
kselftests–ciqlts9_2-CVE-batch-16–run5.log

Comparison

The tests results for the reference and the patch are the same.

$ ktests.xsh diff  kselftests*.log

Column    File
--------  --------------------------------------------
Status0   kselftests--ciqlts9_2--run1.log
Status1   kselftests--ciqlts9_2--run2.log
Status2   kselftests--ciqlts9_2-CVE-batch-16--run1.log
Status3   kselftests--ciqlts9_2-CVE-batch-16--run2.log
Status4   kselftests--ciqlts9_2-CVE-batch-16--run3.log
Status5   kselftests--ciqlts9_2-CVE-batch-16--run4.log
Status6   kselftests--ciqlts9_2-CVE-batch-16--run5.log

TestCase                              Status0  Status1  Status2  Status3  Status4  Status5  Status6  Summary
netfilter:conntrack_icmp_related.sh   pass     pass     pass     pass     pass     pass     pass     same
netfilter:conntrack_tcp_unreplied.sh  pass     pass     pass     pass     pass     pass     pass     same
netfilter:conntrack_vrf.sh            pass     pass     pass     pass     pass     pass     pass     same
netfilter:ipip-conntrack-mtu.sh       pass     pass     pass     pass     pass     pass     pass     same
netfilter:ipvs.sh                     pass     pass     pass     pass     pass     pass     pass     same
netfilter:nf_nat_edemux.sh            pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_conntrack_helper.sh     pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_fib.sh                  pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_meta.sh                 pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_nat.sh                  pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_queue.sh                pass     pass     pass     pass     pass     pass     pass     same
netfilter:rpath.sh                    pass     pass     pass     pass     pass     pass     pass     same

PlaidCat

These look fine will you also make sure this is updated to the latest 9.2 head

github-actions · 2026-01-14T17:38:09Z

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/21003894885

github-actions · 2026-01-14T17:38:11Z

🔍 Interdiff Analysis

⚠️ PR commit 34e5e17a1fa (netfilter: nf_tables: use timestamp to check for set element timeout) → upstream 7395dfacfff6
Differences found:

diff -u b/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
--- b/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1687,6 +1687,4 @@
 	return net_generic(net, nf_tables_net_id);
 }
 
-#define __NFT_REDUCE_READONLY	1UL
-#define NFT_REDUCE_READONLY	(void *)__NFT_REDUCE_READONLY
-
+#endif /* _NET_NF_TABLES_H */
@@ -1699,2 +1706,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 
+static inline u64 nft_net_tstamp(const struct net *net)
+{
+	return nft_pernet(net)->tstamp;
+}
+
 #endif /* _NET_NF_TABLES_H */
@@ -1798,6 +1805,11 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 	return net_generic(net, nf_tables_net_id);
 }
 
+static inline u64 nft_net_tstamp(const struct net *net)
+{
+	return nft_pernet(net)->tstamp;
+}
+
 #define __NFT_REDUCE_READONLY	1UL
 #define NFT_REDUCE_READONLY	(void *)__NFT_REDUCE_READONLY
 
diff -u b/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
--- b/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9199,7 +9199,7 @@
 	u64 tstamp = nft_net_tstamp(gc->net);
 	const struct nft_set *set = gc->set;
 	struct nft_elem_priv *elem_priv;
-	struct nft_set_ext *ext;
+	struct nft_set_elem elem;
 	list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
 		ext = nft_set_elem_ext(set, catchall->elem);
 
diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1566,4 +1566,4 @@
-{
+	struct nft_set *set = (struct nft_set *) _set;
 	struct nft_pipapo *priv = nft_set_priv(set);
 	struct net *net = read_pnet(&set->net);
 	u64 tstamp = nft_net_tstamp(net);
diff -u b/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
--- b/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -576,7 +576,18446744073709551607 @@
-			rbe_end = rbe;
-			continue;
-		}
-		if (!nft_set_elem_expired(&rbe->ext))
-			continue;
-
-		gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
@@ -626,6 +628,8 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 {
 	struct nft_rbtree *priv = nft_set_priv(set);
 	struct nft_rbtree_elem *rbe, *rbe_end = NULL;
+	struct net *net = read_pnet(&set->net);
+	u64 tstamp = nft_net_tstamp(net);
 	struct rb_node *node, *next;
 	struct nft_trans_gc *gc;
 	struct net *net;
@@ -628,7 +632,6 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 	struct nft_rbtree_elem *rbe, *rbe_end = NULL;
 	struct rb_node *node, *next;
 	struct nft_trans_gc *gc;
-	struct net *net;
 
 	set  = nft_set_container_of(priv);
 	net  = read_pnet(&set->net);
@@ -650,7 +653,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 			rbe_end = rbe;
 			continue;
 		}
-		if (!nft_set_elem_expired(&rbe->ext))
+		if (!__nft_set_elem_expired(&rbe->ext, tstamp))
 			continue;
 
 		gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);

⚠️ PR commit e8f0ad5dc97 (netfilter: nft_set_pipapo: constify lookup fn args where possible) → upstream f04df573faf9
Differences found:

diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -411,4 +411,4 @@
-	struct nft_pipapo_scratch *scratch;
+	struct nft_pipapo *priv = nft_set_priv(set);
 	unsigned long *res_map, *fill_map;
 	u8 genmask = nft_genmask_cur(net);
 	const struct nft_pipapo_match *m;
diff -u b/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
--- b/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1061,3 +1061,3 @@
 {
-	unsigned long bsize = f->bsize;
+	unsigned long *lt = f->lt, bsize = f->bsize;
 	int i, ret = -1, b;
@@ -1133,8 +1146,6 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 	struct nft_pipapo_scratch *scratch;
 	u8 genmask = nft_genmask_cur(net);
 	const u8 *rp = (const u8 *)key;
-	struct nft_pipapo_match *m;
-	struct nft_pipapo_field *f;
 	unsigned long *res, *fill;
 	bool map_index;
 	int i, ret = 0;
@@ -1133,11 +1133,11 @@
 	struct nft_pipapo *priv = nft_set_priv(set);
-	struct nft_pipapo_scratch *scratch;
+	unsigned long *res, *fill, *scratch;
 	u8 genmask = nft_genmask_cur(net);
 	const struct nft_pipapo_match *m;
 	const struct nft_pipapo_field *f;
 	const u8 *rp = (const u8 *)key;
 	struct nft_pipapo_match *m;
 	struct nft_pipapo_field *f;
-	unsigned long *res, *fill;
 	bool map_index;
 	int i, ret = 0;
+
@@ -1138,8 +1151,6 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 	unsigned long *res, *fill, *scratch;
 	u8 genmask = nft_genmask_cur(net);
 	const u8 *rp = (const u8 *)key;
-	struct nft_pipapo_match *m;
-	struct nft_pipapo_field *f;
 	bool map_index;
 	int i, ret = 0;

⚠️ PR commit bd3db59e2e4 (netfilter: nf_set_pipapo: fix initial map fill) → upstream 791a615b7ad2
Differences found:

diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -429,5 +429,5 @@
-	res_map  = scratch->map + (map_index ? m->bsize_max : 0);
-	fill_map = scratch->map + (map_index ? 0 : m->bsize_max);
+	res_map  = *raw_cpu_ptr(m->scratch) + (map_index ? m->bsize_max : 0);
+	fill_map = *raw_cpu_ptr(m->scratch) + (map_index ? 0 : m->bsize_max);
 
 	pipapo_resmap_init(m, res_map);
 
diff -u b/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
--- b/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1060,7 +1060,7 @@
 					const struct nft_pipapo_field *f,
 					int offset, const u8 *pkt,
 					bool first, bool last)
-	int i, ret = -1, b;
+	lt += offset * NFT_PIPAPO_LONGS_PER_M256;
 
 	if (first)
 		pipapo_resmap_init(mdata, map);

⚠️ PR commit e2694379e9c (netfilter: nf_set_pipapo_avx2: fix initial map fill) → upstream ea77c397bff8
Differences found:

diff -u b/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
--- b/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1182,5 +1182,5 @@
-	res  = scratch->map + (map_index ? m->bsize_max : 0);
-	fill = scratch->map + (map_index ? 0 : m->bsize_max);
+	res  = scratch + (map_index ? m->bsize_max : 0);
+	fill = scratch + (map_index ? 0 : m->bsize_max);
 
 	pipapo_resmap_init_avx2(m, res);

This is an automated interdiff check for backported commits.

github-actions · 2026-01-14T17:39:27Z

JIRA PR Check Results

5 commit(s) with issues found:

Commit `e2694379e9c7`

Summary: netfilter: nf_set_pipapo_avx2: fix initial map fill

⚠️ Warnings:

VULN-71797: No time logged - please log time manually

Commit `bd3db59e2e4f`

Summary: netfilter: nf_set_pipapo: fix initial map fill

⚠️ Warnings:

VULN-42212: No time logged - please log time manually

Commit `e8f0ad5dc97c`

Summary: netfilter: nft_set_pipapo: constify lookup fn args where possible

⚠️ Warnings:

VULN-42212: No time logged - please log time manually

Commit `34e5e17a1fad`

Summary: netfilter: nf_tables: use timestamp to check for set element timeout

⚠️ Warnings:

VULN-7048: No time logged - please log time manually

Commit `36de0c18e01b`

Summary: netfilter: nft_set_rbtree: .deactivate fails if element has expired

⚠️ Warnings:

VULN-7048: No time logged - please log time manually

Summary: Checked 5 commit(s) total.

github-actions · 2026-01-14T17:39:28Z

✅ Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/21003894885

PlaidCat · 2026-01-14T17:41:55Z

🔍 Interdiff Analysis

I didn't see any issues with this because of the noted execptions in the commit.

bmastbergen

🥌

PlaidCat · 2026-01-15T19:29:35Z

There are apparently conflicts can you address these and push an update

jira VULN-7048 cve-pre CVE-2024-27397 commit-author Pablo Neira Ayuso <[email protected]> commit d111692 This allows to remove an expired element which is not possible in other existing set backends, this is more noticeable if gc-interval is high so expired elements remain in the tree. On-demand gc also does not help in this case, because this is delete element path. Return NULL if element has expired. Fixes: 8d8540c ("netfilter: nft_set_rbtree: add timeout support") Signed-off-by: Pablo Neira Ayuso <[email protected]> Signed-off-by: Florian Westphal <[email protected]> (cherry picked from commit d111692) Signed-off-by: Marcin Wcisło <[email protected]>

jira VULN-7048 cve CVE-2024-27397 commit-author Pablo Neira Ayuso <[email protected]> commit 7395dfa upstream-diff Omitted changes in `nft_rbtree_gc()' in net/netfilter/nft_set_rbtree.c. Function `nft_rbtree_gc()' was changed from async to sync in 7d259f0 ("nft_set_rbtree: prefer sync gc to async worker"), which was not backported to ciqlts9_2 and `nft_rbtree_gc()' remains asynchronous in this version. The upstream fix 7395dfa left checking current time as it was in the async garbage collectors: "Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue." Similar situation occurred in linux-5.15.y and the fix backported as 0d40e8c omits changes in `nft_rbtree_gc()' as well. Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue. Fixes: c3e1b00 ("netfilter: nf_tables: add set element timeout support") Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 7395dfa) Signed-off-by: Marcin Wcisło <[email protected]>

jira VULN-42212 cve-pre CVE-2024-57947 commit-author Florian Westphal <[email protected]> commit f04df57 upstream-diff Context conflicts resolution in `nft_pipapo_avx2_lookup()'. No actual diff. Those get called from packet path, content must not be modified. No functional changes intended. Reviewed-by: Stefano Brivio <[email protected]> Signed-off-by: Florian Westphal <[email protected]> (cherry picked from commit f04df57) Signed-off-by: Marcin Wcisło <[email protected]>

jira VULN-42212 cve CVE-2024-57947 commit-author Florian Westphal <[email protected]> commit 791a615 The initial buffer has to be inited to all-ones, but it must restrict it to the size of the first field, not the total field size. After each round in the map search step, the result and the fill map are swapped, so if we have a set where f->bsize of the first element is smaller than m->bsize_max, those one-bits are leaked into future rounds result map. This makes pipapo find an incorrect matching results for sets where first field size is not the largest. Followup patch adds a test case to nft_concat_range.sh selftest script. Thanks to Stefano Brivio for pointing out that we need to zero out the remainder explicitly, only correcting memset() argument isn't enough. Fixes: 3c4287f ("nf_tables: Add set type for arbitrary concatenation of ranges") Reported-by: Yi Chen <[email protected]> Cc: Stefano Brivio <[email protected]> Signed-off-by: Florian Westphal <[email protected]> Reviewed-by: Stefano Brivio <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 791a615) Signed-off-by: Marcin Wcisło <[email protected]>

jira VULN-71797 cve CVE-2025-38120 commit-author Florian Westphal <[email protected]> commit ea77c39 If the first field doesn't cover the entire start map, then we must zero out the remainder, else we leak those bits into the next match round map. The early fix was incomplete and did only fix up the generic C implementation. A followup patch adds a test case to nft_concat_range.sh. Fixes: 791a615 ("netfilter: nf_set_pipapo: fix initial map fill") Signed-off-by: Florian Westphal <[email protected]> Reviewed-by: Stefano Brivio <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit ea77c39) Signed-off-by: Marcin Wcisło <[email protected]>

pvts-mat · 2026-01-15T20:36:38Z

Small conflict in nft_pipapo_walk(), net/netfilter/nft_set_pipapo.c, between netfilter: nft_set_pipapo: constify lookup fn args where possible and netfilter: nft_set_pipapo: walk over current view on netlink dump from the recently merged #798. Added consts to m, f like f04df57 intended.

github-actions · 2026-01-15T22:18:02Z

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/21048295033

github-actions · 2026-01-15T22:18:03Z

🔍 Interdiff Analysis

⚠️ PR commit 90fc8bfa10a (netfilter: nf_tables: use timestamp to check for set element timeout) → upstream 7395dfacfff6
Differences found:

diff -u b/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
--- b/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1701,6 +1701,4 @@
 	return net_generic(net, nf_tables_net_id);
 }
 
-#define __NFT_REDUCE_READONLY	1UL
-#define NFT_REDUCE_READONLY	(void *)__NFT_REDUCE_READONLY
-
+#endif /* _NET_NF_TABLES_H */
@@ -1713,2 +1720,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 
+static inline u64 nft_net_tstamp(const struct net *net)
+{
+	return nft_pernet(net)->tstamp;
+}
+
 #endif /* _NET_NF_TABLES_H */
@@ -1798,6 +1805,11 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 	return net_generic(net, nf_tables_net_id);
 }
 
+static inline u64 nft_net_tstamp(const struct net *net)
+{
+	return nft_pernet(net)->tstamp;
+}
+
 #define __NFT_REDUCE_READONLY	1UL
 #define NFT_REDUCE_READONLY	(void *)__NFT_REDUCE_READONLY
 
diff -u b/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
--- b/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9236,7 +9236,7 @@
 	u64 tstamp = nft_net_tstamp(gc->net);
 	const struct nft_set *set = gc->set;
 	struct nft_elem_priv *elem_priv;
-	struct nft_set_ext *ext;
+	struct nft_set_elem elem;
 	list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
 		ext = nft_set_elem_ext(set, catchall->elem);
 
diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1566,4 +1566,4 @@
-{
+	struct nft_set *set = (struct nft_set *) _set;
 	struct nft_pipapo *priv = nft_set_priv(set);
 	struct net *net = read_pnet(&set->net);
 	u64 tstamp = nft_net_tstamp(net);
diff -u b/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
--- b/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -576,7 +576,18446744073709551607 @@
-			rbe_end = rbe;
-			continue;
-		}
-		if (!nft_set_elem_expired(&rbe->ext))
-			continue;
-
-		gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
@@ -626,6 +628,8 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 {
 	struct nft_rbtree *priv = nft_set_priv(set);
 	struct nft_rbtree_elem *rbe, *rbe_end = NULL;
+	struct net *net = read_pnet(&set->net);
+	u64 tstamp = nft_net_tstamp(net);
 	struct rb_node *node, *next;
 	struct nft_trans_gc *gc;
 	struct net *net;
@@ -628,7 +632,6 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 	struct nft_rbtree_elem *rbe, *rbe_end = NULL;
 	struct rb_node *node, *next;
 	struct nft_trans_gc *gc;
-	struct net *net;
 
 	set  = nft_set_container_of(priv);
 	net  = read_pnet(&set->net);
@@ -650,7 +653,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 			rbe_end = rbe;
 			continue;
 		}
-		if (!nft_set_elem_expired(&rbe->ext))
+		if (!__nft_set_elem_expired(&rbe->ext, tstamp))
 			continue;
 
 		gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);

⚠️ PR commit fe36ffa6bac (netfilter: nft_set_pipapo: constify lookup fn args where possible) → upstream f04df573faf9
Differences found:

diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -411,4 +411,4 @@
-	struct nft_pipapo_scratch *scratch;
+	struct nft_pipapo *priv = nft_set_priv(set);
 	unsigned long *res_map, *fill_map;
 	u8 genmask = nft_genmask_cur(net);
 	const struct nft_pipapo_match *m;
@@ -2024,8 +2024,8 @@
+			    struct nft_set_iter *iter)
 {
 	struct nft_pipapo *priv = nft_set_priv(set);
-	struct net *net = read_pnet(&set->net);
 	struct nft_pipapo_match *m;
 	struct nft_pipapo_field *f;
 	int i, r;
 
-	rcu_read_lock();
+	WARN_ON_ONCE(iter->type != NFT_ITER_READ &&
@@ -2027,8 +2029,8 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 			    struct nft_set_iter *iter)
 {
 	struct nft_pipapo *priv = nft_set_priv(set);
-	struct nft_pipapo_match *m;
-	struct nft_pipapo_field *f;
+	const struct nft_pipapo_match *m;
+	const struct nft_pipapo_field *f;
 	int i, r;
 
 	WARN_ON_ONCE(iter->type != NFT_ITER_READ &&
@@ -2041,8 +2043,8 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 {
 	struct nft_pipapo *priv = nft_set_priv(set);
 	struct net *net = read_pnet(&set->net);
-	struct nft_pipapo_match *m;
-	struct nft_pipapo_field *f;
+	const struct nft_pipapo_match *m;
+	const struct nft_pipapo_field *f;
 	int i, r;
 
 	rcu_read_lock();
diff -u b/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
--- b/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1061,3 +1061,3 @@
 {
-	unsigned long bsize = f->bsize;
+	unsigned long *lt = f->lt, bsize = f->bsize;
 	int i, ret = -1, b;
@@ -1133,8 +1146,6 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 	struct nft_pipapo_scratch *scratch;
 	u8 genmask = nft_genmask_cur(net);
 	const u8 *rp = (const u8 *)key;
-	struct nft_pipapo_match *m;
-	struct nft_pipapo_field *f;
 	unsigned long *res, *fill;
 	bool map_index;
 	int i, ret = 0;
@@ -1133,11 +1133,11 @@
 	struct nft_pipapo *priv = nft_set_priv(set);
-	struct nft_pipapo_scratch *scratch;
+	unsigned long *res, *fill, *scratch;
 	u8 genmask = nft_genmask_cur(net);
 	const struct nft_pipapo_match *m;
 	const struct nft_pipapo_field *f;
 	const u8 *rp = (const u8 *)key;
 	struct nft_pipapo_match *m;
 	struct nft_pipapo_field *f;
-	unsigned long *res, *fill;
 	bool map_index;
 	int i, ret = 0;
+
@@ -1138,8 +1151,6 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 	unsigned long *res, *fill, *scratch;
 	u8 genmask = nft_genmask_cur(net);
 	const u8 *rp = (const u8 *)key;
-	struct nft_pipapo_match *m;
-	struct nft_pipapo_field *f;
 	bool map_index;
 	int i, ret = 0;

⚠️ PR commit b2a021e169e (netfilter: nf_set_pipapo: fix initial map fill) → upstream 791a615b7ad2
Differences found:

diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -429,5 +429,5 @@
-	res_map  = scratch->map + (map_index ? m->bsize_max : 0);
-	fill_map = scratch->map + (map_index ? 0 : m->bsize_max);
+	res_map  = *raw_cpu_ptr(m->scratch) + (map_index ? m->bsize_max : 0);
+	fill_map = *raw_cpu_ptr(m->scratch) + (map_index ? 0 : m->bsize_max);
 
 	pipapo_resmap_init(m, res_map);
 
diff -u b/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
--- b/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1060,7 +1060,7 @@
 					const struct nft_pipapo_field *f,
 					int offset, const u8 *pkt,
 					bool first, bool last)
-	int i, ret = -1, b;
+	lt += offset * NFT_PIPAPO_LONGS_PER_M256;
 
 	if (first)
 		pipapo_resmap_init(mdata, map);

⚠️ PR commit 420b004b693 (netfilter: nf_set_pipapo_avx2: fix initial map fill) → upstream ea77c397bff8
Differences found:

diff -u b/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
--- b/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1182,5 +1182,5 @@
-	res  = scratch->map + (map_index ? m->bsize_max : 0);
-	fill = scratch->map + (map_index ? 0 : m->bsize_max);
+	res  = scratch + (map_index ? m->bsize_max : 0);
+	fill = scratch + (map_index ? 0 : m->bsize_max);
 
 	pipapo_resmap_init_avx2(m, res);

This is an automated interdiff check for backported commits.

github-actions · 2026-01-15T22:19:15Z

JIRA PR Check Results

5 commit(s) with issues found:

Commit `420b004b693e`

Summary: netfilter: nf_set_pipapo_avx2: fix initial map fill

⚠️ Warnings:

VULN-71797: No time logged - please log time manually

Commit `b2a021e169e0`

Summary: netfilter: nf_set_pipapo: fix initial map fill

⚠️ Warnings:

VULN-42212: No time logged - please log time manually

Commit `fe36ffa6bac8`

Summary: netfilter: nft_set_pipapo: constify lookup fn args where possible

⚠️ Warnings:

VULN-42212: No time logged - please log time manually

Commit `90fc8bfa10a0`

Summary: netfilter: nf_tables: use timestamp to check for set element timeout

⚠️ Warnings:

VULN-7048: No time logged - please log time manually

Commit `5d7d4212d48c`

Summary: netfilter: nft_set_rbtree: .deactivate fails if element has expired

⚠️ Warnings:

VULN-7048: No time logged - please log time manually

Summary: Checked 5 commit(s) total.

github-actions · 2026-01-15T22:19:16Z

✅ Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/21048295033

pvts-mat marked this pull request as ready for review January 8, 2026 14:01

PlaidCat previously approved these changes Jan 14, 2026

View reviewed changes

PlaidCat requested a review from a team January 14, 2026 14:17

pvts-mat force-pushed the ciqlts9_2-CVE-batch-16 branch from 5fc0e7e to e269437 Compare January 14, 2026 17:27

bmastbergen previously approved these changes Jan 14, 2026

View reviewed changes

pvts-mat added 5 commits January 15, 2026 21:16

pvts-mat dismissed stale reviews from bmastbergen and PlaidCat via 420b004 January 15, 2026 20:21

pvts-mat force-pushed the ciqlts9_2-CVE-batch-16 branch from e269437 to 420b004 Compare January 15, 2026 20:21

[LTS 9.2] netfilter: CVE-2024-27397, CVE-2024-57947, CVE-2025-38120 #803

Are you sure you want to change the base?

[LTS 9.2] netfilter: CVE-2024-27397, CVE-2024-57947, CVE-2025-38120 #803

Uh oh!

Conversation

pvts-mat commented Jan 8, 2026

Commits

CVE-2024-27397

CVE-2024-57947 (+ CVE-2025-38120)

kABI check: passed

Boot test: passed

Kselftests: passed

Reference

Patch

Comparison

Uh oh!

PlaidCat left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Jan 14, 2026

Uh oh!

github-actions bot commented Jan 14, 2026

🔍 Interdiff Analysis

Uh oh!

github-actions bot commented Jan 14, 2026

JIRA PR Check Results

Commit e2694379e9c7

Commit bd3db59e2e4f

Commit e8f0ad5dc97c

Commit 34e5e17a1fad

Commit 36de0c18e01b

Uh oh!

github-actions bot commented Jan 14, 2026

Uh oh!

PlaidCat commented Jan 14, 2026

🔍 Interdiff Analysis

Uh oh!

bmastbergen left a comment

Choose a reason for hiding this comment

Uh oh!

PlaidCat commented Jan 15, 2026

Uh oh!

pvts-mat commented Jan 15, 2026

Uh oh!

github-actions bot commented Jan 15, 2026

Uh oh!

github-actions bot commented Jan 15, 2026

🔍 Interdiff Analysis

Uh oh!

github-actions bot commented Jan 15, 2026

JIRA PR Check Results

Commit 420b004b693e

Commit b2a021e169e0

Commit fe36ffa6bac8

Commit 90fc8bfa10a0

Commit 5d7d4212d48c

Uh oh!

github-actions bot commented Jan 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

Commit `e2694379e9c7`

Commit `bd3db59e2e4f`

Commit `e8f0ad5dc97c`

Commit `34e5e17a1fad`

Commit `36de0c18e01b`

Commit `420b004b693e`

Commit `b2a021e169e0`

Commit `fe36ffa6bac8`

Commit `90fc8bfa10a0`

Commit `5d7d4212d48c`