Dev news

Commit 284f1f176f29 for kernel

commit 284f1f176f29ef0db4be806e3255b7154b250c92
Merge: 0da1dba72616 71e99ee20fc3
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Wed Feb 18 17:09:30 2026 -0800

    Merge tag 'nf-26-02-17' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

    Florian Westphal says:

    ====================
    netfilter: updates for net

    The following patchset contains Netfilter fixes for *net*:

    1) Add missing __rcu annotations to NAT helper hook pointers in Amanda,
       FTP, IRC, SNMP and TFTP helpers.  From Sun Jian.

    2-4):
     - Add global spinlock to serialize nft_counter fetch+reset operations.
     - Use atomic64_xchg() for nft_quota reset instead of read+subtract pattern.
       Note AI review detects a race in this change but it isn't new. The
       'racing' bit only exists to prevent constant stream of 'quota expired'
       notifications.
     - Revert commit_mutex usage in nf_tables reset path, it caused
       circular lock dependency.  All from Brian Witte.

    5) Fix uninitialized l3num value in nf_conntrack_h323 helper.

    6) Fix musl libc compatibility in netfilter_bridge.h UAPI header. This
       change isn't nice (UAPI headers should not include libc headers), but
       as-is musl builds may fail due to redefinition of struct ethhdr.

    7) Fix protocol checksum validation in IPVS for IPv6 with extension headers,
       from Julian Anastasov.

    8) Fix device reference leak in IPVS when netdev goes down. Also from
       Julian.

    9) Remove WARN_ON_ONCE when accessing forward path array, this can
       trigger with sufficiently long forward paths.  From Pablo Neira Ayuso.

    10) Fix use-after-free in nf_tables_addchain() error path, from Inseo An.

    * tag 'nf-26-02-17' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
      netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
      net: remove WARN_ON_ONCE when accessing forward path array
      ipvs: do not keep dest_dst if dev is going down
      ipvs: skip ipv6 extension headers for csum checks
      include: uapi: netfilter_bridge.h: Cover for musl libc
      netfilter: nf_conntrack_h323: don't pass uninitialised l3num value
      netfilter: nf_tables: revert commit_mutex usage in reset path
      netfilter: nft_quota: use atomic64_xchg for reset
      netfilter: nft_counter: serialize reset with spinlock
      netfilter: annotate NAT helper hook pointers with __rcu
    ====================

    Link: https://patch.msgid.link/20260217163233.31455-1-fw@strlen.de
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>