Commit ead054054874 for kernel

commit ead054054874d7de4c1724e18c1adf90fdb5d7db
Merge: 14ad51036c57 329f0b9b48ee
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Wed Mar 11 19:12:59 2026 -0700

    Merge tag 'nf-26-03-10' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

    Florian Westphal says:

    ====================
    netfilter: updates for net

    Due to the large volume of backlogged patches it's unlikely I will make the
    2nd planned PR this week, so several legit fixes will be pushed back
    to next week.  Sorry for the inconvenience but I am out of ideas and
    alternatives.

    1) syzbot managed to add/remove devices to a flowtable, due to a bug in
       the flowtable netdevice notifier this gets us a double-add and
       eventually UaF when device is removed again (we only expect one
       entry, duplicate remains past net_device end-of-life).
       From Phil Sutter, bug added in 6.16.

    2) Yiming Qian reports another nf_tables transaction handling bug:
       in some cases error unwind fails to undo certain set elements,
       resulting in refcount underflow and use-after-free, bug added in 6.4.

    3) Jenny Guanni Qu found out-of-bounds read in pipapo set type.
       While the value is never used, it still rightfully triggers KASAN
       splats.  Bug exists since this set type was added in 5.6.

    4) a few x_tables modules contain copypastry tcp option parsing code which
       can read 1 byte past the option area.  This bug is ancient, fix from
       David Dull.

    5) nfnetlink_queue leaks kernel memory if userspace provides bad
       NFQA_VLAN/NFQA_L2HDR attributes.  From Hyunwoo Kim, bug stems
       from 4.7 days.

    6) nfnetlink_cthelper has incorrect loop restart logic which may result
       in reading one pointer past end of array. From 3.6 days, fix also from
       Hyunwoo Kim.

    7) xt_IDLETIMER v0 extension must reject working with timers added
       by revision v1, else we get list corruption. Bug added in v5.7.
       From Yifan Wu, Juefei Pu and Yuan Tan via Xin Lu.

    * tag 'nf-26-03-10' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
      netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
      netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
      netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
      netfilter: x_tables: guard option walkers against 1-byte tail reads
      netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
      netfilter: nf_tables: always walk all pending catchall elements
      netfilter: nf_tables: Fix for duplicate device in netdev hooks
    ====================

    Link: https://patch.msgid.link/20260310132050.630-1-fw@strlen.de
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
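
Item 4 of the message describes TCP option walkers that can read 1 byte past the option area. The block below is an added user-space illustration of that bug class and of a bounds guard for it; it is not the kernel code or the merged patch, and `walk_options`, `rd`, `max_idx` and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_MSS  2   /* option kind: Maximum Segment Size */
#define TCPOLEN_MSS 4   /* kind + length + two value bytes */

static size_t max_idx;  /* highest offset read during the last walk */

/* Instrumented read so the walk can report how far it reached. */
static uint8_t rd(const uint8_t *op, size_t i)
{
    if (i > max_idx)
        max_idx = i;
    return op[i];
}

/* Walk an option area of optlen bytes looking for MSS.
 * guarded == 0 reproduces the tail read; guarded == 1 never reads op[optlen].
 * Returns the MSS value, or -1 if no MSS option is found. */
static int walk_options(const uint8_t *op, size_t optlen, int guarded)
{
    size_t i = 0;

    max_idx = 0;
    while (i < optlen) {
        uint8_t kind = rd(op, i);

        /* EOL (0) and NOP (1) have no length byte; the guard also treats a
         * kind byte in the last slot as single-byte instead of reading on. */
        if (kind < 2 || (guarded && i + 1 >= optlen)) {
            i++;
            continue;
        }
        uint8_t len = rd(op, i + 1);    /* unguarded: can be op[optlen] */
        if (kind == TCPOPT_MSS && len == TCPOLEN_MSS && optlen - i >= TCPOLEN_MSS)
            return (rd(op, i + 2) << 8) | rd(op, i + 3);
        i += len ? len : 1;             /* a zero length must still advance */
    }
    return -1;
}

/* Constructed sample: 4-byte option area (NOP NOP NOP, kind 8 in the last
 * slot) followed by one neighbouring byte that is not part of the area. */
static const uint8_t sample[5] = { 1, 1, 1, 8, 0xAA };

int main(void)
{
    walk_options(sample, 4, 0);
    printf("unguarded: highest offset read = %zu\n", max_idx);
    walk_options(sample, 4, 1);
    printf("guarded:   highest offset read = %zu\n", max_idx);
    return 0;
}
```

The sample buffer carries one extra byte so the unguarded walk stays inside real memory while still showing that it reads offset 4 of a 4-byte option area.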