Commit db472c34a747 for kernel

commit db472c34a74770f39318ddb1efa986c0a8d5d86a
Merge: deec4f7b411a 8f15b5071b45
Author: Paolo Abeni <pabeni@redhat.com>
Date:   Thu Mar 26 15:38:14 2026 +0100

    Merge tag 'nf-26-03-26' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

    Pablo Neira Ayuso says:

    ====================
    Netfilter for net

    This is v3, I kept back an ipset fix and another to tighten the xtables
    interface to reject invalid combinations with the NFPROTO_ARP family.
    They need a bit more discussion. I fixed the issues reported by AI on
    patch 9 (add #ifdef to access ct zone, update nf_conntrack_broadcast)
    and patch 10 (use better Fixes: tag). Thanks!

    The following patchset contains Netfilter fixes for *net*.

    Note that most bugs fixed here stem from 2.6 days, the large PR is not
    due to an increase in regressions.

    1) Fix incorrect reject of set updates with nf_tables pipapo set
       avx2 backend.  This comes with a regression test in patch 2.
       From Florian Westphal.

    2) nfnetlink_log needs to zero padding to prevent infoleak to userspace,
       from Weiming Shi.

    3) xtables ip6t_rt module never validated that addrnr length is within the
       allowed array boundary. Reject bogus values.  From Ren Wei.

    4) Fix high memory usage in rbtree set backend that was an unwanted side-effect
       of the recently added binary search blob. From Pablo Neira Ayuso.

    5) Patches 5 to 10, also from Pablo, address long-standing RCU safety bugs
       in conntrack's handling of expectations: We can never safely deref
       a conntrack extension area without holding a reference. Yet expectation
       handling does so in multiple places.  Fix this by avoiding the need to
       look into the master conntrack to begin with and by extending locked
       sections in a few places.

    11) Fix use of uninitialized rtp_addr in the sip conntrack helper,
        also from Weiming Shi.

    12) Add stricter netlink policy checks in ctnetlink, from David Carlier.
        This avoids undefined behaviour when userspace provides huge wscale
        value.

    netfilter pull request 26-03-26

    * tag 'nf-26-03-26' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
      netfilter: ctnetlink: use netlink policy range checks
      netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
      netfilter: nf_conntrack_expect: skip expectations in other netns via proc
      netfilter: nf_conntrack_expect: store netns and zone in expectation
      netfilter: ctnetlink: ensure safe access to master conntrack
      netfilter: nf_conntrack_expect: use expect->helper
      netfilter: nf_conntrack_expect: honor expectation helper field
      netfilter: nft_set_rbtree: revisit array resize logic
      netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
      netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
      selftests: netfilter: nft_concat_range.sh: add check for flush+reload bug
      netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry
    ====================

    Link: https://patch.msgid.link/20260326125153.685915-1-pablo@netfilter.org
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>