From: Sun Jian
To: Florian Westphal
Cc: Pablo Neira Ayuso, netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org, Sun Jian
Subject: [PATCH v5] netfilter: annotate NAT helper hook pointers with __rcu
Date: Thu, 5 Feb 2026 20:30:17 +0800
Message-ID: <20260205123017.20152-1-sun.jian.kdev@gmail.com>

The NAT helper hook pointers are updated and dereferenced under RCU rules,
but lack the proper __rcu annotation.

This makes sparse report address space mismatches when the hooks are used
with rcu_dereference().

Add the missing __rcu annotations to the global hook pointer declarations
and definitions in Amanda, FTP, IRC, SNMP and TFTP.

No functional change intended.

Suggested-by: Florian Westphal
Signed-off-by: Sun Jian
---
v5:
  - Squash previous 5-patch series into a single patch (per Florian).
  - Fix parameter alignment in .h and .c files to match the opening
    parenthesis.

v4:
  - Extend the change from amanda to the other NAT helpers
    (ftp/irc/snmp/tftp).
  - Drop the proposed code simplification (typeof pattern).

v2:
  - Place __rcu annotation inside the pointer parentheses (per Florian).
  - Return to use standard rcu_dereference() instead of
    rcu_dereference_raw().

(no v3 posted)
---
 include/linux/netfilter/nf_conntrack_amanda.h | 12 ++++++------
 include/linux/netfilter/nf_conntrack_ftp.h    | 14 +++++++-------
 include/linux/netfilter/nf_conntrack_irc.h    | 12 ++++++------
 include/linux/netfilter/nf_conntrack_snmp.h   |  2 +-
 include/linux/netfilter/nf_conntrack_tftp.h   |  6 +++---
 net/netfilter/nf_conntrack_amanda.c           | 14 +++++++-------
 net/netfilter/nf_conntrack_ftp.c              | 14 +++++++-------
 net/netfilter/nf_conntrack_irc.c              | 13 +++++++------
 net/netfilter/nf_conntrack_snmp.c             |  8 ++++----
 net/netfilter/nf_conntrack_tftp.c             |  7 ++++---
 10 files changed, 52 insertions(+), 50 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_amanda.h b/include/linux/= netfilter/nf_conntrack_amanda.h index 6f0ac896fcc9..9f957598a9da 100644 --- a/include/linux/netfilter/nf_conntrack_amanda.h +++ b/include/linux/netfilter/nf_conntrack_amanda.h @@ -7,10 +7,10 @@ #include #include =20 -extern unsigned int (*nf_nat_amanda_hook)(struct sk_buff *skb, - enum ip_conntrack_info ctinfo, - unsigned int protoff, - unsigned int matchoff, - unsigned int matchlen, - struct nf_conntrack_expect *exp); +extern unsigned int (__rcu *nf_nat_amanda_hook)(struct sk_buff *skb, + enum ip_conntrack_info ctinfo, + unsigned int protoff, + unsigned int matchoff, + unsigned int matchlen, + struct nf_conntrack_expect *exp); #endif /* _NF_CONNTRACK_AMANDA_H */ diff --git a/include/linux/netfilter/nf_conntrack_ftp.h b/include/linux/net= filter/nf_conntrack_ftp.h index 0e38302820b9..939c847213b4 100644 
--- a/include/linux/netfilter/nf_conntrack_ftp.h +++ b/include/linux/netfilter/nf_conntrack_ftp.h @@ -26,11 +26,11 @@ struct nf_ct_ftp_master { =20 /* For NAT to hook in when we find a packet which describes what other * connection we should expect. */ -extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb, - enum ip_conntrack_info ctinfo, - enum nf_ct_ftp_type type, - unsigned int protoff, - unsigned int matchoff, - unsigned int matchlen, - struct nf_conntrack_expect *exp); +extern unsigned int (__rcu *nf_nat_ftp_hook)(struct sk_buff *skb, + enum ip_conntrack_info ctinfo, + enum nf_ct_ftp_type type, + unsigned int protoff, + unsigned int matchoff, + unsigned int matchlen, + struct nf_conntrack_expect *exp); #endif /* _NF_CONNTRACK_FTP_H */ diff --git a/include/linux/netfilter/nf_conntrack_irc.h b/include/linux/net= filter/nf_conntrack_irc.h index d02255f721e1..14ad5bfaad81 100644 --- a/include/linux/netfilter/nf_conntrack_irc.h +++ b/include/linux/netfilter/nf_conntrack_irc.h @@ -8,11 +8,11 @@ =20 #define IRC_PORT 6667 =20 -extern unsigned int (*nf_nat_irc_hook)(struct sk_buff *skb, - enum ip_conntrack_info ctinfo, - unsigned int protoff, - unsigned int matchoff, - unsigned int matchlen, - struct nf_conntrack_expect *exp); +extern unsigned int (__rcu *nf_nat_irc_hook)(struct sk_buff *skb, + enum ip_conntrack_info ctinfo, + unsigned int protoff, + unsigned int matchoff, + unsigned int matchlen, + struct nf_conntrack_expect *exp); =20 #endif /* _NF_CONNTRACK_IRC_H */ diff --git a/include/linux/netfilter/nf_conntrack_snmp.h b/include/linux/ne= tfilter/nf_conntrack_snmp.h index 87e4f33eb55f..99107e4f5234 100644 --- a/include/linux/netfilter/nf_conntrack_snmp.h +++ b/include/linux/netfilter/nf_conntrack_snmp.h @@ -5,7 +5,7 @@ #include #include =20 -extern int (*nf_nat_snmp_hook)(struct sk_buff *skb, +extern int (__rcu *nf_nat_snmp_hook)(struct sk_buff *skb, unsigned int protoff, struct nf_conn *ct, enum ip_conntrack_info ctinfo); 
diff --git a/include/linux/netfilter/nf_conntrack_tftp.h b/include/linux/ne= tfilter/nf_conntrack_tftp.h index dc4c1b9beac0..05c72d0bc98d 100644 --- a/include/linux/netfilter/nf_conntrack_tftp.h +++ b/include/linux/netfilter/nf_conntrack_tftp.h @@ -19,8 +19,8 @@ struct tftphdr { #define TFTP_OPCODE_ACK 4 #define TFTP_OPCODE_ERROR 5 =20 -extern unsigned int (*nf_nat_tftp_hook)(struct sk_buff *skb, - enum ip_conntrack_info ctinfo, - struct nf_conntrack_expect *exp); +extern unsigned int (__rcu *nf_nat_tftp_hook)(struct sk_buff *skb, + enum ip_conntrack_info ctinfo, + struct nf_conntrack_expect *exp); =20 #endif /* _NF_CONNTRACK_TFTP_H */ diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntra= ck_amanda.c index 7be4c35e4795..c0132559f6af 100644 --- a/net/netfilter/nf_conntrack_amanda.c +++ b/net/netfilter/nf_conntrack_amanda.c @@ -37,13 +37,13 @@ MODULE_PARM_DESC(master_timeout, "timeout for the maste= r connection"); module_param(ts_algo, charp, 0400); MODULE_PARM_DESC(ts_algo, "textsearch algorithm to use (default kmp)"); =20 -unsigned int (*nf_nat_amanda_hook)(struct sk_buff *skb, - enum ip_conntrack_info ctinfo, - unsigned int protoff, - unsigned int matchoff, - unsigned int matchlen, - struct nf_conntrack_expect *exp) - __read_mostly; +unsigned int (__rcu *nf_nat_amanda_hook)(struct sk_buff *skb, + enum ip_conntrack_info ctinfo, + unsigned int protoff, + unsigned int matchoff, + unsigned int matchlen, + struct nf_conntrack_expect *exp) + __read_mostly; EXPORT_SYMBOL_GPL(nf_nat_amanda_hook); =20 enum amanda_strings { diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_= ftp.c index 617f744a2e3a..5e00f9123c38 100644 --- a/net/netfilter/nf_conntrack_ftp.c +++ b/net/netfilter/nf_conntrack_ftp.c 
@@ -43,13 +43,13 @@ module_param_array(ports, ushort, &ports_c, 0400); static bool loose; module_param(loose, bool, 0600); =20 -unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb, - enum ip_conntrack_info ctinfo, - enum nf_ct_ftp_type type, - unsigned int protoff, - unsigned int matchoff, - unsigned int matchlen, - struct nf_conntrack_expect *exp); +unsigned int (__rcu *nf_nat_ftp_hook)(struct sk_buff *skb, + enum ip_conntrack_info ctinfo, + enum nf_ct_ftp_type type, + unsigned int protoff, + unsigned int matchoff, + unsigned int matchlen, + struct nf_conntrack_expect *exp); EXPORT_SYMBOL_GPL(nf_nat_ftp_hook); =20 static int try_rfc959(const char *, size_t, struct nf_conntrack_man *, diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_= irc.c index 5703846bea3b..b8e6d724acd1 100644 --- a/net/netfilter/nf_conntrack_irc.c +++ b/net/netfilter/nf_conntrack_irc.c @@ -30,12 +30,13 @@ static unsigned int dcc_timeout __read_mostly =3D 300; static char *irc_buffer; static DEFINE_SPINLOCK(irc_buffer_lock); =20 -unsigned int (*nf_nat_irc_hook)(struct sk_buff *skb, - enum ip_conntrack_info ctinfo, - unsigned int protoff, - unsigned int matchoff, - unsigned int matchlen, - struct nf_conntrack_expect *exp) __read_mostly; +unsigned int (__rcu *nf_nat_irc_hook)(struct sk_buff *skb, + enum ip_conntrack_info ctinfo, + unsigned int protoff, + unsigned int matchoff, + unsigned int matchlen, + struct nf_conntrack_expect *exp) + __read_mostly; EXPORT_SYMBOL_GPL(nf_nat_irc_hook); =20 #define HELPER_NAME "irc" diff --git a/net/netfilter/nf_conntrack_snmp.c b/net/netfilter/nf_conntrack= _snmp.c index daacf2023fa5..387dd6e58f88 100644 --- a/net/netfilter/nf_conntrack_snmp.c +++ b/net/netfilter/nf_conntrack_snmp.c 
@@ -25,10 +25,10 @@ static unsigned int timeout __read_mostly =3D 30; module_param(timeout, uint, 0400); MODULE_PARM_DESC(timeout, "timeout for master connection/replies in second= s"); =20 -int (*nf_nat_snmp_hook)(struct sk_buff *skb, - unsigned int protoff, - struct nf_conn *ct, - enum ip_conntrack_info ctinfo); +int (__rcu *nf_nat_snmp_hook)(struct sk_buff *skb, + unsigned int protoff, + struct nf_conn *ct, + enum ip_conntrack_info ctinfo); EXPORT_SYMBOL_GPL(nf_nat_snmp_hook); =20 static int snmp_conntrack_help(struct sk_buff *skb, unsigned int protoff, diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack= _tftp.c index 80ee53f29f68..89e9914e5d03 100644 --- a/net/netfilter/nf_conntrack_tftp.c +++ b/net/netfilter/nf_conntrack_tftp.c @@ -32,9 +32,10 @@ static unsigned int ports_c; module_param_array(ports, ushort, &ports_c, 0400); MODULE_PARM_DESC(ports, "Port numbers of TFTP servers"); =20 -unsigned int (*nf_nat_tftp_hook)(struct sk_buff *skb, - enum ip_conntrack_info ctinfo, - struct nf_conntrack_expect *exp) __read_mostly; +unsigned int (__rcu *nf_nat_tftp_hook)(struct sk_buff *skb, + enum ip_conntrack_info ctinfo, + struct nf_conntrack_expect *exp) + __read_mostly; EXPORT_SYMBOL_GPL(nf_nat_tftp_hook); =20 static int tftp_help(struct sk_buff *skb, --=20 2.43.0
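
Review bot: In the nf_conntrack_snmp.h hunk only the first line of the declaration changes; the three continuation parameters (`unsigned int protoff,` through `enum ip_conntrack_info ctinfo);`) stay as unchanged context, so they keep their old indentation while the opening parenthesis moves six columns to the right. The v5 changelog says parameter alignment was fixed in both .h and .c files, and the other four headers and nf_conntrack_snmp.c do re-indent every parameter line. Suggest re-indenting those three lines in nf_conntrack_snmp.h as well, or noting in the changelog why this header is left alone.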
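
Review bot: The five definitions in the .c hunks are each followed by `EXPORT_SYMBOL_GPL(...)`, so the code that sets, clears and calls these hooks lives outside the ten files in the diffstat, and none of it is touched here. Once the pointers carry `__rcu`, sparse checks every access to them, so any plain assignment or any read that does not go through rcu_dereference() would start producing a new address-space warning. Suggest stating in the commit message that sparse was rerun over the users of `nf_nat_amanda_hook`, `nf_nat_ftp_hook`, `nf_nat_irc_hook`, `nf_nat_snmp_hook` and `nf_nat_tftp_hook`, and that all writers already use rcu_assign_pointer() or RCU_INIT_POINTER(); that would also back the "No functional change intended" line.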