netfilter: annotate NAT helper hook pointers with __rcu
authorSun Jian <sun.jian.kdev@gmail.com>
Thu, 5 Feb 2026 12:30:17 +0000 (20:30 +0800)
committerFlorian Westphal <fw@strlen.de>
Tue, 17 Feb 2026 14:04:20 +0000 (15:04 +0100)
The NAT helper hook pointers are updated and dereferenced under RCU rules,
but lack the proper __rcu annotation.

This makes sparse report address space mismatches when the hooks are used
with rcu_dereference().

Add the missing __rcu annotations to the global hook pointer declarations
and definitions in Amanda, FTP, IRC, SNMP and TFTP.

No functional change intended.

Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
include/linux/netfilter/nf_conntrack_amanda.h
include/linux/netfilter/nf_conntrack_ftp.h
include/linux/netfilter/nf_conntrack_irc.h
include/linux/netfilter/nf_conntrack_snmp.h
include/linux/netfilter/nf_conntrack_tftp.h
net/netfilter/nf_conntrack_amanda.c
net/netfilter/nf_conntrack_ftp.c
net/netfilter/nf_conntrack_irc.c
net/netfilter/nf_conntrack_snmp.c
net/netfilter/nf_conntrack_tftp.c

index 6f0ac89..dfe89f3 100644 (file)
@@ -7,7 +7,7 @@
 #include <linux/skbuff.h>
 #include <net/netfilter/nf_conntrack_expect.h>
 
-extern unsigned int (*nf_nat_amanda_hook)(struct sk_buff *skb,
+extern unsigned int (__rcu *nf_nat_amanda_hook)(struct sk_buff *skb,
                                          enum ip_conntrack_info ctinfo,
                                          unsigned int protoff,
                                          unsigned int matchoff,
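Review bot: The `nf_nat_amanda_hook` declaration on the `+` line still has no comment stating the access rule that the new `__rcu` annotation implies, so a reader of the header has only the sparse attribute to go by. I would add above it `/* RCU-protected: read with rcu_dereference() inside an RCU read-side critical section; set with rcu_assign_pointer() or RCU_INIT_POINTER(). */`. The same applies to the IRC, SNMP and TFTP header hunks, and the existing comment in the FTP header could gain the same sentence. The declaration's parameter list continues past the end of this hunk.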
index 0e38302..f312926 100644 (file)
@@ -26,7 +26,7 @@ struct nf_ct_ftp_master {
 
 /* For NAT to hook in when we find a packet which describes what other
  * connection we should expect. */
-extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb,
+extern unsigned int (__rcu *nf_nat_ftp_hook)(struct sk_buff *skb,
                                       enum ip_conntrack_info ctinfo,
                                       enum nf_ct_ftp_type type,
                                       unsigned int protoff,
index d02255f..4f3ca56 100644 (file)
@@ -8,7 +8,7 @@
 
 #define IRC_PORT       6667
 
-extern unsigned int (*nf_nat_irc_hook)(struct sk_buff *skb,
+extern unsigned int (__rcu *nf_nat_irc_hook)(struct sk_buff *skb,
                                       enum ip_conntrack_info ctinfo,
                                       unsigned int protoff,
                                       unsigned int matchoff,
index 87e4f33..99107e4 100644 (file)
@@ -5,7 +5,7 @@
 #include <linux/netfilter.h>
 #include <linux/skbuff.h>
 
-extern int (*nf_nat_snmp_hook)(struct sk_buff *skb,
+extern int (__rcu *nf_nat_snmp_hook)(struct sk_buff *skb,
                                unsigned int protoff,
                                struct nf_conn *ct,
                                enum ip_conntrack_info ctinfo);
index dc4c1b9..1490b68 100644 (file)
@@ -19,7 +19,7 @@ struct tftphdr {
 #define TFTP_OPCODE_ACK                4
 #define TFTP_OPCODE_ERROR      5
 
-extern unsigned int (*nf_nat_tftp_hook)(struct sk_buff *skb,
+extern unsigned int (__rcu *nf_nat_tftp_hook)(struct sk_buff *skb,
                                        enum ip_conntrack_info ctinfo,
                                        struct nf_conntrack_expect *exp);
 
index 7be4c35..c013255 100644 (file)
@@ -37,13 +37,13 @@ MODULE_PARM_DESC(master_timeout, "timeout for the master connection");
 module_param(ts_algo, charp, 0400);
 MODULE_PARM_DESC(ts_algo, "textsearch algorithm to use (default kmp)");
 
-unsigned int (*nf_nat_amanda_hook)(struct sk_buff *skb,
-                                  enum ip_conntrack_info ctinfo,
-                                  unsigned int protoff,
-                                  unsigned int matchoff,
-                                  unsigned int matchlen,
-                                  struct nf_conntrack_expect *exp)
-                                  __read_mostly;
+unsigned int (__rcu *nf_nat_amanda_hook)(struct sk_buff *skb,
+                                        enum ip_conntrack_info ctinfo,
+                                        unsigned int protoff,
+                                        unsigned int matchoff,
+                                        unsigned int matchlen,
+                                        struct nf_conntrack_expect *exp)
+                                        __read_mostly;
 EXPORT_SYMBOL_GPL(nf_nat_amanda_hook);
 
 enum amanda_strings {
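Review bot: The `__rcu` annotation on the `nf_nat_amanda_hook` definition only pays off if every store to the pointer goes through the RCU accessors, and the code that sets and clears these hooks is not part of this diff. It is worth confirming that those writers use `rcu_assign_pointer()` or `RCU_INIT_POINTER()` rather than a plain assignment, since sparse will presumably flag a plain store now. The teardown path should also clear the hook and wait for a grace period (`synchronize_rcu()`) before the module providing the callback can go away, so that no packet-path reader calls into freed code. The same check applies to the FTP, IRC, SNMP and TFTP definitions in the hunks below. Nothing visible here indicates a problem; the hunks just do not show the writer side.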
index 617f744..5e00f91 100644 (file)
@@ -43,13 +43,13 @@ module_param_array(ports, ushort, &ports_c, 0400);
 static bool loose;
 module_param(loose, bool, 0600);
 
-unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb,
-                               enum ip_conntrack_info ctinfo,
-                               enum nf_ct_ftp_type type,
-                               unsigned int protoff,
-                               unsigned int matchoff,
-                               unsigned int matchlen,
-                               struct nf_conntrack_expect *exp);
+unsigned int (__rcu *nf_nat_ftp_hook)(struct sk_buff *skb,
+                                     enum ip_conntrack_info ctinfo,
+                                     enum nf_ct_ftp_type type,
+                                     unsigned int protoff,
+                                     unsigned int matchoff,
+                                     unsigned int matchlen,
+                                     struct nf_conntrack_expect *exp);
 EXPORT_SYMBOL_GPL(nf_nat_ftp_hook);
 
 static int try_rfc959(const char *, size_t, struct nf_conntrack_man *,
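Review bot: The re-indented `nf_nat_ftp_hook` definition is still without `__read_mostly`, while the Amanda, IRC and TFTP definitions touched by this commit all carry it; the `nf_nat_snmp_hook` definition further down has the same gap. For consistency the declarator could end with `struct nf_conntrack_expect *exp) __read_mostly;`. That changes where the pointer is placed in memory, so given the "No functional change intended" statement it arguably belongs in a separate follow-up patch.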
index 5703846..b8e6d72 100644 (file)
@@ -30,12 +30,13 @@ static unsigned int dcc_timeout __read_mostly = 300;
 static char *irc_buffer;
 static DEFINE_SPINLOCK(irc_buffer_lock);
 
-unsigned int (*nf_nat_irc_hook)(struct sk_buff *skb,
-                               enum ip_conntrack_info ctinfo,
-                               unsigned int protoff,
-                               unsigned int matchoff,
-                               unsigned int matchlen,
-                               struct nf_conntrack_expect *exp) __read_mostly;
+unsigned int (__rcu *nf_nat_irc_hook)(struct sk_buff *skb,
+                                     enum ip_conntrack_info ctinfo,
+                                     unsigned int protoff,
+                                     unsigned int matchoff,
+                                     unsigned int matchlen,
+                                     struct nf_conntrack_expect *exp)
+                                     __read_mostly;
 EXPORT_SYMBOL_GPL(nf_nat_irc_hook);
 
 #define HELPER_NAME "irc"
index daacf20..387dd6e 100644 (file)
@@ -25,10 +25,10 @@ static unsigned int timeout __read_mostly = 30;
 module_param(timeout, uint, 0400);
 MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds");
 
-int (*nf_nat_snmp_hook)(struct sk_buff *skb,
-                       unsigned int protoff,
-                       struct nf_conn *ct,
-                       enum ip_conntrack_info ctinfo);
+int (__rcu *nf_nat_snmp_hook)(struct sk_buff *skb,
+                             unsigned int protoff,
+                             struct nf_conn *ct,
+                             enum ip_conntrack_info ctinfo);
 EXPORT_SYMBOL_GPL(nf_nat_snmp_hook);
 
 static int snmp_conntrack_help(struct sk_buff *skb, unsigned int protoff,
index 80ee53f..89e9914 100644 (file)
@@ -32,9 +32,10 @@ static unsigned int ports_c;
 module_param_array(ports, ushort, &ports_c, 0400);
 MODULE_PARM_DESC(ports, "Port numbers of TFTP servers");
 
-unsigned int (*nf_nat_tftp_hook)(struct sk_buff *skb,
-                                enum ip_conntrack_info ctinfo,
-                                struct nf_conntrack_expect *exp) __read_mostly;
+unsigned int (__rcu *nf_nat_tftp_hook)(struct sk_buff *skb,
+                                      enum ip_conntrack_info ctinfo,
+                                      struct nf_conntrack_expect *exp)
+                                      __read_mostly;
 EXPORT_SYMBOL_GPL(nf_nat_tftp_hook);
 
 static int tftp_help(struct sk_buff *skb,