From: Sashiko Review <sashiko@example.com> hulk inclusion category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15123 CVE: CVE-2026-45859 -------------------------------- Use KABI_EXTEND to fix kabi breakage of struct nf_conntrack_expect Fixes: dcb0f9aefdd6 ("netfilter: nf_conntrack_expect: restore helper propagation via expectation") Fixes: 02a3231b6d82 ("netfilter: nf_conntrack_expect: store netns and zone in expectation") Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com> --- include/net/netfilter/nf_conntrack_expect.h | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index 80f50fd0f7ad..6cb2e4048973 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h @@ -22,16 +22,10 @@ struct nf_conntrack_expect { /* Hash member */ struct hlist_node hnode; - /* Network namespace */ - possible_net_t net; - /* We expect this tuple, with the following mask */ struct nf_conntrack_tuple tuple; struct nf_conntrack_tuple_mask mask; -#ifdef CONFIG_NF_CONNTRACK_ZONES - struct nf_conntrack_zone zone; -#endif /* Usage count. */ refcount_t use; @@ -48,9 +42,6 @@ struct nf_conntrack_expect { /* Helper that created this expectation */ struct nf_conntrack_helper __rcu *helper; - /* Helper to assign to new connection */ - struct nf_conntrack_helper __rcu *assign_helper; - /* The conntrack of the master connection */ struct nf_conn *master; @@ -67,6 +58,13 @@ struct nf_conntrack_expect { #endif struct rcu_head rcu; +#ifdef CONFIG_NF_CONNTRACK_ZONES + KABI_EXTEND(struct nf_conntrack_zone zone) +#endif + /* Network namespace */ + KABI_EXTEND(possible_net_t net) + /* Helper to assign to new connection */ + KABI_EXTEND(struct nf_conntrack_helper __rcu *assign_helper) }; static inline struct net *nf_ct_exp_net(struct nf_conntrack_expect *exp) -- 2.43.0