* [PATCH net 0/3] netfilter: updates for net
@ 2026-03-19 9:38 Florian Westphal
From: Florian Westphal @ 2026-03-19 9:38 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel, pablo
Hi,
The following patchset contains Netfilter fixes for *net*:
1) Fix UaF when netfilter bpf link goes away while nfnetlink dumps
current hook list; we have to wait until rcu readers are gone.
2) Fix UaF when flowtable fails to register all devices, similar
bug to 1). From Pablo Neira Ayuso.
3) nfnetlink_osf fails to properly validate option length fields.
From Weiming Shi.
Please, pull these changes from:
The following changes since commit 7c46bd845d89ad4772573cfe0f2a56b93db75cc7:
Merge tag 'wireless-2026-03-18' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless (2026-03-18 19:25:41 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-26-03-19
for you to fetch changes up to dbdfaae9609629a9569362e3b8f33d0a20fd783c:
nfnetlink_osf: validate individual option lengths in fingerprints (2026-03-19 10:27:07 +0100)
----------------------------------------------------------------
netfilter pull request nf-26-03-19
----------------------------------------------------------------
Florian Westphal (1):
netfilter: bpf: defer hook memory release until rcu readers are done
Pablo Neira Ayuso (1):
netfilter: nf_tables: release flowtable after rcu grace period on error
Weiming Shi (1):
nfnetlink_osf: validate individual option lengths in fingerprints
net/netfilter/nf_bpf_link.c | 2 +-
net/netfilter/nf_tables_api.c | 1 +
net/netfilter/nfnetlink_osf.c | 13 +++++++++++++
3 files changed, 15 insertions(+), 1 deletion(-)
--
2.52.0
* [PATCH net 1/3] netfilter: bpf: defer hook memory release until rcu readers are done
From: Florian Westphal @ 2026-03-19 9:38 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel, pablo
Yiming Qian reports a UaF when a concurrent process is dumping hooks via
nfnetlink_hooks:
BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
Read of size 8 at addr ffff888003edbf88 by task poc/79
Call Trace:
<TASK>
nfnl_hook_dump_one.isra.0+0xe71/0x10f0
netlink_dump+0x554/0x12b0
nfnl_hook_get+0x176/0x230
[..]
Defer release until after concurrent readers have completed.
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_bpf_link.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
index 6f3a6411f4af..c20031891b86 100644
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -170,7 +170,7 @@ static int bpf_nf_link_update(struct bpf_link *link, struct bpf_prog *new_prog,
static const struct bpf_link_ops bpf_nf_link_lops = {
.release = bpf_nf_link_release,
- .dealloc = bpf_nf_link_dealloc,
+ .dealloc_deferred = bpf_nf_link_dealloc,
.detach = bpf_nf_link_detach,
.show_fdinfo = bpf_nf_link_show_info,
.fill_link_info = bpf_nf_link_fill_link_info,
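Review bot: the changelog says "Defer release", but the hunk changes the .dealloc callback, not .release: bpf_nf_link_release stays as it is and only the freeing of the link moves to .dealloc_deferred, which the bpf core invokes after an RCU grace period instead of synchronously. Suggest the commit message say exactly that, e.g. "free the link via .dealloc_deferred so the memory outlives nfnl_hook_dump_one() readers still walking the hook list under RCU", and confirm that nothing in bpf_nf_link_dealloc needs to run synchronously now that it is called later and from the deferred path.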
--
2.52.0
* Re: [PATCH net 1/3] netfilter: bpf: defer hook memory release until rcu readers are done
From: patchwork-bot+netdevbpf @ 2026-03-19 14:50 UTC
To: Florian Westphal
Cc: netdev, pabeni, davem, edumazet, kuba, netfilter-devel, pablo
Hello:
This series was applied to netdev/net.git (main)
by Florian Westphal <fw@strlen.de>:
On Thu, 19 Mar 2026 10:38:32 +0100 you wrote:
> Yiming Qian reports UaF when concurrent process is dumping hooks via
> nfnetlink_hooks:
>
> BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
> Read of size 8 at addr ffff888003edbf88 by task poc/79
> Call Trace:
> <TASK>
> nfnl_hook_dump_one.isra.0+0xe71/0x10f0
> netlink_dump+0x554/0x12b0
> nfnl_hook_get+0x176/0x230
> [..]
>
> [...]
Here is the summary with links:
- [net,1/3] netfilter: bpf: defer hook memory release until rcu readers are done
https://git.kernel.org/netdev/net/c/24f90fa3994b
- [net,2/3] netfilter: nf_tables: release flowtable after rcu grace period on error
https://git.kernel.org/netdev/net/c/d73f4b53aaae
- [net,3/3] nfnetlink_osf: validate individual option lengths in fingerprints
https://git.kernel.org/netdev/net/c/dbdfaae96096
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* [PATCH net 2/3] netfilter: nf_tables: release flowtable after rcu grace period on error
From: Florian Westphal @ 2026-03-19 9:38 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel, pablo
From: Pablo Neira Ayuso <pablo@netfilter.org>
Call synchronize_rcu() after unregistering the hooks in the error path,
since a hook that refers to this flowtable may already be
registered, exposing this flowtable to the packet path and the nfnetlink_hook
control plane.
This error path is rare; it should only be hit by reaching the maximum
number of hooks or by failing to set up hardware offload, so just call
synchronize_rcu().
There is a check for device hooks already used by a different flowtable
that could result in EEXIST at this late stage. The hook parser can be
updated to perform this check earlier so that this error path really becomes
rarely exercised.
Uncovered by KASAN, reported as a use-after-free from the nfnetlink_hook path
when dumping hooks.
Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_tables_api.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 9b1c8d0a35fb..3922cff1bb3d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9203,6 +9203,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
return 0;
err_flowtable_hooks:
+ synchronize_rcu();
nft_trans_destroy(trans);
err_flowtable_trans:
nft_hooks_destroy(&flowtable->hook_list);
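Review bot: a bare synchronize_rcu() right after the err_flowtable_hooks label reads as magic without a comment; the hunk does not show where the hooks were registered or unregistered, so a one-line comment stating what it waits for (packet-path and nfnetlink_hook readers that may still see the already registered hooks, as the changelog explains) would help the next person touching this path. It would also make explicit the assumption the placement relies on: err_flowtable_trans, which skips the grace period, must only be reachable before any hook has been registered.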
--
2.52.0
* [PATCH net 3/3] nfnetlink_osf: validate individual option lengths in fingerprints
From: Florian Westphal @ 2026-03-19 9:38 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel, pablo
From: Weiming Shi <bestswngs@gmail.com>
nfnl_osf_add_callback() validates opt_num bounds and string
NUL-termination but does not check individual option length fields.
A zero-length option causes nf_osf_match_one() to enter the option
matching loop even when foptsize sums to zero, which matches packets
with no TCP options where ctx->optp is NULL:
Oops: general protection fault
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
nf_hook_slow (net/netfilter/core.c:623)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)
Additionally, an MSS option (kind=2) with length < 4 causes
out-of-bounds reads when nf_osf_match_one() unconditionally accesses
optp[2] and optp[3] for MSS value extraction. While RFC 9293
section 3.2 specifies that the MSS option is always exactly 4
bytes (Kind=2, Length=4), the check uses "< 4" rather than
"!= 4" because lengths greater than 4 do not cause memory
safety issues -- the buffer is guaranteed to be at least
foptsize bytes by the ctx->optsize == foptsize check.
Reject fingerprints where any option has zero length, or where an MSS
option has length less than 4, at add time rather than trusting these
values in the packet matching hot path.
Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nfnetlink_osf.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 94e3eac5743a..45d9ad231a92 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
{
struct nf_osf_user_finger *f;
struct nf_osf_finger *kf = NULL, *sf;
+ unsigned int tot_opt_len = 0;
int err = 0;
+ int i;
if (!capable(CAP_NET_ADMIN))
return -EPERM;
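Review bot: the new loop counter `i` is compared against f->opt_num in the next hunk; if opt_num is an unsigned field, declaring `i` as unsigned int (matching tot_opt_len) avoids a signed/unsigned comparison under -Wsign-compare. Minor style point only.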
@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
if (f->opt_num > ARRAY_SIZE(f->opt))
return -EINVAL;
+ for (i = 0; i < f->opt_num; i++) {
+ if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
+ return -EINVAL;
+ if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
+ return -EINVAL;
+
+ tot_opt_len += f->opt[i].length;
+ if (tot_opt_len > MAX_IPOPTLEN)
+ return -EINVAL;
+ }
+
if (!memchr(f->genre, 0, MAXGENRELEN) ||
!memchr(f->subtype, 0, MAXGENRELEN) ||
!memchr(f->version, 0, MAXGENRELEN))
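Review bot: the loop enforces two bounds the changelog does not mention, each option length and the running total are capped at MAX_IPOPTLEN; a sentence in the commit message (or a comment above the loop) saying that this keeps foptsize within the 40-byte option area, and therefore keeps the optp[] reads inside the buffer the ctx->optsize == foptsize check guarantees, would make the intent clear. The per-option `length > MAX_IPOPTLEN` test is subsumed by the running-total check in the same iteration, so either drop it or keep it with a comment marking it as an early-out. Rejecting at add time is the right layer: nfnl_osf_add_callback already requires CAP_NET_ADMIN and runs outside the packet path.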
--
2.52.0
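To make the changelog's reasoning concrete, here is an added user-space model (not code from the patch or the kernel) of the add-time check and of why a zero-length option reaches the NULL optp on an option-less packet. The struct layout, MODEL_MAX_OPTS and the two function names are assumptions of this model; the bounds MAX_IPOPTLEN and OSFOPT_MSS and the rejection rules come from the patch.

```c
#include <stdint.h>
#include <stddef.h>

#define MAX_IPOPTLEN   40  /* bound on the TCP option area, as in the patch */
#define OSFOPT_MSS     2   /* TCP option kind 2, maximum segment size */
#define MODEL_MAX_OPTS 8   /* model stand-in for ARRAY_SIZE(f->opt) */

struct osf_opt { uint8_t kind; uint8_t length; };
struct osf_finger { unsigned int opt_num; struct osf_opt opt[MODEL_MAX_OPTS]; };
/* Sum of the fingerprint's option lengths (foptsize in the changelog); the
 * hot path only walks the options when this equals the packet's option size. */
static unsigned int finger_optsize(const struct osf_finger *f)
{
	unsigned int i, sum = 0;

	for (i = 0; i < f->opt_num; i++)
		sum += f->opt[i].length;
	return sum;
}

/* Add-time validation modelled on the patch: 0 accepts, -1 rejects. */
int osf_validate_finger(const struct osf_finger *f)
{
	unsigned int i, tot_opt_len = 0;

	if (f->opt_num > MODEL_MAX_OPTS)
		return -1;
	for (i = 0; i < f->opt_num; i++) {
		if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
			return -1;          /* zero-length option */
		if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
			return -1;          /* MSS too short for optp[2], optp[3] */
		tot_opt_len += f->opt[i].length;
		if (tot_opt_len > MAX_IPOPTLEN)
			return -1;          /* option area larger than any packet */
	}
	return 0;
}

/* Model of the matching loop against a SYN with no TCP options (ctx->optp is
 * NULL, ctx->optsize is 0). Returns how many iterations would read through
 * that NULL pointer; a non-zero result is the fault from the changelog. */
unsigned int null_optp_reads_for(const struct osf_finger *f)
{
	const uint8_t *optp = NULL;    /* constructed: packet carries no options */
	unsigned int optsize = 0, i, reads = 0;

	if (optsize != finger_optsize(f))
		return 0;                  /* sizes differ, no per-option matching */
	for (i = 0; i < f->opt_num; i++)
		if (optp == NULL)          /* kernel would read optp[0], optp[1] here */
			reads++;
	return reads;
}
```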
* [PATCH net 0/3] netfilter: updates for net
@ 2025-10-29 13:56 Florian Westphal
From: Florian Westphal @ 2025-10-29 13:56 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel, pablo
Hi,
The following patchset contains Netfilter fixes for *net*:
1) It's not possible to attach conntrack labels via ctnetlink
unless one creates a dummy 'ct labels set' rule in nftables.
This is an oversight; the 'ruleset tests presence, userspace
(netlink) sets' use case is valid and should 'just work'.
Always broken since this got added in Linux 4.7.
2) nft_connlimit reads the count value without holding the relevant
lock; add a READ_ONCE annotation. From Fernando Fernandez Mancera.
3) There is a long-standing bug (since 4.12) in the nftables helper infra
when NAT is in use: if the helper gets assigned after the nat binding
was set up, we fail to initialise the 'seqadj' extension, which is
needed in case NAT payload rewrites need to add to (or remove from) the
packet payload. Fix from Andrii Melnychenko.
Please, pull these changes from:
The following changes since commit 8df206f7b63611dbaeb8628661d87fe994dcdf71:
Merge branch 'bug-fixes-for-the-hibmcge-ethernet-driver' (2025-10-28 19:11:07 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-10-29
for you to fetch changes up to 90918e3b6404c2a37837b8f11692471b4c512de2:
netfilter: nft_ct: add seqadj extension for natted connections (2025-10-29 14:47:59 +0100)
----------------------------------------------------------------
netfilter pull request nf-25-10-29
----------------------------------------------------------------
Andrii Melnychenko (1):
netfilter: nft_ct: add seqadj extension for natted connections
Fernando Fernandez Mancera (1):
netfilter: nft_connlimit: fix possible data race on connection count
Florian Westphal (1):
netfilter: nft_ct: enable labels for get case too
net/netfilter/nft_connlimit.c | 2 +-
net/netfilter/nft_ct.c | 30 +++++++++++++++++++++++++++---
2 files changed, 28 insertions(+), 4 deletions(-)
--
2.51.0
* [PATCH net 0/3] netfilter updates for net
@ 2023-09-20 8:41 Florian Westphal
From: Florian Westphal @ 2023-09-20 8:41 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel
Hello,
The following three patches fix regressions in the netfilter subsystem:
1. Reject attempts to repeatedly toggle the 'dormant' flag in a single
transaction. Doing so makes nf_tables lose track of the real state
vs. the desired state. This ends with an attempt to unregister hooks
that were never registered in the first place, which yields a splat.
2. Fix element counting in the new nftables garbage collection infra
that came with 6.5: more than 255 expired elements wraps a counter,
which results in a memory leak.
3. Since 6.4 ipset can BUG when a set is renamed while a CREATE command
is in progress, fix from Jozsef Kadlecsik.
The following changes since commit 4e4b1798cc90e376b8b61d0098b4093898a32227:
vxlan: Add missing entries to vxlan_get_size() (2023-09-20 09:00:54 +0100)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-09-20
for you to fetch changes up to 7433b6d2afd512d04398c73aa984d1e285be125b:
netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP (2023-09-20 10:35:24 +0200)
Florian Westphal (2):
netfilter: nf_tables: disable toggling dormant table state more than once
netfilter: nf_tables: fix memleak when more than 255 elements expired
Jozsef Kadlecsik (1):
netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP
include/net/netfilter/nf_tables.h | 2 +-
net/netfilter/ipset/ip_set_core.c | 12 ++++++++++--
net/netfilter/nf_tables_api.c | 14 ++++++++++++--
3 files changed, 23 insertions(+), 5 deletions(-)
--
2.41.0
* [PATCH net 0/3] netfilter updates for net
@ 2022-07-26 19:20 Florian Westphal
From: Florian Westphal @ 2022-07-26 19:20 UTC
To: netdev
Cc: Paolo Abeni, Jakub Kicinski, David S. Miller, Eric Dumazet,
Florian Westphal
Three late fixes for netfilter:
1) If an nf_queue user requests packet truncation below the size of the l3 header,
we corrupt the skb, then crash. Reject such requests.
2) Add cond_resched() calls when doing cycle detection in the
nf_tables graph. This avoids softlockup warnings with certain
rulesets.
3) Reject rulesets that use the nftables 'queue' expression in family/chain
combinations other than those that are supported. Currently the ruleset
will load, but when userspace attempts to reinject you get a WARN splat +
packet drops.
The following changes since commit 9b134b1694ec8926926ba6b7b80884ea829245a0:
bridge: Do not send empty IFLA_AF_SPEC attribute (2022-07-26 15:35:53 +0200)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
for you to fetch changes up to 47f4f510ad586032b85c89a0773fbb011d412425:
netfilter: nft_queue: only allow supported familes and hooks (2022-07-26 21:12:42 +0200)
----------------------------------------------------------------
Florian Westphal (3):
netfilter: nf_queue: do not allow packet truncation below transport header offset
netfilter: nf_tables: add rescheduling points during loop detection walks
netfilter: nft_queue: only allow supported familes and hooks
net/netfilter/nf_tables_api.c | 6 ++++++
net/netfilter/nfnetlink_queue.c | 7 ++++++-
net/netfilter/nft_queue.c | 27 +++++++++++++++++++++++++++
3 files changed, 39 insertions(+), 1 deletion(-)
--
2.35.1