From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com, fw@strlen.de,
horms@kernel.org
Subject: [PATCH net 0/8] Netfilter fixes for net
Date: Wed, 10 Jun 2026 18:16:20 +0200
Message-ID: <20260610161629.214092-1-pablo@netfilter.org>
Hi,
The following patchset contains Netfilter fixes for net:
1) Revalidate bridge ports, add missing NULL checks to fetch the bridge
device by the port. From Florian Westphal.
2) Fix netdevice refcount leak in the error path of nft_fwd hardware
offload function, also from Florian.
3) Unregister helper expectfn callback on conntrack helper module
removal, otherwise dangling pointer remains in place,
from Weiming Shi.
4) Fix possible pointer infoleak in getsockopt() IPT_SO_GET_ENTRIES,
from Kyle Zeng.
5) Validate that device MAC header is present before nf_syslog
accesses it. From Xiang Mei.
6-8) Three patches to address a possible infoleak of stale stack
data in three nf_tables expressions, due to a mismatch between the
_init() and _eval() functions, which is possible since 14fb07130c7d.
From Davide Ornaghi and Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-26-06-10
Thanks.
----------------------------------------------------------------
The following changes since commit 4aacf509e537a711fa71bca9f234e5eb6968850e:
net: mv643xx: fix OF node refcount (2026-06-04 18:40:31 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-26-06-10
for you to fetch changes up to c7d573551f9286100a055ef696cde6af54549677:
netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register (2026-06-10 18:00:32 +0200)
----------------------------------------------------------------
netfilter pull request 26-06-10
----------------------------------------------------------------
Davide Ornaghi (2):
netfilter: nft_fib: fix stale stack leak via the OIFNAME register
netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
Florian Westphal (3):
netfilter: revalidate bridge ports
netfilter: nf_tables_offload: drop device refcount on error
netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
Kyle Zeng (1):
netfilter: x_tables: avoid leaking percpu counter pointers
Weiming Shi (1):
netfilter: nf_conntrack: destroy stale expectfn expectations on unregister
Xiang Mei (1):
netfilter: nf_log: validate MAC header was set before dumping it
include/net/netfilter/nf_conntrack_helper.h | 1 +
net/bridge/netfilter/ebt_dnat.c | 4 +-
net/bridge/netfilter/ebt_redirect.c | 16 +++++---
net/bridge/netfilter/nft_meta_bridge.c | 2 +
net/ipv4/netfilter/arp_tables.c | 15 +++----
net/ipv4/netfilter/ip_tables.c | 15 +++----
net/ipv4/netfilter/nf_nat_h323.c | 2 +
net/ipv4/netfilter/nft_fib_ipv4.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 15 +++----
net/ipv6/netfilter/nft_fib_ipv6.c | 2 +-
net/netfilter/nf_conntrack_helper.c | 19 +++++++++
net/netfilter/nf_dup_netdev.c | 6 ++-
net/netfilter/nf_log_syslog.c | 4 +-
net/netfilter/nf_nat_core.c | 2 +
net/netfilter/nf_nat_sip.c | 1 +
net/netfilter/nfnetlink_log.c | 23 +++++++++--
net/netfilter/nfnetlink_queue.c | 64 +++++++++++++++++++++++++----
net/netfilter/nft_exthdr.c | 3 ++
net/netfilter/nft_fib.c | 6 +++
19 files changed, 151 insertions(+), 51 deletions(-)
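As an added illustration of the bug class behind items 6-8 (stale stack data reaching a register when _eval() writes fewer bytes than _init() declared), here is a userspace C model. It is constructed for this note and is not code from the patches or from the kernel: the 16-byte register width, the function names and the 0xAA "stale" fill pattern are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model, not kernel code: a fixed-width "register" slot of the
 * width an expression's _init() declares. 16 bytes is an assumption for
 * the example (an interface-name sized destination). */
#define REG_LEN 16

/* Model of a leaky _eval(): it copies a variable-length name into the
 * register but leaves the bytes after the terminator untouched, so they
 * keep whatever stale data the slot held before the expression ran. */
void eval_leaky(uint8_t reg[REG_LEN], const char *name)
{
    size_t n = strnlen(name, REG_LEN - 1);
    memcpy(reg, name, n);
    reg[n] = '\0';
}

/* Model of the fixed _eval(): the whole declared width is written first,
 * so no stale bytes survive regardless of the name length. */
void eval_fixed(uint8_t reg[REG_LEN], const char *name)
{
    size_t n;
    memset(reg, 0, REG_LEN);
    n = strnlen(name, REG_LEN - 1);
    memcpy(reg, name, n);
}

/* Detection helper: count bytes after the NUL terminator that still hold
 * the stale fill pattern. Anything above zero means the eval path left
 * uninitialised data in the register. */
int stale_bytes_after(const uint8_t reg[REG_LEN], uint8_t stale)
{
    int count = 0;
    size_t i;
    for (i = strnlen((const char *)reg, REG_LEN) + 1; i < REG_LEN; i++)
        if (reg[i] == stale)
            count++;
    return count;
}

/* Run one eval variant against a register pre-filled with a recognisable
 * pattern (simulating stale stack contents) and report the leaked count. */
int run_check(void (*eval)(uint8_t *, const char *), const char *name)
{
    uint8_t reg[REG_LEN];
    memset(reg, 0xAA, REG_LEN);     /* constructed stand-in for stale stack data */
    eval(reg, name);
    return stale_bytes_after(reg, 0xAA);
}

int main(void)
{
    /* "eth0" is 4 bytes + NUL, so a leaky eval leaves 11 stale bytes. */
    printf("leaky eval, stale bytes: %d\n", run_check(eval_leaky, "eth0"));
    printf("fixed eval, stale bytes: %d\n", run_check(eval_fixed, "eth0"));
    return 0;
}
```

The check is deliberately independent of what the name is: a name that fills the full width hides the leak in the leaky variant, which is exactly why the fix is to zero the entire declared width in _eval() rather than to rely on a particular input length.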