ACK: [SRU][J/N/P][PATCH 0/3] CVE-2025-38678
Manuel Diewald
manuel.diewald at canonical.com
Tue Oct 7 09:20:01 UTC 2025
On Tue, Sep 16, 2025 at 10:50:58PM -0400, Ian Whitfield wrote:
> [Impact]
>
> netfilter: nf_tables: reject duplicate device on updates
>
> A chain/flowtable update with duplicated devices in the same batch is
> possible. Unfortunately, netdev event path only removes the first
> device that is found, leaving unregistered the hook of the duplicated
> device.
>
> Check if a duplicated device exists in the transaction batch, bail out
> with EEXIST in such case.
>
> WARNING is hit when unregistering the hook:
>
> [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150
> [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)
> [...]
> [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150
>
> [Backport]
>
> All patches required a context adjustment around the missing commits 75e20bcdce24
> ("netfilter: nf_tables: Introduce functions freeing nft_hook objects") which
> added wrapper functions for kfree and 0741f5559354 ("netfilter: nf_tables: Fix
> percpu address space issues in nf_tables_api.c") which resolves warnings in a
> later version of the kernel but introduces no changes to the binary.
>
> Noble and Jammy required a small edit due to missing e169285f8c56 ("netfilter:
> nf_tables: do not store nft_ctx in transaction objects"). The edit just replaces
> `trans->table` with `trans->ctx.table`.
>
> Jammy only includes one of the two break commits, namely 78d9f48f7f44
> ("netfilter: nf_tables: add devices to existing flowtable"), so only flowtable
> updates needed to be fixed. Chain updates were left as-is for Jammy because the
> break commit b9703ed44ffb ("netfilter: nf_tables: support for adding new devices
> to an existing netdev chain") is not included.
>
> [Fix]
>
> Plucky: backport
> Noble: backport
> Jammy: backport
> Focal: not affected
> Bionic: not affected
> Xenial: not affected
> Trusty: not affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use nftables for network filtering, particularly
> with tables in the netdev family. An issue with this fix would be visible to the
> user as networking issues or kernel errors occurring after making updates to an
> existing flowtable or chain.
>
> Pablo Neira Ayuso (1):
> netfilter: nf_tables: reject duplicate device on updates
>
> net/netfilter/nf_tables_api.c | 30 ++++++++++++++++++++++++++++++
> 1 file changed, 30 insertions(+)
>
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Acked-by: Manuel Diewald <manuel.diewald at canonical.com>
--
Manuel