APPLIED: [SRU][J/N/P][PATCH 0/3] CVE-2025-38678

Edoardo Canepa edoardo.canepa at canonical.com
Fri Oct 10 11:05:45 UTC 2025


Applied to [J/N/P]/master-next. Thanks.

On 9/17/25 04:50, Ian Whitfield wrote:
> [Impact]
>
> netfilter: nf_tables: reject duplicate device on updates
>
> A chain/flowtable update with duplicated devices in the same batch is
> possible. Unfortunately, netdev event path only removes the first
> device that is found, leaving unregistered the hook of the duplicated
> device.
>
> Check if a duplicated device exists in the transaction batch, bail out
> with EEXIST in such case.
>
> WARNING is hit when unregistering the hook:
>
>   [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150
>   [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S                  6.16.0+ #170 PREEMPT(full)
>   [...]
>   [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150
>
> [Backport]
>
> All patches required a context adjustment around the missing commits 75e20bcdce24
> ("netfilter: nf_tables: Introduce functions freeing nft_hook objects") which
> added wrapper functions for kfree and 0741f5559354 ("netfilter: nf_tables: Fix
> percpu address space issues in nf_tables_api.c") which resolves warnings in a
> later version of the kernel but introduces no changes to the binary.
>
> Noble and Jammy required a small edit due to missing e169285f8c56 ("netfilter:
> nf_tables: do not store nft_ctx in transaction objects"). The edit just replaces
> `trans->table` with `trans->ctx.table`.
>
> Jammy only includes one of the two break commits, namely 78d9f48f7f44
> ("netfilter: nf_tables: add devices to existing flowtable"), so only flowtable
> updates needed to be fixed. Chain updates were left as-is for Jammy because the
> break commit b9703ed44ffb ("netfilter: nf_tables: support for adding new devices
> to an existing netdev chain") is not included.
>
> [Fix]
>
> Plucky:   backport
> Noble:    backport
> Jammy:    backport
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use nftables for network filtering, particularly
> with tables in the netdev family. An issue with this fix would be visible to the
> user as networking issues or kernel errors occurring after making updates to an
> existing flowtable or chain.
>
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: reject duplicate device on updates
>
>   net/netfilter/nf_tables_api.c | 30 ++++++++++++++++++++++++++++++
>   1 file changed, 30 insertions(+)
>
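As an added illustration of the hook problem the cover letter above describes (example code, not the kernel's or the patch's own; the hook list, the function names and the device names are assumptions), here is a userland C model in which a batch that names one device twice registers two hooks, the netdev unregister event drops only the first, and the batch check the fix adds rejects the duplicate with EEXIST:

```c
/* Added example, not the kernel's code: userland model of the hook
 * problem described above. A batch naming one device twice registers two
 * hooks, but the netdev event path removes only the first match and
 * leaves a stale hook. Device names are constructed. */
#include <errno.h>
#include <string.h>

#define MAX_HOOKS 16
struct hook_list { const char *dev[MAX_HOOKS]; int n; };

/* The check the fix adds: refuse a batch that names a device twice. */
int check_duplicate_device(const char *const *batch, int n)
{
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            if (strcmp(batch[i], batch[j]) == 0)
                return -EEXIST;
    return 0;
}

/* Pre-fix behaviour: one hook per batch entry, no duplicate check. */
void register_hooks(struct hook_list *hl, const char *const *batch, int n)
{
    for (int i = 0; i < n && hl->n < MAX_HOOKS; i++)
        hl->dev[hl->n++] = batch[i];
}

/* Models the netdev unregister event: drops only the FIRST hook for dev. */
void netdev_unregister_event(struct hook_list *hl, const char *dev)
{
    for (int i = 0; i < hl->n; i++) {
        if (strcmp(hl->dev[i], dev) != 0)
            continue;
        memmove(&hl->dev[i], &hl->dev[i + 1], (size_t)(hl->n - i - 1) * sizeof hl->dev[0]);
        hl->n--;
        return;
    }
}

/* Hooks still attached to dev; non-zero after the event means a stale hook. */
int stale_hooks_for(const struct hook_list *hl, const char *dev)
{
    int c = 0;
    for (int i = 0; i < hl->n; i++)
        c += strcmp(hl->dev[i], dev) == 0;
    return c;
}
```

With the duplicate batch `{ "eth0", "eth0" }`, `stale_hooks_for` still reports one hook after the unregister event, which is the stale entry the WARNING in the cover letter trips over; `check_duplicate_device` refuses that batch up front.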