[PATCH net 0/8] Netfilter fixes for net
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: 2026-06-10 16:16:35
Also in:
netfilter-devel
Hi,
The following patchset contains Netfilter fixes for net:
1) Revalidate bridge ports, add missing NULL checks to fetch the bridge
device by the port. From Florian Westphal.
2) Fix netdevice refcount leak in the error path of nft_fwd hardware
offload function, also from Florian.
3) Unregister helper expectfn callback on conntrack helper module
removal, otherwise dangling pointer remains in place,
from Weiming Shi.
4) Fix possible pointer infoleak in getsockopt() IPT_SO_GET_ENTRIES,
From Kyle Zeng.
5) Validate that device MAC header is present before nf_syslog
accesses it. From Xiang Mei.
6-8) Three patches to address a possible infoleak of stale stack
data in three nf_tables expressions, due to mismatch in the
_init() and _eval() function which is possible since 14fb07130c7d.
From Davide Ornaghi and Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-26-06-10
Thanks.
----------------------------------------------------------------
The following changes since commit 4aacf509e537a711fa71bca9f234e5eb6968850e:
net: mv643xx: fix OF node refcount (2026-06-04 18:40:31 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-26-06-10
for you to fetch changes up to c7d573551f9286100a055ef696cde6af54549677:
netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register (2026-06-10 18:00:32 +0200)
----------------------------------------------------------------
netfilter pull request 26-06-10
----------------------------------------------------------------
Davide Ornaghi (2):
netfilter: nft_fib: fix stale stack leak via the OIFNAME register
netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
Florian Westphal (3):
netfilter: revalidate bridge ports
netfilter: nf_tables_offload: drop device refcount on error
netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
Kyle Zeng (1):
netfilter: x_tables: avoid leaking percpu counter pointers
Weiming Shi (1):
netfilter: nf_conntrack: destroy stale expectfn expectations on unregister
Xiang Mei (1):
netfilter: nf_log: validate MAC header was set before dumping it
include/net/netfilter/nf_conntrack_helper.h | 1 +
net/bridge/netfilter/ebt_dnat.c | 4 +-
net/bridge/netfilter/ebt_redirect.c | 16 +++++---
net/bridge/netfilter/nft_meta_bridge.c | 2 +
net/ipv4/netfilter/arp_tables.c | 15 +++----
net/ipv4/netfilter/ip_tables.c | 15 +++----
net/ipv4/netfilter/nf_nat_h323.c | 2 +
net/ipv4/netfilter/nft_fib_ipv4.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 15 +++----
net/ipv6/netfilter/nft_fib_ipv6.c | 2 +-
net/netfilter/nf_conntrack_helper.c | 19 +++++++++
net/netfilter/nf_dup_netdev.c | 6 ++-
net/netfilter/nf_log_syslog.c | 4 +-
net/netfilter/nf_nat_core.c | 2 +
net/netfilter/nf_nat_sip.c | 1 +
net/netfilter/nfnetlink_log.c | 23 +++++++++--
net/netfilter/nfnetlink_queue.c | 64 +++++++++++++++++++++++++----
net/netfilter/nft_exthdr.c | 3 ++
net/netfilter/nft_fib.c | 6 +++
19 files changed, 151 insertions(+), 51 deletions(-)