28d0060632
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEjF9xRqF1emXiQiqU1w0aZmrPKyEFAmn9IKAACgkQ1w0aZmrP
KyF4kw/+NUCZ1C4dp1QlkhV4fQ6yrfkxmV34QTi1zy4lUPqDC/20T7DHc4klYNhP
28mI6jnfLUq94Qyp+jVLGMT+W/2O34sk8mdSnBsn6Cj4HxscY0cSyhXAKarr/Fb2
aYmWP5+rxYp0ZyIyU6ayK7pBQUeVqYtDvZ6WyUE49GU4bTjORyBKN4Xhett+wtPA
2THWq2KsUmOVJhtl6pyGBAgveZhDlCj9XH4C9pRNQbdcRoCUpMgFfhJEWrRPb8So
1yZf8b+3RaBwK6WGoiLGv5u8RfGkKCJ6u3PkKRYdrk3m1K1d9kVUGyNWPbbaG5zg
kwIOhI1xM740cpUo3pC0t/hDdWKCgSykS83zgMYtuesOUSh5330qMWpW+sHR12ya
9AH/4XzCrVlNdIsU5ffK0nXhTi/tu19ldW/L/yWDRycxDdprAQujdSUinH/bG7JR
tmQyVtX/kf6mUEzrZ7fqY44nJiNkkBZoLo4XVpCxTCExglPvs2ZTF/Npze7z7dkW
qXyXA77W0djmycIVjGbNxvKeXX8foZZfLI//CvF+OGHGgZ3/j/Vg2N59+wiO8N0s
Mxu2ME1o1q7DWlOLYbgvP2YPs5Zlcv2P3gpNh5kukntheky/Q5CtGQDX3LAUUJYv
j9nPz8OfYvW/4rzZgSiCYET2UJAkJe12DCOPiRhZcCt6s4LLCrE=
=i40t
-----END PGP SIGNATURE-----
Merge tag 'nf-26-05-08' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following batch contains Netfilter fixes for net:
1) Allow initial x_tables table replacement without emitting an audit
log message. Delay the register message until after hooks are wired up
to avoid unnecessary unregister logs during error unwinding.
2) Fix a NULL dereference by allocating hook ops before adding the
table to the per-netns list. Use `synchronize_rcu()` during error
unwinding to ensure the table stops processing packets before
teardown. Defer audit log register message until all operations
succeed.
3) Refactor xtables to use a single `xt_unregister_table_pre_exit`
function. Eliminate code duplication by centralizing table
unregistration logic within the xtables core. ebtables cannot be
changed due to incompatibility.
4) Unregister xtables templates before module removal. This prevents
a race condition where userspace instantiates a new table after the
pernet unreg removed the current table.
5) Add `xtables_unregister_table_exit` to fully unregister netfilter
tables during module removal. Unlink the table from dying lists,
then free hook operations.
6) Implement a two-stage removal scheme for ebtables following the
x_tables pattern. Assign table->ops while holding the ebt mutex to
prevent exposing partially-filled structures.
7) Fix ebtables module initialization race. Register the template last
in table initialization functions. Prevent table instantiation before
pernet operations are available.
8) Fix a race condition in x_tables module initialization. Ensure
pernet ops are fully set up before exposing the table to userspace.
9) Fix a race condition in ebtables module initialization, similar to
previous patch.
10) Restore propagation of helper to expected connection, this is a
fix-for-recent-fix.
11) Validate that the expectation tuple and mask netlink attributes are
present when adding expectation via nfqueue, this fixes a possible
null-ptr-deref.
12) Fix possible rare memleak in the SIP helper in case helper has been
detached from conntrack entry, from Li Xiasong.
13) Fix refcount leak in nft_ct when creating custom expectation, also
from Li Xiason.
Patches 1-9 from Florian Westphal.
10) Restore propagation of helper to expected connection, this is a
fix-for-recent-fix.
11) Check that tuple and mask netlink attributes are set when creating an
expectation via nfqueue.
* tag 'nf-26-05-08' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
netfilter: nft_ct: fix missing expect put in obj eval
netfilter: nf_conntrack_sip: get helper before allocating expectation
netfilter: ctnetlink: check tuple and mask in expectations created via nfqueue
netfilter: nf_conntrack_expect: restore helper propagation via expectation
netfilter: bridge: eb_tables: close module init race
netfilter: x_tables: close dangling table module init race
netfilter: ebtables: close dangling table module init race
netfilter: ebtables: move to two-stage removal scheme
netfilter: x_tables: add and use xtables_unregister_table_exit
netfilter: x_tables: unregister the templates first
netfilter: x_tables: add and use xt_unregister_table_pre_exit
netfilter: x_tables: allocate hook ops while under mutex
netfilter: x_tables: allow initial table replace without emitting audit log message
====================
Link: https://patch.msgid.link/20260507234509.603182-1-pablo@netfilter.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
||
|---|---|---|
| .. | ||
| acpi | ||
| asm-generic | ||
| clocksource | ||
| crypto | ||
| cxl | ||
| drm | ||
| dt-bindings | ||
| hyperv | ||
| keys | ||
| kunit | ||
| kvm | ||
| linux | ||
| math-emu | ||
| media | ||
| memory | ||
| misc | ||
| net | ||
| pcmcia | ||
| ras | ||
| rdma | ||
| rv | ||
| scsi | ||
| soc | ||
| sound | ||
| target | ||
| trace | ||
| uapi | ||
| ufs | ||
| vdso | ||
| video | ||
| xen | ||
| Kbuild | ||