CVE-2025-71160
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 23/01/2026
Last modified: 23/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: avoid chain re-validation if possible

Hamza Mahfooz reports cpu soft lock-ups in
nft_chain_validate():

watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547]
[..]
RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables]
[..]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_table_validate+0x6b/0xb0 [nf_tables]
nf_tables_validate+0x8b/0xa0 [nf_tables]
nf_tables_commit+0x1df/0x1eb0 [nf_tables]
[..]

Currently nf_tables will traverse the entire table (chain graph), starting
from the entry points (base chains), exploring all possible paths
(chain jumps). But there are cases where we could avoid revalidation.

Consider:
1 input -> j2 -> j3
2 input -> j2 -> j3
3 input -> j1 -> j2 -> j3

Then the second rule does not need to revalidate j2, and, by extension, j3,
because this was already checked during validation of the first rule.
We need to validate it only for rule 3.

This is needed because chain loop detection also ensures we do not exceed
the jump stack: just because we know that j2 is cycle free, its last jump
might now exceed the allowed stack size. We also need to update all
reachable chains with the new largest observed call depth.

Care has to be taken to revalidate even if the chain depth won't be an
issue: chain validation also ensures that expressions are not called from
invalid base chains. For example, the masquerade expression can only be
called from NAT postrouting base chains.

Therefore we also need to keep record of the base chain context (type,
hooknum) and revalidate if the chain becomes reachable from a different
hook location.
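The skip condition the commit describes can be illustrated with a small model of the chain-graph walk. This is an added example, not kernel code: chains are dictionaries, the jump-stack limit and the table of which expression is allowed from which (type, hook) base context are constructed for the model, and a chain is only re-walked when it is reached from a different base context or at a greater depth than before.

```python
# Added model (not kernel code) of the nf_tables chain-graph validation the
# commit message describes: walk every jump path from each base chain, reject
# loops and jump-stack overflows, check that expressions such as masquerade
# are only reachable from an allowed base-chain context, and skip re-walking a
# chain already validated from the same context at an equal or greater depth.
MAX_JUMP_STACK = 16            # assumed limit for this model

# expression -> allowed (chain type, hook) base contexts; constructed table
ALLOWED = {"masquerade": {("nat", "postrouting")}}


class Validator:
    def __init__(self, chains):
        self.chains = chains   # name -> {"jumps": [...], "exprs": [...]}
        self.seen = {}         # (chain, base ctx) -> largest depth validated at
        self.visits = 0        # number of per-chain validations actually run

    def run(self, base_chains):
        """base_chains: list of (chain name, (type, hook)). Returns error or None."""
        try:
            for name, ctx in base_chains:
                self._validate(name, ctx, depth=0, path=())
        except ValueError as err:
            return str(err)
        return None

    def _validate(self, name, ctx, depth, path):
        if name in path:
            raise ValueError(f"chain loop via {name}")
        if depth > MAX_JUMP_STACK:
            raise ValueError(f"jump stack exceeded at {name}")
        # Already validated from this base context at this depth or deeper:
        # everything reachable from here was covered with a larger budget.
        if self.seen.get((name, ctx), -1) >= depth:
            return
        self.seen[(name, ctx)] = depth   # record the new largest observed depth
        self.visits += 1
        chain = self.chains[name]
        for expr in chain["exprs"]:
            if expr in ALLOWED and ctx not in ALLOWED[expr]:
                raise ValueError(f"{expr} not allowed from {ctx}")
        for target in chain["jumps"]:
            self._validate(target, ctx, depth + 1, path + (name,))


def commit_example():
    """The three rules from the commit message; returns (error, chain walks)."""
    chains = {"input": {"jumps": ["j2", "j2", "j1"], "exprs": []},
              "j1": {"jumps": ["j2"], "exprs": []},
              "j2": {"jumps": ["j3"], "exprs": []},
              "j3": {"jumps": [], "exprs": []}}
    v = Validator(chains)
    return v.run([("input", ("filter", "input"))]), v.visits
```

For the three rules in the commit message the model walks six chains instead of eight: rule 2 skips j2 and j3, while rule 3 re-walks them because j1 now reaches them one level deeper.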