[PATCH net 10/10] netfilter: nf_tables: fix use-after-free in nf_tables_addchain()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	<netfilter-devel@vger.kernel.org>,
	pablo@netfilter.org
Subject: [PATCH net 10/10] netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
Date: Tue, 17 Feb 2026 17:32:33 +0100	[thread overview]
Message-ID: <20260217163233.31455-11-fw@strlen.de> (raw)
In-Reply-To: <20260217163233.31455-1-fw@strlen.de>

From: Inseo An <y0un9sa@gmail.com>

nf_tables_addchain() publishes the chain to table->chains via
list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
If nf_tables_register_hook() then fails, the error path calls
nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
with no RCU grace period in between.

This creates two use-after-free conditions:

 1) Control-plane: nf_tables_dump_chains() traverses table->chains
    under rcu_read_lock(). A concurrent dump can still be walking
    the chain when the error path frees it.

 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly
    installs the IPv4 hook before IPv6 registration fails.  Packets
    entering nft_do_chain() via the transient IPv4 hook can still be
    dereferencing chain->blob_gen_X when the error path frees the
    chain.

Add synchronize_rcu() between nft_chain_del() and the chain destroy
so that all RCU readers -- both dump threads and in-flight packet
evaluation -- have finished before the chain is freed.

Fixes: 91c7b38dc9f0 ("netfilter: nf_tables: use new transaction infrastructure to handle chain")
Signed-off-by: Inseo An <y0un9sa@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_tables_api.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 819056ea1ce1..0c5a4855b97d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2823,6 +2823,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 policy,
 
 err_register_hook:
 	nft_chain_del(chain);
+	synchronize_rcu();
 err_chain_add:
 	nft_trans_destroy(trans);
 err_trans:
-- 
2.52.0

     prev parent reply	other threads:[~2026-02-17 16:33 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-17 16:32 [PATCH net 00/10] netfilter: updates for net Florian Westphal
2026-02-17 16:32 ` [PATCH net 01/10] netfilter: annotate NAT helper hook pointers with __rcu Florian Westphal
2026-02-19  1:20   ` patchwork-bot+netdevbpf
2026-02-17 16:32 ` [PATCH net 02/10] netfilter: nft_counter: serialize reset with spinlock Florian Westphal
2026-02-17 16:32 ` [PATCH net 03/10] netfilter: nft_quota: use atomic64_xchg for reset Florian Westphal
2026-02-17 16:32 ` [PATCH net 04/10] netfilter: nf_tables: revert commit_mutex usage in reset path Florian Westphal
2026-02-17 16:32 ` [PATCH net 05/10] netfilter: nf_conntrack_h323: don't pass uninitialised l3num value Florian Westphal
2026-02-17 16:32 ` [PATCH net 06/10] include: uapi: netfilter_bridge.h: Cover for musl libc Florian Westphal
2026-02-17 16:32 ` [PATCH net 07/10] ipvs: skip ipv6 extension headers for csum checks Florian Westphal
2026-02-17 16:32 ` [PATCH net 08/10] ipvs: do not keep dest_dst if dev is going down Florian Westphal
2026-02-17 16:32 ` [PATCH net 09/10] net: remove WARN_ON_ONCE when accessing forward path array Florian Westphal
2026-02-17 16:32 ` Florian Westphal [this message]

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:819056ea1ce dfblob:0c5a4855b97 )
 OR (
bs:"[PATCH net 10/10] netfilter: nf_tables: fix use-after-free in nf_tables_addchain()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260217163233.31455-11-fw@strlen.de \
    --to=fw@strlen.de \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.