From: syzbot <syzbot+d417922a3e7935517ef6@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] netfilter: nf_tables: fix use-after-free in nft_set_elem lookup
Date: Wed, 28 Jan 2026 05:15:02 -0800
Message-ID: <697a0bd6.a70a0220.9914.0000.GAE@google.com>
In-Reply-To: <6979fc44.050a0220.c9109.003b.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] netfilter: nf_tables: fix use-after-free in nft_set_elem lookup
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
Add an RCU read-side critical section in nft_get_set_elem() to protect
against concurrent element deletion by garbage collection.
The lookup path in nft_rbtree_get() dereferences set elements through
interval->from and interval->to pointers via nft_array_get_cmp().
These elements can be freed by nft_trans_gc_trans_free() running in
an RCU callback context while the lookup is in progress, leading to
a use-after-free.
The crash occurs in nft_array_get_cmp() when it calls nft_set_ext_key()
on a freed element:
BUG: KASAN: slab-use-after-free in nft_array_get_cmp+0x1f6/0x2a0
Protect the element lookup with rcu_read_lock()/rcu_read_unlock() to
ensure the RCU grace period extends until after we're done accessing
the element data. This prevents the GC callback from freeing elements
while they're being accessed.
Reported-by: syzbot+d417922a3e7935517ef6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d417922a3e7935517ef6
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
net/netfilter/nf_tables_api.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index be4924aeaf0e..57affe22e0bd 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6540,7 +6540,10 @@ static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set,
return err;
}
+ rcu_read_lock();
err = nft_setelem_get(ctx, set, &elem, flags);
+ rcu_read_unlock();
+
if (err < 0)
return err;
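Review bot: the critical section closes before the lookup result is used. `nft_setelem_get(ctx, set, &elem, flags)` fills `elem` with the looked-up element, and `rcu_read_unlock()` follows immediately, so every later dereference of `elem` in nft_get_set_elem() after the `if (err < 0)` check happens outside RCU protection and the GC free described in the changelog can still race with it; only the lookup itself is covered. Either move `rcu_read_unlock()` past the point where the element data has been fully consumed, or take the read lock in the caller that owns the whole lookup-and-use sequence (the later patch in this thread, "add missing RCU read lock in nf_tables_getsetelem", takes that direction). The changelog should also say why the lock this path already holds is not enough to keep the GC callback from freeing elements, since that is the premise of the fix.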
--
2.43.0
Thread overview: 5+ messages
2026-01-28 12:08 [syzbot] [netfilter?] KASAN: slab-use-after-free Read in nft_array_get_cmp syzbot
2026-01-28 13:15 ` syzbot [this message]
2026-01-28 13:40 ` Florian Westphal
2026-01-28 16:35 ` Florian Westphal
2026-01-28 14:54 ` Forwarded: [PATCH] netfilter: nf_tables: add missing RCU read lock in nf_tables_getsetelem syzbot