From: syzbot <syzbot+d417922a3e7935517ef6@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] netfilter: nf_tables: fix use-after-free in nft_set_elem lookup
Date: Wed, 28 Jan 2026 05:15:02 -0800 [thread overview]
Message-ID: <697a0bd6.a70a0220.9914.0000.GAE@google.com> (raw)
In-Reply-To: <6979fc44.050a0220.c9109.003b.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] netfilter: nf_tables: fix use-after-free in nft_set_elem lookup
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
Add RCU read-side critical section in nft_get_set_elem() to protect
against concurrent element deletion by garbage collection.
The lookup path in nft_rbtree_get() dereferences set elements through
interval->from and interval->to pointers via nft_array_get_cmp().
These elements can be freed by nft_trans_gc_trans_free() running in
an RCU callback context while the lookup is in progress, leading to
a use-after-free.
The crash occurs in nft_array_get_cmp() when it calls nft_set_ext_key()
on a freed element:
BUG: KASAN: slab-use-after-free in nft_array_get_cmp+0x1f6/0x2a0
Protect the element lookup with rcu_read_lock()/rcu_read_unlock() to
ensure the RCU grace period extends until after we're done accessing
the element data. This prevents the GC callback from freeing elements
while they're being accessed.
Reported-by: syzbot+d417922a3e7935517ef6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d417922a3e7935517ef6
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
net/netfilter/nf_tables_api.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index be4924aeaf0e..57affe22e0bd 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6540,7 +6540,10 @@ static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set,
return err;
}
+ rcu_read_lock();
err = nft_setelem_get(ctx, set, &elem, flags);
+ rcu_read_unlock();
+
if (err < 0)
return err;
--
2.43.0
next prev parent reply other threads:[~2026-01-28 13:15 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-28 12:08 [syzbot] [netfilter?] KASAN: slab-use-after-free Read in nft_array_get_cmp syzbot
2026-01-28 13:15 ` syzbot [this message]
2026-01-28 13:40 ` Florian Westphal
2026-01-28 16:35 ` Florian Westphal
2026-01-28 14:54 ` Forwarded: [PATCH] netfilter: nf_tables: add missing RCU read lock in nf_tables_getsetelem syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=697a0bd6.a70a0220.9914.0000.GAE@google.com \
--to=syzbot+d417922a3e7935517ef6@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox