* [PATCH net 0/3] netfilter: updates for net
From: Florian Westphal @ 2026-03-19 9:38 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel, pablo
Hi,
The following patchset contains Netfilter fixes for *net*:
1) Fix UaF when the netfilter bpf link goes away while nfnetlink dumps
the current hook list; we have to wait until rcu readers are gone.
2) Fix UaF when the flowtable fails to register all devices, a bug
similar to 1). From Pablo Neira Ayuso.
3) nfnetlink_osf fails to properly validate option length fields.
From Weiming Shi.
Please, pull these changes from:
The following changes since commit 7c46bd845d89ad4772573cfe0f2a56b93db75cc7:
Merge tag 'wireless-2026-03-18' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless (2026-03-18 19:25:41 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-26-03-19
for you to fetch changes up to dbdfaae9609629a9569362e3b8f33d0a20fd783c:
nfnetlink_osf: validate individual option lengths in fingerprints (2026-03-19 10:27:07 +0100)
----------------------------------------------------------------
netfilter pull request nf-26-03-19
----------------------------------------------------------------
Florian Westphal (1):
netfilter: bpf: defer hook memory release until rcu readers are done
Pablo Neira Ayuso (1):
netfilter: nf_tables: release flowtable after rcu grace period on error
Weiming Shi (1):
nfnetlink_osf: validate individual option lengths in fingerprints
net/netfilter/nf_bpf_link.c | 2 +-
net/netfilter/nf_tables_api.c | 1 +
net/netfilter/nfnetlink_osf.c | 13 +++++++++++++
3 files changed, 15 insertions(+), 1 deletion(-)
--
2.52.0
* [PATCH net 1/3] netfilter: bpf: defer hook memory release until rcu readers are done
From: Florian Westphal @ 2026-03-19 9:38 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel, pablo
Yiming Qian reports a UaF when a concurrent process is dumping hooks via
nfnetlink_hooks:
BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
Read of size 8 at addr ffff888003edbf88 by task poc/79
Call Trace:
<TASK>
nfnl_hook_dump_one.isra.0+0xe71/0x10f0
netlink_dump+0x554/0x12b0
nfnl_hook_get+0x176/0x230
[..]
Defer release until after concurrent readers have completed.
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_bpf_link.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
index 6f3a6411f4af..c20031891b86 100644
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -170,7 +170,7 @@ static int bpf_nf_link_update(struct bpf_link *link, struct bpf_prog *new_prog,
static const struct bpf_link_ops bpf_nf_link_lops = {
.release = bpf_nf_link_release,
- .dealloc = bpf_nf_link_dealloc,
+ .dealloc_deferred = bpf_nf_link_dealloc,
.detach = bpf_nf_link_detach,
.show_fdinfo = bpf_nf_link_show_info,
.fill_link_info = bpf_nf_link_fill_link_info,
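Review bot: the commit message does not say which RCU flavour the concurrent reader relies on, so a reviewer cannot check from this hunk alone that .dealloc_deferred waits for the right grace period; since the KASAN report names nfnl_hook_dump_one() as the reader, please state in the message under which RCU read-side lock that dump walks the hook list and that the deferred dealloc path defers the free past that grace period. A short comment next to the .dealloc_deferred member ("hook list is walked under RCU by nfnetlink_hook") would keep the reason visible to the next person editing bpf_nf_link_lops.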
--
2.52.0
* [PATCH net 2/3] netfilter: nf_tables: release flowtable after rcu grace period on error
From: Florian Westphal @ 2026-03-19 9:38 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel, pablo
From: Pablo Neira Ayuso <pablo@netfilter.org>
Call synchronize_rcu() after unregistering the hooks from the error path,
since a hook that already refers to this flowtable can already be
registered, exposing this flowtable to the packet path and the
nfnetlink_hook control plane.
This error path is rare; it should only happen by reaching the maximum
number of hooks or by failing to set up hardware offload, so just call
synchronize_rcu().
There is a check for device hooks already used by a different flowtable
that could result in EEXIST at this late stage. The hook parser can be
updated to perform this check earlier so that this error path really
becomes rarely exercised.
Uncovered by KASAN, reported as a use-after-free from the nfnetlink_hook
path when dumping hooks.
Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_tables_api.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 9b1c8d0a35fb..3922cff1bb3d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9203,6 +9203,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
return 0;
err_flowtable_hooks:
+ synchronize_rcu();
nft_trans_destroy(trans);
err_flowtable_trans:
nft_hooks_destroy(&flowtable->hook_list);
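Review bot: synchronize_rcu() sleeps for a full grace period, and the only justification for paying that on this path is the rarity argument in the commit message; please add a one-line comment above the call in the err_flowtable_hooks block saying why the wait is required (hooks may already be registered and visible to the packet path and to the nfnetlink_hook dump), so a later cleanup does not drop it. Also, the err_flowtable_trans label that follows still reaches nft_hooks_destroy(&flowtable->hook_list) without any grace period; please confirm in the message that this label is only reachable before any hook of the flowtable has been registered.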
--
2.52.0
* [PATCH net 3/3] nfnetlink_osf: validate individual option lengths in fingerprints
From: Florian Westphal @ 2026-03-19 9:38 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel, pablo
From: Weiming Shi <bestswngs@gmail.com>
nfnl_osf_add_callback() validates opt_num bounds and string
NUL-termination but does not check individual option length fields.
A zero-length option causes nf_osf_match_one() to enter the option
matching loop even when foptsize sums to zero, which matches packets
with no TCP options where ctx->optp is NULL:
Oops: general protection fault
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
nf_hook_slow (net/netfilter/core.c:623)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)
Additionally, an MSS option (kind=2) with length < 4 causes
out-of-bounds reads when nf_osf_match_one() unconditionally accesses
optp[2] and optp[3] for MSS value extraction. While RFC 9293
section 3.2 specifies that the MSS option is always exactly 4
bytes (Kind=2, Length=4), the check uses "< 4" rather than
"!= 4" because lengths greater than 4 do not cause memory
safety issues -- the buffer is guaranteed to be at least
foptsize bytes by the ctx->optsize == foptsize check.
Reject fingerprints where any option has zero length, or where an MSS
option has length less than 4, at add time rather than trusting these
values in the packet matching hot path.
Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nfnetlink_osf.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 94e3eac5743a..45d9ad231a92 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
{
struct nf_osf_user_finger *f;
struct nf_osf_finger *kf = NULL, *sf;
+ unsigned int tot_opt_len = 0;
int err = 0;
+ int i;
if (!capable(CAP_NET_ADMIN))
return -EPERM;
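Review bot: minor style point on the new declarations: i is declared as int while it only indexes f->opt[] and is compared against f->opt_num, so if that field is unsigned (as UAPI counters usually are) declaring unsigned int i next to tot_opt_len avoids a signed/unsigned comparison and keeps the two new variables together instead of splitting them around int err = 0;.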
@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
if (f->opt_num > ARRAY_SIZE(f->opt))
return -EINVAL;
+ for (i = 0; i < f->opt_num; i++) {
+ if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
+ return -EINVAL;
+ if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
+ return -EINVAL;
+
+ tot_opt_len += f->opt[i].length;
+ if (tot_opt_len > MAX_IPOPTLEN)
+ return -EINVAL;
+ }
+
if (!memchr(f->genre, 0, MAXGENRELEN) ||
!memchr(f->subtype, 0, MAXGENRELEN) ||
!memchr(f->version, 0, MAXGENRELEN))
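Review bot: the reason for the two rejections (a zero length lets nf_osf_match_one() enter the option loop with ctx->optp NULL for a packet without TCP options; an MSS option shorter than 4 makes the optp[2]/optp[3] reads run out of bounds) exists only in the commit message, so please add a short comment above the loop stating it; without one the "< 4" on OSFOPT_MSS reads like an off-by-one against the fixed 4-byte MSS length from RFC 9293. Secondly, the per-option test f->opt[i].length > MAX_IPOPTLEN is subsumed by the running tot_opt_len > MAX_IPOPTLEN check two lines later (the length has already been added to tot_opt_len by then), so one of the two can go; keeping only the cumulative check makes the sum the single bound that nf_osf_match_one() later compares against ctx->optsize.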
--
2.52.0
* Re: [PATCH net 1/3] netfilter: bpf: defer hook memory release until rcu readers are done
From: patchwork-bot+netdevbpf @ 2026-03-19 14:50 UTC
To: Florian Westphal
Cc: netdev, pabeni, davem, edumazet, kuba, netfilter-devel, pablo
Hello:
This series was applied to netdev/net.git (main)
by Florian Westphal <fw@strlen.de>:
On Thu, 19 Mar 2026 10:38:32 +0100 you wrote:
> Yiming Qian reports UaF when concurrent process is dumping hooks via
> nfnetlink_hooks:
>
> BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
> Read of size 8 at addr ffff888003edbf88 by task poc/79
> Call Trace:
> <TASK>
> nfnl_hook_dump_one.isra.0+0xe71/0x10f0
> netlink_dump+0x554/0x12b0
> nfnl_hook_get+0x176/0x230
> [..]
>
> [...]
Here is the summary with links:
- [net,1/3] netfilter: bpf: defer hook memory release until rcu readers are done
https://git.kernel.org/netdev/net/c/24f90fa3994b
- [net,2/3] netfilter: nf_tables: release flowtable after rcu grace period on error
https://git.kernel.org/netdev/net/c/d73f4b53aaae
- [net,3/3] nfnetlink_osf: validate individual option lengths in fingerprints
https://git.kernel.org/netdev/net/c/dbdfaae96096
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html