Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in nf_tables_trans_destroy_work (2)

From: Hillf Danton
Date: Mon Mar 03 2025 - 06:03:54 EST


On Sun, 02 Mar 2025 03:57:27 -0800
> syzbot found the following issue on:
>
> HEAD commit: 03d38806a902 Merge tag 'thermal-6.14-rc5' of git://git.ker..
> git tree: upstream
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=155128b7980000

#syz test

--- x/net/netfilter/nf_tables_api.c
+++ y/net/netfilter/nf_tables_api.c
@@ -10654,6 +10654,10 @@ static int nf_tables_commit(struct net *
mutex_unlock(&nft_net->commit_mutex);
return 0;
}
+ if (nft_net->flushed) {
+ mutex_unlock(&nft_net->commit_mutex);
+ return -EAGAIN;
+ }

nft_ctx_init(&ctx, net, skb, nlh, NFPROTO_UNSPEC, NULL, NULL, NULL);
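Review bot: The new `-EAGAIN` return leaves `nft_net->flushed` set, and the only place that clears it is the nf_tables_abort hunk, so the fix is correct only if the caller always runs the abort path after a `-EAGAIN` from commit; that dependency is not visible in this patch and should be stated at the check, e.g. `/* destroy work was flushed by a socket release; replay the batch (caller aborts, which clears ->flushed) */`. Whether this read and the write in nft_rcv_nl_event both happen under commit_mutex is also not shown by the hunks; if the notifier path does not hold it, a plain `u8` read/write pair is a data race and the field needs either the mutex or an atomic. The body of nf_tables_commit starts and continues outside the hunk.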

@@ -11251,6 +11255,7 @@ static int nf_tables_abort(struct net *n
else
nf_tables_module_autoload_cleanup(net);

+ nft_net->flushed = 0;
mutex_unlock(&nft_net->commit_mutex);

return ret;
@@ -11854,6 +11859,7 @@ static int nft_rcv_nl_event(struct notif
gc_seq = nft_gc_seq_begin(nft_net);

nf_tables_trans_destroy_flush_work();
+ nft_net->flushed = 1;
again:
list_for_each_entry(table, &nft_net->tables, list) {
if (nft_table_has_owner(table) &&
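Review bot: `nft_net->flushed = 1` is set unconditionally right after nf_tables_trans_destroy_flush_work(), before the loop decides whether any table is owned by the closing socket, so every netlink socket release in the netns forces the next commit to fail with `-EAGAIN` and be replayed even when no table was torn down. If the intent is only to fail a commit that raced with a table teardown, setting the flag inside the loop at the point a table is actually released would narrow the cost; if the flush itself is what invalidates the pending commit, a one-line comment saying so next to the assignment would make that clear. nft_rcv_nl_event continues outside the hunk.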
@@ -11903,6 +11909,7 @@ static int __net_init nf_tables_init_net
nft_net->base_seq = 1;
nft_net->gc_seq = 0;
nft_net->validate_state = NFT_VALIDATE_SKIP;
+ nft_net->flushed = 0;

return 0;
}
--- x/include/net/netfilter/nf_tables.h
+++ y/include/net/netfilter/nf_tables.h
@@ -1915,6 +1915,7 @@ struct nftables_pernet {
unsigned int base_seq;
unsigned int gc_seq;
u8 validate_state;
+ u8 flushed;
};

extern unsigned int nf_tables_net_id;
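Review bot: The new `flushed` member is added without any comment on its meaning or on which lock serializes its writers in nft_rcv_nl_event and nf_tables_abort against the reader in nf_tables_commit. A short field comment would fix that, e.g. `u8 flushed; /* trans destroy work was flushed by a socket release; next commit must replay */`, with the protecting lock named once it is confirmed (commit_mutex is the likely candidate but is not visible in this patch).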
--