Re: [PATCH] netfilter: nf_tables: fix use-after-free on ops->dev

Next message: Konstantin Taranov: "Re: [PATCH rdma-next v2 1/1] RDMA/mana: Provide a modern CQ creation interface"
Previous message: Christoph Hellwig: "Re: [PATCH 00/21] nvme-auth: use crypto library for HMAC and hashing"
In reply to: Phil Sutter: "Re: [PATCH] netfilter: nf_tables: fix use-after-free on ops-&gt;dev"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Florian Westphal

Date: Wed Mar 04 2026 - 08:29:20 EST

Phil Sutter <phil@xxxxxx> wrote:
> But isn't __nf_unregister_net_hook() still called immediately when
> handling NETDEV_UNREGISTER event? I guess struct nf_hook_ops::dev may
> still be accessed afterwards since ops is RCU-freed. Is Helen's report
> inaccurate in that regard?

Its a red herring.

The device is registered twice. But UNREGISTER only removes ONE
instance.

Then, later, when a different device (same name!) invokes netlink handler,
the walk finds the old, free'd net_device.

I hacked UNREGISTER to handle this: no more splat.
I reverted this change and altered REGISTER to never allow
double-register: no splats.