Re: [PATCH] netfilter: nf_tables: fix use-after-free on ops->dev

Next message: Shah, Tanmay: "Re: [PATCH] mailbox: add API to query available TX queue slots"
Previous message: Maxime Chevallier: "[PATCH net-next v6 10/10] net: ethtool: Introduce ethtool command to list ports"
In reply to: Florian Westphal: "Re: [PATCH] netfilter: nf_tables: fix use-after-free on ops-&gt;dev"
Next in thread: Phil Sutter: "Re: [PATCH] netfilter: nf_tables: fix use-after-free on ops-&gt;dev"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Helen Koike

Date: Wed Mar 04 2026 - 10:16:50 EST

On 3/4/26 10:38 AM, Florian Westphal wrote:

Phil Sutter <phil@xxxxxx> wrote:

And *THIS* looks buggy.
Shouldn't that simply be:
if (!match || ops)
continue;

I tested this change locally (with syz reproducer) and I'm unable to trigger the issue anymore. Without this change I always reproduce it.

If you are to send this patch, please add:

Tested-by: Helen Koike <koike@xxxxxxxxxx>

FWIW I can't get the reproducer to trigger a splat with this change.
I've fed this to syzbot to double-check.

You're right, the 'changename' check in NETDEV_REGISTER is not needed
because even if not changing names one should skip if already
registered. Actually, this indicates a bug unless handling
NETDEV_CHANGENAME. Maybe add a WARN_ON_ONCE()?

Well, it does trigger, afaics.

Thanks,
Helen