Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in nf_tables_trans_destroy_work
From: Hillf Danton
Date: Tue Jul 02 2024 - 07:28:51 EST
On Mon, 01 Jul 2024 13:19:15 -0700
> syzbot found the following issue on:
>
> HEAD commit: 1c5fc27bc48a Merge tag 'nf-next-24-06-28' of git://git.ker..
> git tree: net-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12cecb1e980000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git 1c5fc27bc48a
--- x/include/net/netfilter/nf_tables.h
+++ y/include/net/netfilter/nf_tables.h
@@ -1281,6 +1281,7 @@ struct nft_table {
u64 hgenerator;
u64 handle;
u32 use;
+ atomic_t cnt;
u16 family:6,
flags:8,
genmask:2;
--- x/net/netfilter/nf_tables_api.c
+++ y/net/netfilter/nf_tables_api.c
@@ -162,6 +162,8 @@ static struct nft_trans *nft_trans_alloc
trans->net = ctx->net;
trans->table = ctx->table;
+ if (trans->table)
+ atomic_inc(&trans->table->cnt);
trans->seq = ctx->seq;
trans->flags = ctx->flags;
trans->report = ctx->report;
@@ -1498,6 +1500,7 @@ static int nf_tables_newtable(struct sk_
if (err < 0)
goto err_trans;
+ atomic_inc(&table->cnt);
list_add_tail_rcu(&table->list, &nft_net->tables);
return 0;
err_trans:
@@ -1663,6 +1666,8 @@ static int nf_tables_deltable(struct sk_
static void nf_tables_table_destroy(struct nft_table *table)
{
+ if (!atomic_dec_and_test(&table->cnt))
+ return;
if (WARN_ON(table->use > 0))
return;
@@ -9532,7 +9537,6 @@ static void nft_commit_release(struct nf
switch (trans->msg_type) {
case NFT_MSG_DELTABLE:
case NFT_MSG_DESTROYTABLE:
- nf_tables_table_destroy(trans->table);
break;
case NFT_MSG_NEWCHAIN:
free_percpu(nft_trans_chain_stats(trans));
@@ -9572,6 +9576,9 @@ static void nft_commit_release(struct nf
break;
}
+ if (trans->table)
+ nf_tables_table_destroy(trans->table);
+
if (trans->put_net)
put_net(trans->net);
--