[SRU][J/N/Q][PATCH 0/1] CVE-2026-23392
Tim Whisonant
tim.whisonant at canonical.com
Wed Apr 8 22:11:49 UTC 2026
SRU Justification:

[Impact]

netfilter: nf_tables: release flowtable after rcu grace period on error

Call synchronize_rcu() after unregistering the hooks from error path,
since a hook that already refers to this flowtable can be already
registered, exposing this flowtable to packet path and nfnetlink_hook
control plane.

This error path is rare, it should only happen by reaching the maximum
number of hooks or by failing to set up hardware offload, just call
synchronize_rcu().

There is a check for already used device hooks by different flowtable
that could result in EEXIST at this late stage. The hook parser can be
updated to perform this check earlier so this error path really becomes
rarely exercised.

Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
when dumping hooks.

[Fix]

Questing: applied Noble patch
Noble: cherry picked from upstream
Jammy: backported from upstream
Focal: sent to Forgejo
Bionic: not affected
Xenial: not affected
Trusty: not affected

[Test Plan]

Compile and boot tested.

[Where problems could occur]

The change affects the nftables fast path code, particularly the
allocation routine for the flowtable object, to correct a use
after free in the error handling path. Issues would affect this
nftables fast path table object handling.

Pablo Neira Ayuso (1):
netfilter: nf_tables: release flowtable after rcu grace period on
error
net/netfilter/nf_tables_api.c | 1 +
1 file changed, 1 insertion(+)
--
2.43.0
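
The ordering problem described under [Impact], as an added single-threaded model (not part of the original message and not nf_tables code): a reader that picked up the flowtable through an already-registered hook is still in flight when the error path releases the object. All names are hypothetical, and the grace period is modeled by letting the in-flight reader finish before the release.

```c
/* Added model of the error-path ordering; every name here is hypothetical
 * and the "free" is a flag on a static slot, so nothing is really freed. */
#include <stddef.h>
#include <stdio.h>

struct flowtable { int freed; };          /* stands in for the flowtable object */
struct hook { struct flowtable *ft; };    /* registered hook that refers to it */

static struct flowtable ft_slot;
static struct hook hook;
static struct flowtable *reader_ptr;      /* pointer held by an in-flight reader */

/* Reader (packet path or hook dump) enters its read-side section. */
static void reader_enter(void) { reader_ptr = hook.ft; }

/* Reader dereferences and leaves; returns 1 if the object was already released. */
static int reader_finish(void)
{
    int uaf = reader_ptr != NULL && reader_ptr->freed;
    reader_ptr = NULL;
    return uaf;
}

/* Model of synchronize_rcu(): readers that started earlier finish first. */
static int wait_for_readers(void) { return reader_finish(); }

/* Error path taken after a hook was already registered.
 * Returns 1 if a reader touched the object after it was released. */
int error_path(int wait_grace_period)
{
    int uaf = 0;
    ft_slot.freed = 0;
    hook.ft = &ft_slot;              /* hook registered: object is reachable */
    reader_enter();                  /* a reader picks up the pointer */
    hook.ft = NULL;                  /* error: unregister the hook */
    if (wait_grace_period)
        uaf |= wait_for_readers();   /* reader drains while object is valid */
    ft_slot.freed = 1;               /* release the flowtable */
    uaf |= reader_finish();          /* still in flight only if we did not wait */
    return uaf;
}

int main(void)
{
    printf("release without grace period: uaf=%d\n", error_path(0));
    printf("release after grace period:   uaf=%d\n", error_path(1));
    return 0;
}
```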