[SRU][J][PATCH 1/1] netfilter: nf_tables: release flowtable after rcu grace period on error

Tim Whisonant tim.whisonant at canonical.com
Wed Apr 8 22:11:50 UTC 2026


From: Pablo Neira Ayuso <pablo at netfilter.org>

Call synchronize_rcu() after unregistering the hooks from error path,
since a hook that already refers to this flowtable can be already
registered, exposing this flowtable to packet path and nfnetlink_hook
control plane.

This error path is rare, it should only happen by reaching the maximum
number of hooks or by failing to set up hardware offload, just call
synchronize_rcu().

There is a check for already used device hooks by a different flowtable
that could result in EEXIST at this late stage. The hook parser can be
updated to perform this check earlier so that this error path really becomes
rarely exercised.

Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
when dumping hooks.

Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
Reported-by: Yiming Qian <yimingqian591 at gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
Signed-off-by: Florian Westphal <fw at strlen.de>
(backported from commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce)
[tswhison: context adjustments due to missing commit
d472e9853d7 ("netfilter: nf_tables: register hooks last when adding new chain/flowtable")]
CVE-2026-23392
Signed-off-by: Tim Whisonant <tim.whisonant at canonical.com>
---
 net/netfilter/nf_tables_api.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 49fc22db42d62..cd4388bb00aef 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8123,6 +8123,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
 
 	return 0;
 err5:
+	synchronize_rcu();
 	list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
 		nft_unregister_flowtable_hook(net, flowtable, hook);
 		list_del_rcu(&hook->list);
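Review bot: the placement of synchronize_rcu() at err5 does not match the commit message, which says the grace period is waited for "after unregistering the hooks"; in this hunk it runs before the list_for_each_entry_safe loop that calls nft_unregister_flowtable_hook() and list_del_rcu(). While the hooks are still registered, a reader entering the packet path or the nfnetlink_hook dump after synchronize_rcu() returns can still reach these hooks and the flowtable that the later error labels free, so the grace period protects nothing. This is more than a context adjustment: the backport note says d472e9853d7 is missing from this tree, so hooks are registered before err5 rather than last, and the call needs to move accordingly. Suggest placing it after the loop, i.e. after the hooks have been unregistered and unlinked with list_del_rcu() and before the frees that follow, and updating the "[tswhison: ...]" note to say the placement was changed, not only the context.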
-- 
2.43.0