[SRU][J][PATCH 1/1] netfilter: nf_tables: release flowtable after rcu grace period on error

Manuel Diewald manuel.diewald at canonical.com
Tue May 5 16:18:22 UTC 2026


On Wed, Apr 08, 2026 at 03:11:50PM -0700, Tim Whisonant wrote:
> From: Pablo Neira Ayuso <pablo at netfilter.org>
> 
> Call synchronize_rcu() after unregistering the hooks from error path,
> since a hook that already refers to this flowtable can be already
> registered, exposing this flowtable to packet path and nfnetlink_hook
> control plane.
> 
> This error path is rare, it should only happen by reaching the maximum
> number of hooks or by failing to set up hardware offload, just call
> synchronize_rcu().
> 
> There is a check for already used device hooks by a different flowtable
> that could result in EEXIST at this late stage. The hook parser can be
> updated to perform this check earlier so this error path really becomes
> rarely exercised.
> 
> Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
> when dumping hooks.
> 
> Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
> Reported-by: Yiming Qian <yimingqian591 at gmail.com>
> Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
> Signed-off-by: Florian Westphal <fw at strlen.de>
> (backported from commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce)
> [tswhison: context adjustments due to missing commit
> d472e9853d7 ("netfilter: nf_tables: register hooks last when adding new chain/flowtable")]

Looking at d472e9853d7b4 ("netfilter: nf_tables: register hooks last
when adding new chain/flowtable"), I feel like it's quite possible that
it's a prerequisite patch for the fix of CVE-2026-23392 and should also
be included in this submission for jammy. We should revisit this before
applying the patch, just to be sure.

-- 
 Manuel