| Message ID | 20260305120144.26350-1-phil@nwl.cc |
|---|---|
| State | Accepted, archived |
| Series | [nf] netfilter: nf_tables: Fix for duplicate device in netdev hooks |
On 3/5/26 9:01 AM, Phil Sutter wrote: > When handling NETDEV_REGISTER notification, duplicate device > registration must be avoided since the device may have been added by > nft_netdev_hook_alloc() already when creating the hook. > > Cc: Helen Koike <koike@igalia.com> > Suggested-by: Florian Westphal <fw@strlen.de> > Reported-by: syzbot+bb9127e278fa198e110c@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=bb9127e278fa198e110c > Fixes: a331b78a5525 ("netfilter: nf_tables: Respect NETDEV_REGISTER events") > Signed-off-by: Phil Sutter <phil@nwl.cc> I tested and validated this fixes the use-after-free as reported by syzbot. Tested locally with Qemu using the disk image and reproducer from syzbot. Tested-by: Helen Koike <koike@igalia.com> Thanks, Helen > --- > net/netfilter/nf_tables_api.c | 2 +- > net/netfilter/nft_chain_filter.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index 0c5a4855b97d..29f54998a637 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -9679,7 +9679,7 @@ static int nft_flowtable_event(unsigned long event, struct net_device *dev, > break; > case NETDEV_REGISTER: > /* NOP if not matching or already registered */ > - if (!match || (changename && ops)) > + if (!match || ops) > continue; > > ops = kzalloc(sizeof(struct nf_hook_ops), > diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c > index b16185e9a6dd..041426e3bdbf 100644 > --- a/net/netfilter/nft_chain_filter.c > +++ b/net/netfilter/nft_chain_filter.c > @@ -344,7 +344,7 @@ static int nft_netdev_event(unsigned long event, struct net_device *dev, > break; > case NETDEV_REGISTER: > /* NOP if not matching or already registered */ > - if (!match || (changename && ops)) > + if (!match || ops) > continue; > > ops = kmemdup(&basechain->ops,
On Thu, Mar 05, 2026 at 10:24:54AM -0300, Helen Koike wrote:
> On 3/5/26 9:01 AM, Phil Sutter wrote:
> > When handling NETDEV_REGISTER notification, duplicate device
> > registration must be avoided since the device may have been added by
> > nft_netdev_hook_alloc() already when creating the hook.
> >
> > Cc: Helen Koike <koike@igalia.com>
> > Suggested-by: Florian Westphal <fw@strlen.de>
> > Reported-by: syzbot+bb9127e278fa198e110c@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=bb9127e278fa198e110c
> > Fixes: a331b78a5525 ("netfilter: nf_tables: Respect NETDEV_REGISTER events")
> > Signed-off-by: Phil Sutter <phil@nwl.cc>
>
> I tested and validated this fixes the use-after-free as reported by syzbot.
>
> Tested locally with Qemu using the disk image and reproducer from syzbot.
>
> Tested-by: Helen Koike <koike@igalia.com>

Thanks for testing, Helen!
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 0c5a4855b97d..29f54998a637 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -9679,7 +9679,7 @@ static int nft_flowtable_event(unsigned long event, struct net_device *dev, break; case NETDEV_REGISTER: /* NOP if not matching or already registered */ - if (!match || (changename && ops)) + if (!match || ops) continue; ops = kzalloc(sizeof(struct nf_hook_ops), diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index b16185e9a6dd..041426e3bdbf 100644 --- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c @@ -344,7 +344,7 @@ static int nft_netdev_event(unsigned long event, struct net_device *dev, break; case NETDEV_REGISTER: /* NOP if not matching or already registered */ - if (!match || (changename && ops)) + if (!match || ops) continue; ops = kmemdup(&basechain->ops,
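
Review bot: for the NETDEV_REGISTER case in nft_flowtable_event() (net/netfilter/nf_tables_api.c), the commit message should state what goes wrong when the device is registered twice. It only says duplicates "must be avoided", while the thread reports a use-after-free found by syzbot. The old condition `(changename && ops)` skipped an existing ops entry only on the changename path; a sentence saying that, and what a second entry for a device already added by nft_netdev_hook_alloc() leads to, would let the fix be judged from the log alone against the Fixes: commit.
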
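
Review bot: the NETDEV_REGISTER check in nft_netdev_event() (net/netfilter/nft_chain_filter.c) is now identical to the one in nft_flowtable_event(), `if (!match || ops)`, and both copies carried the same flaw and had to be fixed in the same patch. Consider a follow-up that moves the shared "not matching or already registered" test into one helper so the two handlers cannot drift apart. Please also confirm that `changename` is still used elsewhere in this function once it is dropped from this condition; the visible context does not show its other uses, and if there are none it can be removed.
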
When handling NETDEV_REGISTER notification, duplicate device
registration must be avoided since the device may have been added by
nft_netdev_hook_alloc() already when creating the hook.

Cc: Helen Koike <koike@igalia.com>
Suggested-by: Florian Westphal <fw@strlen.de>
Reported-by: syzbot+bb9127e278fa198e110c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bb9127e278fa198e110c
Fixes: a331b78a5525 ("netfilter: nf_tables: Respect NETDEV_REGISTER events")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 net/netfilter/nf_tables_api.c    | 2 +-
 net/netfilter/nft_chain_filter.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)