git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Florian Westphal <fw@strlen.de>
	Tue, 17 Mar 2026 11:23:08 +0000 (12:23 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 25 Mar 2026 10:08:55 +0000 (11:08 +0100)
commit	cb2bf5efdb02a2a59faf603604a1066e8266f349
tree	b3d29f14cf7c3dcda08f6167a22c213233892c24	tree \| snapshot
parent	6a3bb74e25d79cbb15f67ef80f71e2b2bfe27ff4	commit \| diff

netfilter: bpf: defer hook memory release until rcu readers are done

[ Upstream commit 24f90fa3994b992d1a09003a3db2599330a5232a ]

Yiming Qian reports UaF when concurrent process is dumping hooks via
nfnetlink_hooks:

BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
Read of size 8 at addr ffff888003edbf88 by task poc/79
Call Trace:
<TASK>
nfnl_hook_dump_one.isra.0+0xe71/0x10f0
netlink_dump+0x554/0x12b0
nfnl_hook_get+0x176/0x230
[..]

Defer release until after concurrent readers have completed.

Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>