APPLIED: [SRU][N/Q][PATCH 0/1] CVE-2026-23231

Mehmet Basaran mehmet.basaran at canonical.com
Tue Apr 7 09:18:38 UTC 2026


Applied to noble:linux, questing:linux master-next branches. Thanks.

Tim Whisonant <tim.whisonant at canonical.com> writes:

> SRU Justification:
>
> [Impact]
>
> netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
>
> nf_tables_addchain() publishes the chain to table->chains via
> list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
> If nf_tables_register_hook() then fails, the error path calls
> nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
> with no RCU grace period in between.
>
> This creates two use-after-free conditions:
>
>  1) Control-plane: nf_tables_dump_chains() traverses table->chains
>     under rcu_read_lock(). A concurrent dump can still be walking
>     the chain when the error path frees it.
>
>  2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly
>     installs the IPv4 hook before IPv6 registration fails.  Packets
>     entering nft_do_chain() via the transient IPv4 hook can still be
>     dereferencing chain->blob_gen_X when the error path frees the
>     chain.
>
> Add synchronize_rcu() between nft_chain_del() and the chain destroy
> so that all RCU readers -- both dump threads and in-flight packet
> evaluation -- have finished before the chain is freed.
>
> [Fix]
>
> Questing: applied Noble patch
> Noble:    cherry picked from upstream
> Jammy:    not affected
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the nftables subsystem within Netfilter
> to address two potential use-after-free scenarios rooted
> in nf_tables_addchain(). Issues would only affect Netfilter
> chains.
>
> Inseo An (1):
>   netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
>
>  net/netfilter/nf_tables_api.c | 1 +
>  1 file changed, 1 insertion(+)
>
> -- 
> 2.43.0
>
>
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
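
Added example, not part of the original message or of the kernel patch: a single-threaded C model of the error path described under [Impact], showing why a reader that picked up the chain before list_del_rcu() needs a grace period before the free. The step names, `error_path_races` and `reader_lead` are hypothetical, and the freed chain is represented by a flag so the model never touches freed memory.

```c
/* Constructed model of the error path in the SRU text; not kernel code.
 * One RCU reader (dump or packet path) is interleaved step by step with
 * the failing writer. "freed" is a flag, so no freed memory is touched. */
#include <stdbool.h>
#include <stdio.h>

struct chain { bool linked; bool freed; };
enum rstep { R_LOCK, R_LOAD, R_DEREF, R_UNLOCK, R_DONE };
struct reader { enum rstep next; struct chain *seen; bool uaf; };
static int readers_in_cs;   /* readers inside rcu_read_lock() sections */

/* Advance the reader by one step of its read-side critical section. */
static void reader_step(struct reader *r, struct chain *c)
{
    switch (r->next) {
    case R_LOCK:   readers_in_cs++; break;
    case R_LOAD:   r->seen = c->linked ? c : NULL; break;  /* list walk */
    case R_DEREF:  if (r->seen && r->seen->freed) r->uaf = true; break;
    case R_UNLOCK: readers_in_cs--; break;
    case R_DONE:   return;
    }
    r->next++;
}

/* Returns true if the reader dereferenced the chain after it was freed.
 * reader_lead = reader steps already executed when hook registration fails. */
bool error_path_races(bool with_synchronize_rcu, int reader_lead)
{
    struct chain c = { .linked = true, .freed = false };  /* nft_chain_add() */
    struct reader r = { .next = R_LOCK, .seen = NULL, .uaf = false };

    readers_in_cs = 0;
    for (int i = 0; i < reader_lead; i++)
        reader_step(&r, &c);
    c.linked = false;                  /* nft_chain_del(): list_del_rcu() */
    if (with_synchronize_rcu)          /* grace period: wait for readers */
        while (readers_in_cs > 0)
            reader_step(&r, &c);
    c.freed = true;                    /* nf_tables_chain_destroy() */
    while (r.next != R_DONE)           /* let the reader run to completion */
        reader_step(&r, &c);
    return r.uaf;
}

int main(void)
{
    printf("no grace period: uaf=%d, with synchronize_rcu(): uaf=%d\n",
           error_path_races(false, 2), error_path_races(true, 2));
    return 0;
}
```

A reader that starts after the unlink (`reader_lead` of 0 or 1) never finds the chain, which is why only readers already inside their critical section need to be waited for.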